The Department of Homeland Security (DHS) has been working alongside the Office of Management and Budget to assess the risk management posture of the Federal government. They have been using a combination of agency self-reporting and independent verification to evaluate each agency's mitigation practices as well as the nation's overall security standing.
DHS’ latest update on that standing indicates trouble ahead if gaps are left uncorrected. Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications, spoke at the State of Play hearing conducted by the House IT subcommittee last week to voice concerns over agency performance.
“What we saw through years of assessments was continued poor patch management programs,” Manfra said.
She said agencies haven’t been doing their due diligence when it comes to tackling vulnerabilities on their networks. The testimony that followed provided insight into what DHS sees as the biggest roadblocks, the directions–or directives–they’ve been giving to correct course, and what might be in store as they hit the throttle on the Continuous Diagnostics and Mitigation (CDM) Program and other initiatives.
A Legacy of Leaky Security
Much of Manfra's testimony centered on critical vulnerability patching. Agencies are struggling to meet DHS timeframes for getting the holes in their ships plugged. It's a familiar refrain, but Manfra pointed to legacy IT infrastructure as the biggest limiting factor.
“Some legacy systems can no longer be patched,” she declared. “Others are not supported by vendors and some experience significant performance issues if not reconfigured during the security upgrade process.”
Manfra argued that DHS and the agencies it supports now spend too much time, effort and government resources on alternative mitigations for systems that cannot simply be patched. She noted that the transition to modern IT won't just offer convenience; the new technology will actually keep critical American assets safer, plugging those leaks and reinforcing the nation's hull.
Why Accountability Matters
Until that old technology is decommissioned, Manfra says DHS' congressionally enacted authority is keeping agencies on their toes.
In May 2015, under authority granted by the Federal Information Security Modernization Act, DHS issued a binding operational directive requiring agencies to mitigate critical vulnerabilities on their internet-facing systems within 30 days. The directive came amid a series of cyberattacks, including the Office of Personnel Management breach that exposed the records of some 4 million federal workers.
“In FY ’14, average time to patch was in excess of 200 days, which is bad,” Manfra stated, to a touch of muted and uneasy laughter in the hearing room. “After the directive, which shows how these things change behavior, we’re averaging 10 to 15 days. It’s helping [agencies] prioritize their very limited resources by focusing on known issues.”
This is part of a broader push across the Federal government to call attention to areas of need within agency IT infrastructure. FITARA and the Modernizing Government Technology (MGT) Act have also served to establish both the impetus and the motivation to overhaul dated practices: FITARA scorecards have increased transparency, and forthcoming MGT appropriations promise the funding to act on it.
It’s providing agencies with a sense of accountability and actionable steps, Manfra said, that will get the most imperative items out of the way sooner and “fix the worst things first.”
Why Visibility Matters
While it's encouraging that agencies are reporting much swifter patch times, Manfra stressed how important it is for DHS to be able to double-check that reporting.
“The important way we were able to be successful with this is that we can independently validate, we’re not relying on self-reporting,” Manfra said.
She pointed to CDM as a key contributor to that fact.
Phase 1 of CDM covered hardware and software asset management. The rollout of sensors on all internet-facing devices revealed that agencies had a large number of devices on their networks that they had never inventoried. But the rollout also helped validate the claims agencies were making about the devices they did know about, Manfra explained.
“[With] the external scanning that we’re doing of all internet-facing devices we can say, ‘No, I can see that you haven’t actually patched,’” she said.
That's an important area of oversight, and one more benefit of the kind of network visibility she hopes will bring security into a new age.
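The validation Manfra describes, checking what an agency reports against what DHS can observe from outside, reduces to a small reconciliation routine. The Python below is an added example written for this page, not DHS or CDM tooling: the record schemas, host names, vulnerability IDs and dates are all constructed, and only the 30-day window comes from the directive described above. A finding counts as closed only when the scanner no longer sees it, so a claim of "fixed" that no scan confirms stays unverified and, if it is old enough, overdue.

```python
from dataclasses import dataclass
from datetime import date

# 30-day window for critical vulnerabilities on internet-facing systems,
# as the article describes the 2015 binding operational directive.
PATCH_SLA_DAYS = 30

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class SelfReport:
    """What an agency reports about one finding (assumed schema)."""
    host: str
    vuln_id: str
    severity: str
    first_seen: date
    reported_fixed: bool


@dataclass(frozen=True)
class ScanResult:
    """What an independent external scan observed for the same finding (assumed schema)."""
    host: str
    vuln_id: str
    still_present: bool
    scanned_on: date


def reconcile(reports, scans, today):
    """Cross-check each self-reported finding against independent scan data.

    Returns one dict per report with a status and an 'overdue' flag.
    Only scan evidence can close a finding; self-reports alone cannot.
    """
    observed = {(s.host, s.vuln_id): s for s in scans}
    findings = []
    for r in reports:
        scan = observed.get((r.host, r.vuln_id))
        if scan is None:
            status = "unverified"          # self-report only, nothing to validate against
        elif scan.still_present:
            status = "contradicted" if r.reported_fixed else "open"
        else:
            status = "verified_fixed" if r.reported_fixed else "fixed_unreported"
        closed = status in ("verified_fixed", "fixed_unreported")
        days_open = (today - r.first_seen).days
        overdue = (not closed
                   and r.severity == "critical"
                   and days_open > PATCH_SLA_DAYS)
        findings.append({
            "host": r.host, "vuln_id": r.vuln_id, "severity": r.severity,
            "status": status, "closed": closed,
            "days_open": days_open, "overdue": overdue,
        })
    return findings


def worst_first(findings):
    """Order findings as 'fix the worst things first' implies: overdue
    criticals, then other open items by severity and age, closed items last."""
    return sorted(findings, key=lambda f: (
        not f["overdue"], f["closed"],
        SEVERITY_RANK.get(f["severity"], len(SEVERITY_RANK)),
        -f["days_open"],
    ))


# Constructed sample data; hosts, vulnerability IDs and dates are placeholders.
TODAY = date(2018, 2, 20)
SAMPLE_REPORTS = [
    SelfReport("web-1", "VULN-A", "critical", date(2018, 1, 5), True),
    SelfReport("web-2", "VULN-A", "critical", date(2018, 1, 5), True),
    SelfReport("vpn-1", "VULN-B", "critical", date(2018, 2, 10), False),
    SelfReport("mail-1", "VULN-C", "high", date(2017, 12, 1), False),
    SelfReport("legacy-1", "VULN-A", "critical", date(2017, 11, 1), True),
]
SAMPLE_SCANS = [
    ScanResult("web-1", "VULN-A", False, TODAY),   # agrees with the report
    ScanResult("web-2", "VULN-A", True, TODAY),    # agency said fixed; scanner disagrees
    ScanResult("vpn-1", "VULN-B", True, TODAY),
    ScanResult("mail-1", "VULN-C", True, TODAY),
    # legacy-1 was never scanned, so its "fixed" claim cannot be validated
]

if __name__ == "__main__":
    for f in worst_first(reconcile(SAMPLE_REPORTS, SAMPLE_SCANS, TODAY)):
        flag = "OVERDUE" if f["overdue"] else ""
        print(f"{f['host']:<10} {f['vuln_id']:<8} {f['severity']:<9} "
              f"{f['status']:<16} {f['days_open']:>4}d {flag}")
```

Running the block prints the constructed findings in priority order: the unverified legacy host and the contradicted web server come first, both past the 30-day window, while the host whose fix the scan confirms drops to the bottom regardless of its age.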
“I believe that this will fundamentally transform the way that we do vulnerability management for the government,” Manfra said. “But it has to be through the deployment of these standardized tools that then feed data back to an agency CIO and DHS…We must build capacity within agencies to implement our guidance, act on threat information, and fully leverage the capabilities and service that DHS has to offer.”