[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
THE CURRENT STATE OF DHS'S EFFORTS TO SECURE FEDERAL NETWORKS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
CYBERSECURITY AND
INFRASTRUCTURE PROTECTION
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
MARCH 28, 2017
__________
Serial No. 115-10
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
_________
U.S. GOVERNMENT PUBLISHING OFFICE
26-908 PDF WASHINGTON : 2017
____________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
Internet: bookstore.gpo.gov. Phone: toll free (866) 512-1800; DC area (202) 512-1800
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-001
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Majority Members:
Lamar Smith, Texas
Peter T. King, New York
Mike Rogers, Alabama
Jeff Duncan, South Carolina
Tom Marino, Pennsylvania
Lou Barletta, Pennsylvania
Scott Perry, Pennsylvania
John Katko, New York
Will Hurd, Texas
Martha McSally, Arizona
John Ratcliffe, Texas
Daniel M. Donovan, Jr., New York
Mike Gallagher, Wisconsin
Clay Higgins, Louisiana
John H. Rutherford, Florida
Thomas A. Garrett, Jr., Virginia
Brian K. Fitzpatrick, Pennsylvania
Minority Members:
Bennie G. Thompson, Mississippi
Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Cedric L. Richmond, Louisiana
William R. Keating, Massachusetts
Donald M. Payne, Jr., New Jersey
Filemon Vela, Texas
Bonnie Watson Coleman, New Jersey
Kathleen M. Rice, New York
J. Luis Correa, California
Val Butler Demings, Florida
Nanette Diaz Barragan, California
Brendan P. Shields, Staff Director
Kathleen Crooks Flynn, Deputy General Counsel
Michael S. Twinchek, Chief Clerk
Hope Goins, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION
John Ratcliffe, Texas, Chairman
Majority Members:
John Katko, New York
Daniel M. Donovan, Jr., New York
Mike Gallagher, Wisconsin
Clay Higgins, Louisiana
Thomas A. Garrett, Jr., Virginia
Brian K. Fitzpatrick, Pennsylvania
Michael T. McCaul, Texas (ex officio)
Minority Members:
Cedric L. Richmond, Louisiana
Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Val Butler Demings, Florida
Bennie G. Thompson, Mississippi (ex officio)
Brett DeWitt, Subcommittee Staff Director
K. Christopher Schepis, Minority Staff Director
C O N T E N T S
----------
Page
Statements
The Honorable John Ratcliffe, a Representative in Congress From
the State of Texas, and Chairman, Subcommittee on Cybersecurity
and Infrastructure Protection:
Oral Statement................................................. 1
Prepared Statement............................................. 3
The Honorable Cedric L. Richmond, a Representative in Congress
From the State of Louisiana, and Ranking Member, Subcommittee
on Cybersecurity and Infrastructure Protection:
Oral Statement................................................. 4
Prepared Statement............................................. 5
The Honorable Michael T. McCaul, a Representative in Congress
From the State of Texas, and Chairman, Committee on Homeland
Security:
Oral Statement................................................. 5
Prepared Statement............................................. 7
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security:
Oral Statement................................................. 7
Prepared Statement............................................. 8
The Honorable Sheila Jackson Lee, a Representative in Congress
From the State of Texas:
Prepared Statement............................................. 9
Witnesses
Ms. Jeanette Manfra, Acting Deputy Under Secretary for
Cybersecurity, National Protection and Programs Directorate,
U.S. Department of Homeland Security:
Oral Statement................................................. 11
Prepared Statement............................................. 13
Mr. Gregory C. Wilshusen, Director, Information Security Issues,
U.S. Government Accountability Office:
Oral Statement................................................. 17
Prepared Statement............................................. 18
Mr. Chris A. Jaikaran, Analyst, Cybersecurity Policy,
Congressional Research Service, Library of Congress:
Oral Statement................................................. 25
Prepared Statement............................................. 26
Appendix
Questions From Chairman John Ratcliffe for Jeanette Manfra....... 41
Questions From Ranking Member Cedric L. Richmond for Jeanette
Manfra......................................................... 46
Questions From Honorable James R. Langevin for Jeanette Manfra... 50
Questions From Honorable Val Demings for Jeanette Manfra......... 54
Questions From Chairman John Ratcliffe for Gregory C. Wilshusen.. 57
Questions From Honorable James Langevin for Gregory C. Wilshusen. 59
Questions From Chairman John Ratcliffe for Chris Jaikaran........ 60
THE CURRENT STATE OF DHS'S EFFORTS TO SECURE FEDERAL NETWORKS
----------
Tuesday, March 28, 2017
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity and
Infrastructure Protection,
Washington, DC.
The subcommittee met, pursuant to notice, at 10:10 a.m., in
room HVC-210, Capitol Visitor Center, Hon. John Ratcliffe
(Chairman of the subcommittee) presiding.
Present: Representatives Ratcliffe, McCaul, Katko, Donovan,
Gallagher, Fitzpatrick, Richmond, Thompson, Jackson Lee,
Langevin, and Demings.
Mr. Ratcliffe. Good morning. The Committee on Homeland
Security Subcommittee on Cybersecurity and Infrastructure
Protection will come to order. The subcommittee is meeting
today to receive testimony regarding the current state of the
Department of Homeland Security's efforts to secure Federal
networks. I recognize myself for an opening statement.
I see cybersecurity as one of the preeminent domestic and
National security policy challenges of our generation. As the
Chairman of the Cybersecurity and Infrastructure Protection
Subcommittee, I feel especially grateful for the opportunity to
work with other Members on this panel to have a direct impact
on the cybersecurity posture of our country.
This is a duty that we do not take lightly. Oftentimes, the
American people hear about committees performing oversight.
They think there is this misguided perception that we are
simply performing a routine check-up, taking the temperature,
if you will, and then moving on.
That mindset isn't what compels us to meet here today.
Today's oversight is one of committed on-going engagement.
Securing Federal networks is, and rightfully should be, one of
the central priorities of this subcommittee, of this committee,
of this Congress, and for the American people.
While today's hearing represents a small public-facing
sliver of this engagement, my commitment to all stakeholders
impacted by this important issue is that our continued efforts
to improve the security of our Federal networks will be
conducted in a manner that fully recognizes the seriousness of
the threats posed by our cyber adversaries. While the stakes
are indeed high, this subcommittee is uniquely positioned to be
part of the solution.
After all, the Department of Homeland Security is required
by law to play a vital and central role in the Federal
Government's policy, procedures, and operations for
cybersecurity of our Federal agencies.
Specifically, DHS is entrusted with carrying out important
legislative priorities established by the Cybersecurity Act of
2015 and the Federal Information Security Modernization Act of
2014, often referred to as FISMA.
Ensuring the effective execution of the Department's
cybersecurity initiatives has never been more important than it
is today. Just last week, the committee heard from a panel of
experts about the evolving cyber landscape.
Retired General and National Security Advisor Keith
Alexander noted, ``Our increasing reliance on digital connected
devices means that, while tanks, bombers, and fighter jets are
certainly not obsolete, there are newer and perhaps more
insidious ways of having similar effects without the need for a
large investment that those assets require.''
Bad actors are continuing to compromise the network
security of both the public and the private sectors at an
alarming rate. From nation-states like Russia, China, Iran,
and North Korea and criminal organizations, our systems are
regularly attacked, and the Federal Government must be more
effective and more efficient in anticipating these threats
and do a better job of protecting itself and the vast troves of
sensitive information on its networks.
According to law, DHS is required to provide intrusion
detection and prevention capabilities to Federal agencies and
to work with the Office of Management and Budget to administer
the implementation of agency information security policies and
practices. The Department must include advanced network
security tools in its efforts to continuously diagnose and
mitigate cybersecurity risks.
Additionally, DHS has the authority to issue binding
operational directives to Federal agencies in order to
safeguard Federal information and information systems. The
Department's perimeter defense capabilities, known as EINSTEIN,
have progressed from monitoring to detection to actual
prevention capabilities.
A pilot is under way to examine detection technologies
beyond signature-based detection, as required by the
Cybersecurity Act of 2015. While questions about the time line
of full deployment of the Continuous Diagnostics and Mitigation
program, or CDM, phases loom, breaking down initial barriers to
provide agencies with real-time situational awareness and risk-
based accountable information is imperative to our Federal
cybersecurity efforts.
I look forward to hearing from our witnesses today about
the current status of these programs and how they will provide
greater security for Federal information technology systems,
when they are fully deployed.
In today's ever-changing cyber threat landscape, we need to
ensure that these programs are agile enough to keep pace with
the cybersecurity needs of our Federal agencies.
We need to ensure that DHS is properly leveraging private-
sector innovation and is able to quickly adopt cutting-edge
technologies. We need to ensure that there is a comprehensive
strategy in place, not only to engage every Executive branch
agency and Department, but also to ensure coordinated
deployment.
The Federal Government requires the American people to
submit sensitive information to its care, private financial
information to the IRS, personal medical records to Medicare or
to the VA. We often adopt a trust-us approach, but if we
require that, then I firmly believe we must take serious steps
to demonstrate our trustworthiness with that information.
I look forward to a productive conversation with this
distinguished panel of witnesses. Working together, we can
continue to strengthen DHS's cyber capabilities to secure our
Federal networks.
[The statement of Chairman Ratcliffe follows:]
Statement of Chairman John Ratcliffe
March 28, 2017
I see cybersecurity as one of the pre-eminent domestic and National
security policy challenges of our generation, and as the Chairman of
the Cybersecurity and Infrastructure Protection Subcommittee I feel
especially grateful for the opportunity to work with the other Members
on this panel to have a direct impact on the cybersecurity posture of our
country. It's a duty we do not take lightly.
Oftentimes when the American people hear about committees
performing oversight, there's a misguided perception that we're simply
performing a routine check-up, taking the temperature if you will, and
then moving on.
That mindset is not what compels us to meet here today.
Today's oversight is one of committed, on-going engagement.
Securing Federal networks is--and rightfully should be--one of the
central priorities of this subcommittee, of this Congress, and for the
American people. While today's hearing represents a small, public
facing sliver of this engagement, my commitment to all stakeholders
impacted by this important issue is that our continued efforts to
improve the security of Federal networks will be conducted in a manner
that fully recognizes the seriousness of the threats posed by our cyber
adversaries. And while the stakes are indeed high, this subcommittee is
uniquely positioned to be part of the solution.
After all, the Department of Homeland Security is required, by law,
to play a vital and central role in the Federal Government's policies,
procedures, and operations for the cybersecurity of our Federal
agencies.
Specifically, DHS is entrusted with carrying out important
legislative authorities established in the Cybersecurity Act of 2015
and Federal Information Security Modernization Act of 2014.
Ensuring the effective execution of the Department's cybersecurity
initiatives has never been more important than it is today. Just last
week, the committee heard from a panel of experts about the evolving
cyber threat landscape. Retired General Keith Alexander noted, ``Our
increasing reliance on digital, connected devices means that while
tanks, bombers, and fighter jets are certainly not obsolete, there are
newer and perhaps more insidious ways of having similar effects without
the need for the large investment that those assets require.''
Bad actors continue to compromise the network security of both the
public and private sectors at an increasingly alarming rate. From
nation-states like Russia, China, Iran, and North Korea and criminal
organizations our systems are regularly attacked and the Federal
Government must more effectively and efficiently anticipate these
threats and do a better job protecting itself and the vast troves of
sensitive information on its networks.
According to law, DHS is required to provide intrusion detection
and prevention capabilities to Federal agencies and work with the
Office of Management and Budget to administer the implementation of
agency information security policies and practices. The Department must
include advanced network security tools in its efforts to continuously
diagnose and mitigate cybersecurity risks. Additionally, DHS has the
authority to issue Binding Operational Directives to Federal agencies
in order to safeguard Federal information and information systems.
The Department's perimeter defense capabilities, known as Einstein,
have progressed from monitoring, to detection, to actual prevention
capabilities. A pilot is under way to examine detection technologies
beyond signature-based detection, as required in the Cybersecurity Act
of 2015. And, while questions about the time line for full deployment
of Continuous Diagnostics and Mitigation Program--or CDM--phases loom,
breaking down the initial barriers to provide agencies with real-time
situational awareness and risk-based accountable information is
imperative to our Federal cybersecurity efforts.
I look forward to hearing from our witnesses today about the
current status of these programs and how they will provide greater
security for Federal information technology systems when fully
deployed.
In today's ever-changing cyber threat landscape we need to ensure
that these programs are agile enough to keep pace with the
cybersecurity needs of Federal agencies. We need to ensure DHS is
properly leveraging private-sector innovation and is able to quickly
adopt cutting-edge technologies. We need to ensure that there is a
comprehensive strategy in place, not only to engage every Executive
branch agency and Department but also to ensure coordinated deployment.
The Federal Government requires the American people to submit
sensitive information to its care--private financial information to the
IRS, personal medical records to Medicare or the VA. We often adopt a
``trust-us'' approach. But if we require that, then I firmly believe we
must take serious steps to demonstrate our trustworthiness.
I look forward to a productive conversation with our distinguished
panel of witnesses. Working together we can continue to strengthen
DHS's cyber capabilities to secure Federal networks.
Mr. Ratcliffe. The Chair now recognizes the Ranking
Minority Member of our subcommittee, the gentleman from
Louisiana, Mr. Richmond, for his opening statement.
Mr. Richmond. Thank you, Mr. Chairman. Thank you to the
Chairman of the full committee and the Ranking Member of the
full committee for being here.
I want to begin by thanking you for holding this hearing on
one of our Nation's most pressing homeland security challenges,
and that is securing the dot-gov domain.
Americans rely on Federal agencies to safeguard some of our
most sensitive National data, from health records and Social
Security numbers, to intelligence and information on our troop
movements. This information may be exposed or exploited by
something as simple as a careless employee or a failure to
patch a known vulnerability.
This information can just as easily be taken or altered by
criminal networks and, as we discussed last week in this
committee, state-sponsored hackers. The Russian attacks this
past year on our democratic processes and political
institutions are a salient reminder of the damage state
adversaries, like Russia, can inflict.
Just last year, the GAO surveyed agencies with high-impact
systems, those that hold information so sensitive that a breach
could cause catastrophic harm to individuals, the Government,
or the Nation. The survey showed that cyber attacks from state
actors represented the most serious and frequent threat these
agencies faced.
This same team of GAO analysts, one of whom we have with us
today, revealed that from 2006 to 2015, the number of cyber
attacks on Federal agencies went from about 5,500 per year to
77,000. That is a 1,300 percent increase.
We also know that our Government networks have not only
been targeted, they have also been infiltrated. Successful
cyber attacks have been carried out against the Office of
Personnel Management, the Internal Revenue Service, and the
Departments of State, Defense, Veterans Affairs, and Health and
Human Services, just to name a few.
To be clear, there is no one-size-fits-all or a silver
bullet for securing Federal networks. That said, there are some
positive signs that current efforts may be having an impact.
A recent report from the Office of Management and Budget
shows that over the last year the number of cyber attacks on
the United States Government networks has gone down, not up,
for the first time in a decade.
I am also interested to hear from DHS and GAO on the extent
to which this downward trend may be attributable, at least in
part, to greater adoption of the EINSTEIN program by Federal
agencies.
I also look forward to hearing from this panel about how
DHS is working with its Federal partners to deliver
cybersecurity services that are valuable, affordable, and
effective.
With that, Mr. Chairman, I yield back.
[The statement of Ranking Member Richmond follows:]
Statement of Ranking Member Cedric Richmond
March 28, 2017
Americans rely on Federal agencies to safeguard some of our most
sensitive National data--from health records and Social Security
Numbers to intelligence and information on troop movements.
This information may be exposed or exploited by something as simple
as a careless employee or a failure to patch a known vulnerability.
This information can just as easily be taken or altered by criminal
networks and--as we discussed last week in this committee--state-
sponsored hackers.
The Russian attacks this past year on our democratic processes and
political institutions are a salient reminder of the damage state
adversaries like Russia can inflict.
Just last year, GAO surveyed agencies with ``high-impact''
systems--those that hold information so sensitive that a breach could
cause catastrophic harm to individuals, the Government, or the Nation.
The survey showed that cyber attacks from state actors represented the
most serious and frequent threat these agencies faced.
This same team of GAO analysts, one of whom we have with us today,
revealed that from 2006 to 2015, the number of cyber attacks on Federal
agencies went from about 5,500 per year to over 77,000--a 1,300%
increase.
We also know that our Government networks have not only been
targeted, they have also been infiltrated.
Successful cyber attacks have been carried out against the Office
of Personnel Management, the Internal Revenue Service, and the
Departments of State, Defense, Veterans Affairs, and Health and Human
Services, to name just a few.
To be clear, there is no one-size-fits-all, ``silver bullet'' for
securing Federal networks.
That said, there are some positive signs that current efforts may
be having an impact. A recent report from the Office of Management and
Budget shows that, over the last year, the number of cyber attacks on
U.S. Government networks has gone down--not up--for the first time in a
decade.
I am also interested to hear from DHS and GAO on the extent to
which this downward trend may be attributable, at least in part, to
greater adoption of the EINSTEIN program by Federal agencies.
I look forward to hearing from this panel about how DHS is working
with its Federal partners to deliver cybersecurity services that are
valuable, affordable, and effective.
Mr. Ratcliffe. Thank the gentleman.
The Chair now recognizes the Chairman of our full
committee, my colleague from Texas, Mr. McCaul, for an opening
statement.
Chairman McCaul. Thank you, Mr. Chairman and Ranking
Member. I want to thank the subcommittee for the good work that
you have been doing, not only last Congress, but I know we have
a lot of work to do in this Congress. I look forward to that.
Just last week, our committee heard from top former cyber
and National security officials, including General Keith
Alexander, that we must rise to the challenge in combatting
growing cyber risk, and that we must up our game on our
defense. We heard about the wide range of cyber threats we face
from nation-states, hacktivists, and criminals.
Russia meddled in the 2016 Presidential election and
Russian intelligence agents were indicted in the massive breach
of Yahoo. North Korea attacked Sony Pictures. Iran hit the
financial sector.
China continues to be one of the Nation's top cybersecurity
threats. As we all remember in 2015, Chinese hackers stole 20
million security clearances, including my own, and many in this
room, in a breach at the Office of Personnel Management.
Recently, the alleged hack of the CIA has WikiLeaks
publishing over 8,000 pages of documents with some of the most
highly sensitive cyber weapons.
These blinking red alarms are the reason we are here today.
We need to ensure that our Federal departments and agencies are
properly defended from attacks. We do not have time to wait.
Over the last several years, I have championed a number of
bills out of this committee that put DHS in the lead for
operational control and to operationally secure the dot-gov
domain, helping to better protect critical infrastructure,
hiring cyber talent at NPPD, being the hub for the cyber threat
information sharing and providing voluntary assistance to the
private sector.
In late 2015, the Cybersecurity Act became law, and
included language authorizing DHS to deploy intrusion detection
and prevention capabilities and to support its continuous
diagnostics and mitigation endeavors across the Federal
civilian enterprise.
This law requires Federal agencies to utilize the intrusion
detection and prevention capabilities. At the end of last year,
the Department announced it was providing cybersecurity
services to 93 percent of the Executive branch's civilian work
force.
But perimeter detection is only one part of what needs to
be a larger part and more holistic defense-in-depth strategy
and architecture. DHS must adopt an entire suite of tools and
technologies while ensuring its capabilities are keeping up
with the evolving cyber threats that we discussed at last
week's hearing.
As I mentioned last week, this committee will be moving
legislation soon to create a stronger, consolidated
cybersecurity agency at the Department of Homeland Security.
This proposal will elevate the cybersecurity mission at DHS
at a critical time and further enhance cyber operations,
including those to more effectively secure Federal networks.
This will help step up our cyber defense efforts and attract
top talent, as we have already begun to work with DHS and
others to make that a reality.
So I want to thank the Chair and Ranking Member for holding
this hearing. I look forward to seeing the testimony. With
that, I yield back.
[The statement of Chairman McCaul follows:]
Statement of Chairman Michael T. McCaul
March 28, 2017
I look forward to hearing from our witnesses today on this
essential aspect of the DHS cybersecurity mission, protecting our
Federal civilian networks.
Just last week, our Committee heard from top former cyber and
National security officials, including General Keith Alexander, that we
must rise to the challenge in combating growing cyber risks and that we
must up our game on defense.
We heard about the wide range of cyber threats we face from nation-
states, hacktivists, and criminals.
Russia meddled in the 2016 Presidential election and Russian
intelligence agents were indicted in the massive breach of Yahoo.
North Korea attacked Sony Pictures.
Iran hit the financial sector.
China continues to be one of the Nation's top cybersecurity threats
and, as we all remember, in 2015, Chinese hackers stole 20 million
security clearances--including my own--in a breach of the Office of
Personnel Management.
And, recently, the alleged hack of the CIA has WikiLeaks publishing
over 8,000 pages of documents with some of the most highly sensitive
cyber weapons.
These blinking red alarms are the reason we are here today. We need
to ensure that our Federal departments and agencies are properly
defended from attacks; we do NOT have time to wait.
Over the last several years, I have championed a number of bills
that put DHS in the lead for operationally securing the ``dot-gov''
domain, helping to better protect critical infrastructure, hiring cyber
talent at NPPD, being the hub for cyber threat information sharing, and
providing voluntary assistance to the private sector.
In late 2015, the Cybersecurity Act became law and included
language authorizing DHS to deploy intrusion detection and prevention
capabilities and to support its continuous diagnostics and mitigation
endeavors across the Federal civilian enterprise.
The law requires Federal agencies to utilize the intrusion
detection and prevention capabilities and at the end of last year, the
Department announced it was providing cybersecurity services to 93
percent of the Executive branch's civilian workforce.
But perimeter detection is only one part of what needs to be a
larger and more holistic defense-in-depth strategy and architecture.
DHS must adopt an entire suite of tools and technologies while
ensuring its capabilities are keeping up with the evolving cyber
threats that we discussed at last week's cyber threat hearing.
As I mentioned last week, this committee will be moving legislation
soon to create a stronger, consolidated cybersecurity agency at the
Department of Homeland Security. This proposal will elevate the
cybersecurity mission at DHS and further enhance cyber operations,
including those to more effectively secure Federal networks.
This will help us step up our cyber defense efforts and attract top
talent.
And we have already begun to work with DHS and others to make that
a reality.
Today, I hope to hear from DHS about how it is working to protect
our Federal departments and agencies from these sophisticated cyber
threats and what more assistance may be needed. As I'm sure everyone
here can agree, we cannot afford another OPM-style breach, we must
better ensure our Nation's most sensitive information is protected
without any delay.
Mr. Ratcliffe. Thank you, Chairman.
The Chair now recognizes the Ranking Minority Member of the
full committee, the gentleman from Mississippi, Mr. Thompson
for his opening statement.
Mr. Thompson. Thank you very much, Mr. Chairman. I welcome
a suite of witnesses here today, and I look forward to their
testimony.
Cyber attacks against Federal networks and the Nation have
been increasing in frequency in recent years with high-profile
breaches of Federal systems at the White House, State
Department, Veterans Affairs, and the Office of Personnel
Management.
These breaches, many of which are believed to be carried
out at the direction of state actors, have called into question
the ability of the Federal Government to adequately secure its
data and network.
For instance, there was a massive OPM breach that occurred
2 years ago. In that attack, the personnel records of at least
22 million people were stolen.
These records included very sensitive and personal
information about not just Federal employees and contractors,
but also about their families and friends. Hackers believed to
be working for the Chinese government carried out this
malicious attack.
Last week, the committee heard from National security
experts about the growing and gathering threat posed by State
actors, most notably China, Iran, North Korea, and Russia.
I was struck, however, by the testimony of Dr. Frank
Cilluffo, from the George Washington University, who
characterized the threats posed by these countries in the
following way. ``Russia is the most capable. China is very
active in computer network exploit or espionage activity. And
North Korea and Iran are the most likely to turn to computer
networks attacks to damage our systems.''
With respect to Russia, the threat posed by Vladimir Putin
has become a kitchen table topic. Americans want to know more
about the cyber hacking and influence operation that Putin
directed against our democracy in the lead-up to the 2016
elections.
They also want to know if there was any collusion between
U.S. persons and Russian operatives, to carry out what FBI
Director James Comey has called a ``successful operation.''
These are not minor or trivial concerns. The Russians, as
Director Comey has determined, are proud to have sown doubt
about the nature of our democratic process and because they
were successful, he warned that they will be back.
Mr. Chairman, I was pleased to hear you acknowledge at last
week's hearing, that these actions by Russia were an invasion
of the privacy of citizens and that they undermined our
democratic institutions and elections.
Given that the House Intelligence Committee's bipartisan
inquiry seems to be unraveling at the hands of its Chairman,
now is the time for Members of Congress, regardless of party,
to stand together in support of a nonpartisan commission, one
akin to the 9/11 Commission.
Turning back to the witnesses before us today, I look
forward to hearing from the panel on how DHS is progressing in
its Federal cybersecurity role and what more can be done within
DHS and across the Federal Government to better mitigate,
respond to, and recover from attacks on Federal information
systems.
With that, Mr. Chairman, I yield back.
[The statement of Ranking Member Thompson follows:]
Statement of Ranking Member Bennie G. Thompson
March 28, 2017
Cyber attacks against Federal networks and the Nation have been
increasing in frequency in recent years, with high-profile breaches of
Federal systems at the White House, State Department, Veterans Affairs,
and the Office of Personnel Management (OPM).
These breaches, many of which are believed to be carried out at the
direction of state actors, have called into question the ability of the
Federal Government to adequately secure its data and networks.
For instance, there was the massive OPM breach that occurred 2
years ago. In that attack, the personnel records of at least 22 million
people were stolen. These records included very sensitive and personal
information about not just Federal employees and contractors but also
about their families and friends. Hackers believed to be working for
the Chinese government carried out this malicious attack.
Last week, the committee heard from National security experts about
the growing and gathering threat posed by state actors--most notably
China, Iran, North Korea, and Russia. I was struck by the testimony of
Dr. Frank Cilluffo from the George Washington University who
characterized the threats posed by these countries in the following
way--``Russia is the most capable, China is very active in computer
network exploit or espionage activity,'' and North Korea and Iran are
the most likely ``to turn to computer network attacks'' to damage our
systems.
With respect to Russia, the threat posed by Vladimir Putin has
become a ``kitchen table'' topic. Americans want to know more about the
cyber hacking and influence operation that Putin directed against our
democracy in the lead up to the 2016 election.
They also want to know if there was any collusion between U.S.
persons and Russian operatives to carry out what FBI Director James
Comey has called a ``successful'' operation. These are not minor or
trivial concerns. The Russians, as Director Comey has determined, are
proud to have ``sowed doubt about the nature of our democratic
process'' and because they were successful, he warned that ``they'll be
back.''
Mr. Chairman, I was pleased to hear you acknowledge at last week's
hearing that these actions by Russia were an invasion of the privacy of
citizens and that they undermined our democratic institutions and
elections.
Given that the House Intelligence Committee's bipartisan inquiry
seems to be unraveling at the hands of its Chairman, now is the time
for Members of Congress--regardless of party--to stand together in
support of a non-partisan commission, one akin to the 9/11 commission.
Turning back to the witnesses before us today, I look forward to
hearing from the panel on how DHS is progressing in its Federal
cybersecurity role and what more can be done within DHS and across the
Federal Government to better mitigate, respond to, and recover from
attacks on Federal information systems.
Mr. Ratcliffe. Thank the gentleman. Other Members of the
committee are reminded that opening statements may be submitted
for the record.
[The statement of Honorable Jackson Lee follows:]
Statement of Honorable Sheila Jackson Lee
March 28, 2017
Chairman Ratcliffe and Ranking Member Richmond, thank you for
convening this opportunity for the Homeland Security Committee
Subcommittee on Cybersecurity & Infrastructure Protection to review
``The Current State of DHS's Efforts to Secure Federal Networks.''
Today's hearing will give Members of the Committee an opportunity
to hear from individuals inside the Department of Homeland Security
(DHS), the Government Accountability Office, and the Congressional
Research Service.
I thank today's witnesses:
Jeanette Manfra, Deputy Under Secretary for Cybersecurity
and Communications (Acting), National Programs & Protection
Directorate, Department of Homeland Security;
Gregory Wilshusen, Director, Information Security Issues,
Government Accountability Office; and
Chris Jaikaran, Cybersecurity Analyst, Congressional
Research Service (Democratic Witness).
Today's hearing will also give Members an opportunity to learn more
about DHS's work to create a common security baseline across Federal
civilian agencies.
This hearing will also provide an update on the operation of an
intrusion prevention and detection service known as EINSTEIN, which is
designed to insulate Federal networks from attacks and gather threat
intelligence.
In the first few weeks of this Congress, I introduced a number of
measures on the topic of cybersecurity to address gaps in our Nation's
cyber defensive posture:
CAPITALS Act--H.R. 54--legislation seeking a report on the
feasibility of developing a DHS Civilian Cyber Defense National
Resource to protect our Nation's critical infrastructure in the
event of a terrorist cyber attack;
SCOUTS Act--H.R. 940--a bill to secure public utilities from
terrorist threats;
SAFETI Act--H.R. 950--directs the Secretary of DHS to
provide a report on the agency's response to the Russian attack
against our Nation's election system;
Terrorism Prevention and Critical Infrastructure--H.R. 945;
and
The Cybersecurity and Federal Workforce Enhancement Act--
H.R. 935.
CAPITALS Act--H.R. 54, directs that the Department of Homeland
Security (DHS) must report to Congress regarding the feasibility of
establishing a DHS Civilian Cyber Defense National Resource.
The report provided by the CAPITALS Act will address:
the number of persons who would be needed to defend the
critical infrastructure of the United States from a cyber
attack or man-made intentional or unintentional catastrophic
incident;
elements of DHS that would be best equipped to recruit,
train, and manage such a resource;
resources that could be pre-positioned and training that
could be instilled to assure responsiveness if an incident
disrupts communications in a region or area;
the impact of potential recruits' lack of experience in
military, intelligence, law enforcement, or Government work
experience;
logistics of allowing Governors to make requests of DHS to
use such a resource in States during times of cyber emergency;
and
whether a resource trained to defend U.S. networks in a
major attack or natural or man-made disaster will benefit
overall efforts to defend the interests of the United States.
H.R. 940, the ``Securing Communications of Utilities from Terrorist
Threats'' or the ``SCOUTS Act,'' directs the Secretary of Homeland
Security, in coordination with the sector-specific agencies, to work
with critical infrastructure owners and operators and State, local,
Tribal, and territorial entities to seek voluntary participation in a
dialogue with DHS on how the agency can best assist Critical
Infrastructure's defense against and recovery from terrorist attacks.
H.R. 950, requires a report and assessment regarding Department of
Homeland Security's response to terrorist threats to Federal elections.
The Comptroller General of the United States is directed to conduct an
assessment of the effectiveness of Department of Homeland Security
actions to protect election systems from cyber attacks and to make
recommendations for improvements to the actions taken by DHS if
determined appropriate.
H.R. 935, The ``Cybersecurity and Federal Workforce Enhancement
Act'' identifies and trains people already in the workforce who can
obtain the skills to address our Nation's deficit in the number of
workers and positions available for those with needed skills.
On June 4, 2015, Office of Personnel Management announced that it
would be notifying over 4 million current and former Federal employees
of a data breach thought to be committed by Chinese hackers.
OPM officials said that the hacking exposed employees' job
assignments, performance, and training.
It was later disclosed that the hackers also gained access to
``background or clearance investigations'' data.
In February 2016, it was reported in the Hill that personal
information on 9,000 DHS employees was published on-line.
The information posted on the internet includes names, job titles,
email addresses, and phone numbers of employees.
The hacker said they obtained the data by ``compromising the email
account'' of an employee in the Department of Justice.
The security of civil agency networks should be of the greatest
concern following what we know was an extensive intrusion into public,
and private computing networks last year in Russia's efforts to
undermine our Nation's democratic process.
In 2016, it was reported that the Election Assistance Commission,
the agency responsible for certifying the security of voting machines,
reportedly fell victim to what is believed to have been a Russian
hacker.
The Security firm ``Recorded Future'' reported that it discovered
EAC employees' computer access information for sale on the internet
black market.
In February 2016, the IRS revealed it discovered and stopped an
automated cyber attack on its e-filing personal identification number
(PIN) system.
The IRS reported that cyber criminals used information stolen from
another source to generate 101,000 e-file PINs from taxpayers' stolen
Social Security numbers (SSNs).
E-file PINs are used by some taxpayers to electronically file their
tax returns--it is worth noting the difficulty the IRS has seen in the
past with thieves filing taxes and receiving tax payments due to
taxpayers.
The number and severity of data breaches has only grown over the
last few years.
We can and we must do better at protecting civilian agencies and
their data assets from compromise.
I am pleased at the progress being made with Majority and Minority
committee staff, along with my staff in finalizing the Prevent Zero Day
Events Act, which I plan to introduce.
The Prevent Zero Day Events Act will help DHS in working with
Federal agencies in developing strategies for detecting Zero Day
events, which are software or firmware vulnerabilities that have gone
undetected, but if exploited by a terrorist, would pose a significant
threat to the ability of agencies to function.
I look forward to your testimony and the testimony of the second
panel for today's hearing.
Thank you.
Mr. Ratcliffe. We are pleased to have a very distinguished
panel of witnesses before us today on this most important
topic.
Ms. Jeanette Manfra is the acting deputy under secretary
for cybersecurity in the Department of Homeland Security.
Welcome.
Mr. Greg Wilshusen is the director for information security
issues for the U.S. Government Accountability Office. Good to
see you again, Mr. Wilshusen.
Mr. Chris Jaikaran is an analyst for cybersecurity policy for
the Congressional Research Service. Welcome.
I would now ask all of you to stand and raise your right
hand so I can swear you in to testify.
[Witnesses sworn.]
Let the record reflect that each witness has answered in
the affirmative. You may be seated. The witnesses' full written
statements will appear in the record.
The Chair now recognizes Ms. Manfra for 5 minutes for her
opening statement.
STATEMENT OF JEANETTE MANFRA, ACTING DEPUTY UNDER SECRETARY FOR
CYBERSECURITY, NATIONAL PROTECTION AND PROGRAMS DIRECTORATE,
U.S. DEPARTMENT OF HOMELAND SECURITY
Ms. Manfra. Thank you, sir. Chairman Ratcliffe, Ranking
Member Richmond, Chairman McCaul, Ranking Member Thompson, and
Members of the committee, thank you for today's opportunity to
discuss DHS's efforts to secure Federal networks.
Cybersecurity remains one of the most significant risks
facing the United States. Working with Congress, we have
focused on a range of actions to confront this evolving
challenge.
By law, Federal agencies have responsibility for their own
cybersecurity. Our goal is to protect agencies against
cybersecurity incidents and to help each agency effectively
safeguard their own systems and networks.
We achieve these goals in four ways: No. 1, by providing a
baseline of security for civilian agencies through the National
Cybersecurity Protection System, or NCPS, and the Continuous
Diagnostics and Mitigation Program; No. 2, by conducting risk
assessments and directing agency action as needed; No. 3, by
serving as an information-sharing hub; and No. 4, by providing
incident response assistance.
Our first focus area is identifying, prioritizing, and
enabling mitigation of cybersecurity threats facing civilian
agencies through NCPS, of which EINSTEIN is the principal
component.
Recognizing the importance of EINSTEIN, Congress mandated
that all civilian agencies fully implement the system,
resulting in an increase in EINSTEIN 3 Accelerated coverage
from 38 percent to 93 percent over the past year. We are
working with the remaining civilian agencies to facilitate full
participation.
We recognize that many sophisticated adversaries cannot be
blocked by signatures of known threats. NCPS is a platform and
EINSTEIN is only a first step. Moving forward, we are pursuing
three lines of effort.
First, increasing the number of known cyber threat
indicators available. Second, deploying reputation scoring to
help Government agencies prioritize specific indicators based
upon the likely severity of the threat. Third, piloting an
advanced analytics capability to identify anomalous activity
that could be a previously-unknown threat.
Effective cybersecurity must address threats. But agencies
must also identify and fix known vulnerabilities. Through the
Continuous Diagnostics and Mitigation, or CDM, program, DHS
provides Federal civilian agencies with tools to gain
visibility, often for the first time, into the extent of
cybersecurity risk across their entire network and prioritize
identified issues.
DHS also conducts risk assessments, based upon a
standardized methodology and informed by an understanding of
relevant threats.
In fiscal year 2017, we are continuing to focus on the most
critical systems. DHS leveraged the authority from the
Cybersecurity Act of 2015 to issue a binding operational
directive, mandating that agencies participate in our high-
value asset assessment process and fix identified
vulnerabilities within 30 days.
Cybersecurity threats are constantly changing as our
adversaries implement new tactics, techniques, and procedures.
Recognizing this fact, Congress established our NCCIC as a
civilian hub for cyber threat indicators and defensive
measures, with Federal and non-Federal entities.
As required by the Cybersecurity Act of 2015, we automated
the sharing of our cyber-threat indicators, while protecting
privacy and civil liberties.
Persistent adversaries will find ways to infiltrate
networks. When an incident occurs, our NCCIC offers assistance
to find the adversary, drive them out, restore critical
services, and improve security moving forward.
In closing, while we have made progress, we must do more to
confront the continually-evolving threats facing our Nation.
This commitment to do more is at the core of the pending DHS
cybersecurity strategy. This administration is committed to
making significant investments in cybersecurity and modernizing
our Federal IT infrastructure.
In the fiscal year 2018 budget blueprint, the President
requested $1.5 billion for DHS to safeguard cyberspace. The
Department views the IT modernization effort as an opportunity
to review the current approach to Federal network security and
potentially make generational advances in the capabilities we
offer.
We must also ensure that DHS is appropriately organized to
address cybersecurity threats. We appreciate the Chairman of
the committee's leadership in working to reauthorize the
Department.
As the committee considers these issues, we are committed
to working with Congress to ensure a homeland that is more
safe, secure, and resilient.
Thank you for the opportunity to testify, and I look
forward to any questions you may have.
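The following is an added editorial example, not part of Ms. Manfra's testimony and not DHS or EINSTEIN code. It sketches in Python the signature-based model described in the statement: known threat indicators matched against network telemetry, a reputation score used to rank them by likely severity, and the two prevention actions the prepared statement attributes to EINSTEIN 3A (DNS sinkholing and email filtering) taken only on fresh, confident matches, with weaker matches producing an alert rather than a block. The indicator values, log line format, sinkhole address, threshold and scoring formula are all constructed assumptions.

```python
"""Indicator matching with reputation scoring over constructed log lines.

Editorial example only: not DHS or EINSTEIN code. Indicators, log format,
sinkhole address and scoring weights are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

SINKHOLE_IP = "192.0.2.1"   # assumed sinkhole answer (TEST-NET-1, never routable)
MIN_BLOCK_SCORE = 2.0       # assumed threshold: below it we alert, we do not block


@dataclass(frozen=True)
class Indicator:
    kind: str            # "domain", "ip" or "sender"
    value: str
    severity: int        # 1 (nuisance) .. 10 (active targeted intrusion)
    confidence: float    # 0.0 .. 1.0, trust in the source of the indicator
    last_seen: datetime  # when the indicator was last observed in use


def reputation(ind, now):
    """Assumed score: severity x confidence, decaying linearly to zero over
    90 days since last seen. Old indicators still alert but no longer block."""
    age_days = max(0, (now - ind.last_seen).days)
    freshness = max(0.0, 1.0 - age_days / 90.0)
    return round(ind.severity * ind.confidence * freshness, 2)


def build_index(indicators):
    """One dict per indicator kind for O(1) lookups, keys lower-cased."""
    idx = {"domain": {}, "ip": {}, "sender": {}}
    for ind in indicators:
        idx[ind.kind][ind.value.lower()] = ind
    return idx


def parse_event(line):
    """Constructed log format: '<timestamp> <kind> key=value key=value ...'."""
    ts, kind, *fields = line.split()
    ev = {"ts": ts, "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def match_domain(qname, domains):
    """Match the queried name and each parent label, so a query for
    update.evil-cdn.example hits an indicator for evil-cdn.example.
    The bare top-level label is never tried."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        hit = domains.get(".".join(labels[i:]))
        if hit is not None:
            return hit
    return None


def decide(ev, idx, now):
    """Map one parsed event to an action: sinkhole (DNS) or filter (mail) on a
    strong match; alert only on weak matches or on flows, which this model
    detects but does not block; allow when nothing matches."""
    ind = None
    if ev["kind"] == "dns":
        ind = match_domain(ev["qname"], idx["domain"])
    elif ev["kind"] == "smtp":
        ind = idx["sender"].get(ev["from"].lower())
    elif ev["kind"] == "flow":
        ind = idx["ip"].get(ev.get("dst", ""))
    if ind is None:
        return {"action": "allow", "score": 0.0, "event": ev}
    score = reputation(ind, now)
    if score < MIN_BLOCK_SCORE:
        action = "alert"
    elif ev["kind"] == "dns":
        action = "sinkhole"
    elif ev["kind"] == "smtp":
        action = "filter"
    else:
        action = "alert"
    return {"action": action, "score": score, "event": ev, "indicator": ind.value,
            "answer": SINKHOLE_IP if action == "sinkhole" else None}


def triage(lines, indicators, now):
    """Every non-allow decision, highest score first: the analyst's work queue."""
    idx = build_index(indicators)
    hits = [decide(parse_event(line), idx, now) for line in lines]
    return sorted((h for h in hits if h["action"] != "allow"),
                  key=lambda h: h["score"], reverse=True)


# Constructed indicators and log lines (not real threat data or agency traffic).
UTC = timezone.utc
NOW = datetime(2017, 3, 28, tzinfo=UTC)
INDICATORS = [
    Indicator("domain", "evil-cdn.example", 9, 0.9, datetime(2017, 3, 20, tzinfo=UTC)),
    Indicator("domain", "old-c2.example", 9, 0.9, datetime(2016, 11, 1, tzinfo=UTC)),
    Indicator("ip", "203.0.113.77", 6, 0.7, datetime(2017, 3, 25, tzinfo=UTC)),
    Indicator("sender", "payroll@phish.example", 7, 0.8, datetime(2017, 3, 27, tzinfo=UTC)),
]
LOGS = [
    "2017-03-28T09:01:02Z dns client=10.1.1.5 qname=update.evil-cdn.example",
    "2017-03-28T09:01:03Z dns client=10.1.1.5 qname=www.gpo.gov",
    "2017-03-28T09:02:10Z dns client=10.1.2.9 qname=old-c2.example",
    "2017-03-28T09:03:44Z smtp from=payroll@phish.example to=user@agency.example",
    "2017-03-28T09:04:00Z flow src=10.1.1.5 dst=203.0.113.77 dport=443",
]

if __name__ == "__main__":
    for hit in triage(LOGS, INDICATORS, NOW):
        print(f'{hit["score"]:5.2f} {hit["action"]:9} {hit["indicator"]}  <- {hit["event"]["ts"]}')
```

Run stand-alone, triage() returns four hits in score order: the fresh evil-cdn.example query is sinkholed, the phishing sender is filtered, the flow to the listed address only alerts, and the months-old old-c2.example indicator scores zero and alerts without blocking. That last case is the practical reason for scoring rather than blocking on every indicator ever received. A production sinkhole would also record the answer it replaced so analysts can confirm which hosts tried to reach the name.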
[The prepared statement of Ms. Manfra follows:]
Prepared Statement of Jeanette Manfra
March 28, 2017
introduction
Chairman Ratcliffe, Ranking Member Richmond, and Members of the
committee, thank you for the opportunity to appear before you today.
Cybersecurity remains one of the most significant strategic risks to
the United States. The past several years have seen a steady drumbeat
of cybersecurity compromises affecting the Federal Government, State
and local governments, and the private sector. Working with Congress,
we have focused on a range of actions to confront this evolving
challenge. By bringing together all levels of government, the private
sector, international partners, and the public, we are taking action to
protect against cybersecurity risks, improve our whole-of-Government
incident response capabilities, enhance sharing of information on best
practices and cyber threats, and strengthen resilience. The Department
of Homeland Security (DHS), through the National Protection and
Programs Directorate (NPPD), leads the Federal Government's efforts to
secure our Nation's critical infrastructure and protect Federal
civilian networks from malicious cyber activity.
Over the past few years, the Federal Government has made
significant progress in improving agency cybersecurity, establishing a
common baseline of protection, and codifying roles and responsibilities
to effectively manage cybersecurity risks and incidents. Through
engagements with State, local, Tribal, and territorial (SLTT)
governments, and the private sector, we have provided technical
assistance upon request and expanded information-sharing capabilities
to improve situational awareness of threats, vulnerabilities,
incidents, mitigation, and recovery actions. Today, I will discuss the
roles of NPPD in protecting the Federal civilian Executive branch
networks.
Under the Federal Information Security Modernization Act of 2014
(FISMA), agencies have primary responsibility for their own
cybersecurity, the Office of Management and Budget (OMB) generally
develops and oversees agency implementation of information security
policies and practices, and DHS administers the implementation of those
policies and practices. As part of securing their own systems, agencies
must comply with OMB policies, DHS directives, and National Institute
of Standards and Technology (NIST) standards and guidelines. DHS,
pursuant to its various authorities, provides a common set of security
tools across the civilian Executive branch and helps agencies manage
their cyber risk. NPPD's assistance to agencies includes: (1) Providing
tools to safeguard civilian Executive branch networks through the
National Cybersecurity Protection System (NCPS), which includes
EINSTEIN, and Continuous Diagnostics and Mitigation (CDM) programs, (2)
measuring and motivating agencies to implement policies, directives,
standards, and guidelines, (3) serving as a hub for information sharing
and incident reporting, and (4) providing operational and technical
assistance, including threat information dissemination and risk and
vulnerability assessments, as well as incident response services. DHS's
National Cybersecurity and Communications Integration Center (NCCIC) is
the civilian government's hub for cybersecurity information sharing,
asset incident response, and coordination.
EINSTEIN
EINSTEIN refers to the suite of intrusion detection and prevention
capabilities that protects agencies' Unclassified networks at the
perimeter of each agency. EINSTEIN provides situational awareness of
civilian Executive branch network traffic, so threats detected at one
agency are shared with all others, providing agencies with information
and capabilities to more effectively manage their cyber risk. The U.S.
Government could not achieve such situational awareness through
individual agency efforts alone.
The first two phases of EINSTEIN--EINSTEIN 1 and 2--allow DHS to
identify potentially malicious activity and to conduct critical
analysis after an incident occurs, as well as to detect known malicious
traffic. In 2015, DHS estimated these capabilities screened over 90
percent of all Federal civilian internet traffic. On a typical day,
EINSTEIN 2 intrusion detection sensors generate approximately 30,000
alerts about potential malicious cyber activity. These alerts are
evaluated by DHS cybersecurity analysts to determine whether the alert
represents an active threat and potential compromise, and if further
mitigation or remediation is needed.
EINSTEIN 3 Accelerated (EINSTEIN 3A) is the intrusion prevention
capability, which blocks known malicious traffic. Intrusion prevention
is provided as a service by internet service providers (ISPs) serving
the Federal Government. The initial implementation of EINSTEIN 3A
involves two intrusion prevention security services by the ISPs: domain
name server (DNS) sinkholing and email filtering. DHS is working with
the ISPs to add further protections. EINSTEIN 1 and 2 use only
Unclassified cyber threat indicators, while EINSTEIN 3A uses
Unclassified and Classified indicators. These signature-based
capabilities use indicators of compromise to detect and block known
malicious traffic.
In the Cybersecurity Act of 2015, Congress directed each Executive
branch civilian agency to apply available EINSTEIN protections to all
information traveling to or from an agency information system by
December 18, 2016. Agencies have made significant progress in
implementing available EINSTEIN protections. Prior to passage of the
Act, EINSTEIN 3A covered approximately 38 percent of Federal civilian
users. Today, EINSTEIN 3A is protecting a significant percentage of the
Executive branch civilian workforce at the 23 largest agencies and most
agencies have at least one of its two intrusion prevention
capabilities. DHS continues to work with all remaining Federal civilian
agencies to facilitate their full participation in EINSTEIN. At the
same time, our NCPS program is also developing new capabilities and
conducting a strategic review of the program architecture that will
provide even more protections for Federal agencies.
Today, EINSTEIN is a signature-based intrusion detection and
prevention capability that takes action on known malicious activity.
Leveraging existing investments in the ISP infrastructure, our non-
signature-based pilot efforts to move beyond current reliance on
signatures are yielding positive results in the discovery of
previously-unidentified malicious activity. DHS is demonstrating the
ability to capture data that can be rapidly analyzed for anomalous
activity using technologies from commercial, Government, and open
sources. The pilot efforts are also defining the future operational
needs for tactics, techniques, and procedures as well as the skill sets
and personnel required to operationalize the non-signature based
approach to cybersecurity.
SLTT governments are able to access intrusion detection and
analysis services through the Multi-State Information Sharing and
Analysis Center (MS-ISAC). MS-ISAC's service, called Albert, closely
resembles EINSTEIN 2. While the current version of Albert cannot
actively block known cyber threats, it can alert cybersecurity
officials to an issue for further investigation. DHS worked closely
with MS-ISAC to develop the program and considers MS-ISAC to be the
principal conduit for sharing cybersecurity information with State
governments.
Continuous Diagnostics and Mitigation (CDM)
EINSTEIN, our tool to address perimeter security, will not block
every threat; therefore, it must be complemented with systems and tools
working inside agency networks--as effective cybersecurity risk
management requires a defense-in-depth strategy that cannot be achieved
through only one type of tool. CDM provides cybersecurity tools and
integration services to all participating agencies to enable them to
improve their respective security postures by reducing the attack
surface of their networks as well as providing DHS with enterprise-wide
visibility through a common Federal dashboard. CDM is divided into four
phases:
CDM Phase 1 identifies all computers and software on agency
networks and checks for known vulnerabilities.
CDM Phase 2 allows agencies to better manage identities,
accounts, and privileges for the people and services using
their networks.
CDM Phase 3 will assess activity happening on agencies'
networks to identify anomalies and alert security personnel.
CDM Phase 4 will protect sensitive and high-value data
within agency networks.
Significant progress has been made in the deployment of CDM. DHS
has assessed the needs of the Executive branch civilian agencies and
has completed the purchasing of most CDM Phase 1 tools. Agencies are
now installing the tools across their networks, including six agencies
that have fully deployed all Phase 1 tools as well as the agency
dashboards, which give network administrators visibility into the
current state of their networks to better identify and prioritize areas
of cyber risk. DHS has also awarded two CDM Phase 2 contracts, focusing
on strong authentication for administrative users as well as general
users, making the associated tools available to all participating
agencies.
This summer, CDM will begin supplementing the existing CDM agency
dashboards by introducing the Federal CDM Dashboard, which will provide
the National Cybersecurity and Communications Integration Center
(NCCIC) with greater insight into the Federal enterprise cybersecurity
posture. The summary data available at the Federal level presents a
view of the relative risk and network health across the Federal
Government to inform policy decisions and operational guidance, provide
timely reporting for addressing critical issues affecting multiple
agencies, and enable cost-effective and efficient FISMA reporting.
CDM will help us achieve two major advances for Federal
cybersecurity. First, agencies will have visibility, often for the
first time, into the extent of cybersecurity risks across their entire
network and gain the ability to prioritize identified issues based upon
their relative importance. Second, the NCCIC will be able to identify
systemic risks across the civilian Executive branch. An example is
illustrative. Currently, when a vendor announces a major vulnerability,
the NCCIC tracks Government-wide progress in implementing critical
patches via agency self-reporting and manual data calls. CDM will allow
the NCCIC to immediately view the prevalence of a given device or
software type across the Federal Government so that the NCCIC can
provide agencies with timely guidance on their risk exposure. Effective
cybersecurity requires a robust measurement regime, and robust
measurement requires valid and timely data. CDM will provide this
baseline of cybersecurity risk data to drive improvement across the
civilian Executive branch.
CDM tools are currently available through a blanket purchase
agreement negotiated by the General Services Administration on DHS's
behalf. This agreement leverages the Government-wide volume to provide
the best value and cost savings to the Federal Government. For example,
by grouping agency requirements in Phases 1 and 2, we have saved the
Federal Government millions of dollars on product purchases. Many SLTT
governments are also able to purchase tools from this purchase
agreement. By purchasing commercial CDM tools, SLTT governments can
take advantage of bulk purchasing cost savings and invest those savings
in their own cybersecurity resilience.
Measuring and Motivating Agencies to Improve Cybersecurity
DHS conducts a number of activities to measure agencies'
cybersecurity practices and work with agencies to improve risk
management practices.
The Cybersecurity Framework is voluntary guidance, based on
existing standards, guidelines, and practices to help organizations
better manage and reduce cybersecurity risk and was developed by NIST
through collaboration with diverse parts of industry, academia, and
Government, including DHS. DHS promotes the use of NIST standards,
guidelines, and minimum information security requirements, including the
Cybersecurity Framework.
FISMA provided the Secretary of Homeland Security with the
authority to develop and oversee implementation of binding operational
directives to agencies. In 2016, the Secretary issued a binding
operational directive on securing high-value assets (HVA), or those
assets, Federal information systems, information, and data for which
unauthorized access, use, disclosure, disruption, modification, or
destruction could cause a significant impact to the United States'
National security interests, foreign relations, economy, or to the
public confidence, civil liberties, or public health and safety of the
American people. DHS works with several interagency partners to
prioritize HVAs for assessment and remediation activities across the
Federal Government. For instance, DHS conducts security architecture
reviews on these HVAs to help agencies assess their network
architecture and configurations.
As part of the effort to secure HVAs, DHS conducts in-depth
vulnerability assessments of prioritized agency HVAs to determine how
an adversary could penetrate a system, move around an agency's network
to access sensitive data, and exfiltrate such data without being
detected. These assessments include services such as penetration
testing, wireless security analysis, and ``phishing'' evaluations in
which DHS hackers send emails to agency personnel and test whether
recipients click on potentially malicious links. DHS has focused these
assessments on Federal systems that may be of particular interest to
adversaries or support uniquely significant data or services. These
assessments provide system owners with recommendations to address
identified vulnerabilities. DHS provides these same assessments, on a
voluntary basis upon request, to private sector and SLTT partners. DHS
also works with GSA to ensure our industry partners can provide
assessments that align with our HVA initiative to agencies, if
necessary.
Another binding operational directive issued by the Secretary
directs civilian agencies to promptly patch known vulnerabilities on
their Internet-facing devices. The NCCIC conducts Cyber Hygiene scans
to identify vulnerabilities in agencies' internet-accessible devices
and provides mitigation recommendations. Agencies have responded
quickly in implementing the Secretary's binding operational directive
and have sustained this progress. When the Secretary issued this
directive, NPPD identified over 360 ``stale'' critical vulnerabilities
across Federal civilian agencies. By ``stale'' I mean the
vulnerabilities had been known for at least 30 days and were still not
patched. Since December 2015, DHS has identified an average of less
than 40 critical vulnerabilities at any given time, and agencies have
addressed those vulnerabilities rapidly once they were identified.
By conducting vulnerability assessments and security architecture
reviews, DHS is helping agencies find and fix vulnerabilities, and
secure their networks before an incident occurs.
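An added editorial example, not part of the prepared statement and not DHS Cyber Hygiene tooling: a small Python tracker that folds successive external-scan snapshots into per-finding state and reports the critical findings that have stayed open for 30 days or more, the ``stale'' condition defined above. It also handles the two bookkeeping cases that make such counts honest, a finding that disappears from a later scan (closed) and one that reappears after being closed (the clock restarts). Agency names, hosts, scan dates and finding identifiers are constructed placeholders; the finding ids are not real vulnerability identifiers.

```python
"""Stale critical finding tracker over constructed scan snapshots.

Editorial example only: not DHS Cyber Hygiene code. Agencies, hosts, finding
identifiers and dates are placeholders; finding ids are not real CVEs.
"""
from dataclasses import dataclass
from datetime import date

STALE_AFTER_DAYS = 30   # open at least this long without a fix counts as stale


@dataclass(frozen=True)
class Finding:
    agency: str
    host: str
    finding_id: str     # constructed placeholder, not a real vulnerability id
    severity: str       # "critical", "high", "medium" or "low"


def track(scans):
    """Fold scan snapshots, oldest first, into per-finding state.

    A finding opens on the first scan that reports it, closes on the first
    later scan that no longer reports it, and if it reappears after closing
    the clock restarts instead of carrying the earlier age forward."""
    state = {}
    for scan_date, findings in scans:
        seen = set()
        for f in findings:
            key = (f.agency, f.host, f.finding_id)
            seen.add(key)
            rec = state.get(key)
            if rec is None or not rec["open"]:
                state[key] = {"severity": f.severity, "first_seen": scan_date,
                              "open": True, "closed": None}
        for key, rec in state.items():
            if rec["open"] and key not in seen:
                rec["open"] = False
                rec["closed"] = scan_date
    return state


def stale_criticals(state, as_of, threshold=STALE_AFTER_DAYS):
    """Open critical findings aged >= threshold days as of the given date,
    longest-open first so the most overdue items lead the report."""
    out = []
    for (agency, host, fid), rec in state.items():
        if rec["open"] and rec["severity"] == "critical":
            age = (as_of - rec["first_seen"]).days
            if age >= threshold:
                out.append({"agency": agency, "host": host, "finding": fid,
                            "age_days": age, "overdue_days": age - threshold})
    return sorted(out, key=lambda r: (-r["age_days"], r["agency"], r["host"]))


def per_agency_counts(stale):
    """Stale criticals per agency, the figure a directive holds each one to."""
    counts = {}
    for r in stale:
        counts[r["agency"]] = counts.get(r["agency"], 0) + 1
    return counts


# Constructed scan snapshots: (scan date, findings reported on that date).
SCANS = [
    (date(2017, 1, 15), [Finding("A", "a1", "F-101", "critical"),
                         Finding("A", "a2", "F-102", "critical"),
                         Finding("A", "a3", "F-106", "critical"),
                         Finding("B", "b2", "F-104", "high")]),
    (date(2017, 2, 15), [Finding("A", "a1", "F-101", "critical"),
                         Finding("A", "a2", "F-102", "critical"),
                         Finding("B", "b1", "F-103", "critical"),
                         Finding("B", "b2", "F-104", "high")]),
    (date(2017, 3, 20), [Finding("A", "a1", "F-101", "critical"),
                         Finding("A", "a3", "F-106", "critical"),
                         Finding("B", "b1", "F-103", "critical"),
                         Finding("B", "b2", "F-104", "high"),
                         Finding("C", "c1", "F-105", "critical")]),
]
AS_OF = SCANS[-1][0]   # report as of the most recent scan

if __name__ == "__main__":
    report = stale_criticals(track(SCANS), AS_OF)
    for r in report:
        print(f'{r["agency"]} {r["host"]:4} {r["finding"]} open {r["age_days"]}d '
              f'({r["overdue_days"]}d past deadline)')
    print("per agency:", per_agency_counts(report))
```

With the constructed data the report lists two stale criticals: F-101 at agency A, open 64 days, and F-103 at agency B, open 33 days. F-102 dropped out of the March scan and is closed; F-106 vanished in February and returned in March, so its age is counted from March; F-105 is new; F-104 is excluded because it is rated high rather than critical. Using the scan's own date as ``as of'' rather than the wall clock keeps the count reproducible when the report is rebuilt later.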
Information Sharing
By sharing information quickly and widely, we help all partners
block cyber threats before damaging incidents occur. Equally important,
the information we receive from other partners helps us understand
emerging risks and develop effective protective measures.
Congress authorized the NCCIC as the civilian hub for sharing cyber
threat indicators and defensive measures with and among Federal and
non-Federal entities, including the private sector. As required by the
Cybersecurity Act of 2015, we established a capability, known as
Automated Indicator Sharing (AIS), to automate our sharing of cyber
threat indicators in real-time. AIS protects the privacy and civil
liberties of individuals by narrowly tailoring the information shared
to that which is necessary to characterize identified cyber threats,
consistent with long-standing DHS policy and the requirements of the
Act. AIS is a part of the Department's effort to create an ecosystem in
which as soon as a company or Federal agency observes an attempted
compromise, the indicator is shared in real time with all of our
partners, enabling them to protect themselves from that particular
threat. This real-time sharing limits the scalability of any attack
techniques, which increases the costs for adversaries and should reduce
the impact of malicious cyber activity. An ecosystem built around
automated sharing and network defense should enable organizations to
enhance their defenses against the most common cyber attacks, freeing
their cybersecurity staff to concentrate on the novel and sophisticated
attacks. Over 129 agencies and private-sector partners have connected
to DHS's AIS capability. Notably, partners such as information sharing
and analysis organizations (ISAOs) and computer emergency response
teams further share with or protect their customers and stakeholders,
significantly expanding the impact of this capability. AIS is still a
new capability and we expect the volume of threat indicators shared
through this system to substantially increase as the technical
standards, software, and hardware supporting the system continue to be
refined and put into full production. As more indicators are shared from
other Federal agencies, SLTT governments, and the private sector, this
information-sharing environment will become more robust and effective.
Another part of the Department's overall information-sharing effort
is to provide Federal network defenders with the necessary context
regarding cyber threats to prioritize their efforts and inform their
decision making. DHS's Office of Intelligence and Analysis (I&A) is
continuously assessing the specific threats to Federal networks using
traditional all-source methods and indicators of malicious activity
observed by NCCIC sensors so that the NCCIC can share with Federal
network defenders in collaboration with I&A. I&A personnel sit on the
NCCIC watch floor.
Incident Response
Cybersecurity is about risk management, and we cannot eliminate all
risk. Partners that implement best practices and share information will
increase the cost for malicious actors and stop many threats. But
ultimately, persistent adversaries will find ways to infiltrate
networks in both Government and the private sector. In fiscal year
2016, the NCCIC received reports of 30,899 impactful incidents across
the eight attack vectors at Federal agencies, according to the FISMA
Annual Report to Congress. When an incident does occur, the NCCIC
offers assistance upon request to find the adversary, drive them out,
and restore service.
Conclusion
At all levels, the Federal Government continues to be targeted by a
wide range of malicious cyber actors attempting to gain access to
sensitive systems. We have made significant progress over the past
year: We have provided a baseline of CDM Phase 1 tools, we have
expanded the coverage of EINSTEIN 3A, we have expanded risk and
vulnerability assessments, we have operationalized the automated
indicator-sharing capability, and we have established a useful
architecture for coordinating the Federal Government's response to
significant cyber incidents. But there is more to be done. This
administration will make significant investments in cybersecurity. In
the recently-released budget blueprint, the President requested $1.5
billion for DHS to safeguard cyber space by protecting Federal networks
and critical infrastructure from an attack. Through a suite of advanced
cybersecurity tools and more assertive defense of Government networks,
NPPD would share more cybersecurity incident information with other
Federal agencies and the private sector, leading to faster responses to
cybersecurity attacks.
We must also ensure that DHS is appropriately organized to address
today's and tomorrow's cybersecurity threats, and we appreciate the
Chairman of the Committee's leadership in working to reauthorize the
Department. As the committee considers these issues, we are committed
to working with Congress to ensure that this effort is done in a way
that ensures a homeland that is more safe, secure, and resilient.
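The hub-and-spoke, minimize-then-fan-out flow that the prepared statement describes for AIS (an observer shares an indicator once, narrowly tailored to the threat, and every partner receives it), written out as an added illustration in Python. This is not DHS or AIS code and does not reproduce the AIS exchange format; the record fields, partner names, placeholder domain and sample addresses (documentation ranges standing in for public attacker addresses) are all constructed for the example.

```python
"""Added illustration of narrowly tailored indicator sharing (not DHS or AIS code).

An observing partner submits an internal event; the hub keeps only the fields
that characterize the threat, refuses indicators that would describe the
victim instead (internal addresses), suppresses re-sharing of indicators it
has already distributed, and fans the result out to every other partner.
Record fields and sample values are constructed; the real AIS exchange
format is not reproduced here.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Allow-list of fields a partner needs to defend against the threat.
SHAREABLE_FIELDS = ("observed_at", "attacker_ip", "attacker_domain",
                    "file_sha256", "technique")
# At least one of these must be present for the record to be an indicator.
IDENTIFYING_FIELDS = ("attacker_ip", "attacker_domain", "file_sha256")

# Addresses that describe the victim's own network, never a shareable attacker.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16")]                   # loopback, link-local


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def minimize(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Reduce an internal event to a shareable indicator, or None if unshareable.

    Fields not on the allow-list (user names, host names, internal IPs, and
    anything added to the internal schema later) are dropped by default.
    """
    ind = {k: event[k] for k in SHAREABLE_FIELDS if k in event}
    if "attacker_ip" in ind and is_internal(ind["attacker_ip"]):
        return None  # would describe victim topology; partners cannot act on it
    if not any(k in ind for k in IDENTIFYING_FIELDS):
        return None  # nothing for a partner to match on
    return ind


def indicator_key(ind: Dict[str, str]) -> Tuple[Tuple[str, str], ...]:
    """Identity of an indicator, used to avoid re-sharing the same one."""
    return tuple((k, ind[k]) for k in IDENTIFYING_FIELDS if k in ind)


class SharingHub:
    """Receives events from one partner and distributes indicators to the rest."""

    def __init__(self) -> None:
        self.inboxes: Dict[str, List[Dict[str, str]]] = {}
        self.seen: Set[Tuple[Tuple[str, str], ...]] = set()

    def subscribe(self, partner: str) -> None:
        self.inboxes.setdefault(partner, [])

    def submit(self, partner: str, event: Dict[str, str]) -> str:
        """Return 'shared', 'duplicate' or 'rejected' for the submitted event."""
        ind = minimize(event)
        if ind is None:
            return "rejected"
        key = indicator_key(ind)
        if key in self.seen:
            return "duplicate"
        self.seen.add(key)
        for name, inbox in self.inboxes.items():
            if name != partner:  # the observer already has it
                inbox.append(ind)
        return "shared"


# Constructed sample submissions. 203.0.113.0/24 is a documentation range
# standing in for a public attacker address; names and domains are placeholders.
SAMPLE_SUBMISSIONS = [
    ("agency-a", {"observed_at": "2017-03-01T10:15:00Z",
                  "attacker_ip": "203.0.113.45", "attacker_domain": "bad.example",
                  "technique": "credential phishing",
                  "victim_user": "jdoe", "victim_host": "ws-0417",
                  "internal_ip": "10.3.4.5"}),
    # Same attacker seen by a second partner: everyone already has it.
    ("agency-b", {"observed_at": "2017-03-01T11:02:00Z",
                  "attacker_ip": "203.0.113.45", "attacker_domain": "bad.example",
                  "victim_user": "asmith"}),
    # 'Attacker' is an internal address: this describes the submitter's own
    # network, not something other partners can block.
    ("vendor-c", {"observed_at": "2017-03-01T12:30:00Z",
                  "attacker_ip": "10.0.0.7", "victim_host": "db01"}),
]


def run_demo() -> Tuple[SharingHub, List[str]]:
    hub = SharingHub()
    for partner in ("agency-a", "agency-b", "vendor-c"):
        hub.subscribe(partner)
    results = [hub.submit(p, e) for p, e in SAMPLE_SUBMISSIONS]
    return hub, results


if __name__ == "__main__":
    hub, results = run_demo()
    print(results)                  # ['shared', 'duplicate', 'rejected']
    print(hub.inboxes["agency-b"])  # one indicator, no victim fields
```

The allow-list is the design choice worth noting: minimization is done by naming what may leave, not by stripping what is known to be sensitive, so a field added to the internal event schema later is withheld until someone decides it belongs in the shared set.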
Mr. Ratcliffe. Thank you, Ms. Manfra.
The Chair now recognizes Mr. Wilshusen for 5 minutes for
his opening statement.
STATEMENT OF GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION
SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE
Mr. Wilshusen. Chairman Ratcliffe, Ranking Member Richmond,
Ranking Member Thompson, and Members of the subcommittee, thank
you for the opportunity to discuss DHS's efforts to secure
Federal computer networks. As recent cyber attacks have
illustrated, the need for robust and effective cybersecurity
has never been greater.
Today, I will focus on two of the Department's programs:
The National Cybersecurity Protection System, also known as
EINSTEIN, which is an intrusion detection and prevention
system, and the Continuous Diagnostics and Mitigation Program.
But before I do, if I may, I would like to recognize
members of my team who were instrumental in developing my
statement and performing the work under PENIA. With me today is
Mike Gilmore and Kush Malhotra, who are with me today. In addition, Jeff Knott, Angela
Watson, Nancy Glover, and Scott Pettis also made significant
contributions to the work.
Mr. Chairman, as you know, several Federal laws establish
key Government-wide roles for DHS with securing Federal
information systems. Consistent with these laws, DHS is leading
the EINSTEIN and CDM programs to assist Federal agencies in
protecting their computer networks and systems. Our work has
highlighted the need for advances with these programs.
In January 2016, we reported that EINSTEIN was limited in
its ability to detect malicious network activity because it
could only match against known patterns of malicious data or
signatures.
It was unable to detect intrusions for which it did not
have a valid or enabled signature deployed because it did not
provide for anomaly-based intrusion detection capability. Such
a capability involves comparing current network activity
against pre-defined baselines of normal network behavior to
identify deviations which could indicate malicious activity.
EINSTEIN was also unable to detect exploits across all
types of network traffic because it was not monitoring or had
not deployed signatures related to certain types of network
traffic. As a result, it would not have detected known
malicious data embedded in such traffic.
In addition, DHS's process for notifying agencies of
detected malicious activity was not always effective, with
disagreement among DHS and the five agencies we reviewed about
the number of incident notifications sent and received and
their usefulness.
We made nine recommendations to DHS for expanding or
enhancing EINSTEIN's capabilities, including those for
detecting and preventing malicious traffic, notifying agencies
of potential incidents, and developing guidance for routing
network traffic through EINSTEIN's sensors. The Department
concurred with each of our recommendations and has stated that
it has taken or is taking actions to implement them.
The tools and services delivered through DHS's CDM program
are intended to provide agencies with the capability to
automate network monitoring, correlate and analyze security-
relevant information, and enhance risk-based decision making
at both the agency and Government-wide levels.
In May 2016, GAO reported that most of the 17 agencies we
surveyed responded that they were in the early stages of CDM
implementation. For example, 14 agencies reported that they had
deployed products to monitor or scan hardware and software
inventories, configuration settings, and common
vulnerabilities. But only two had completed installation of
dashboards at the agency or component level.
We believe that the use of tools and of capabilities
available under the CDM program, if effectively implemented by
agencies, can help them to identify and resolve cybersecurity
vulnerabilities in a prioritized and risk-based manner.
In conclusion, EINSTEIN and CDM offer the prospect of
important advances in the security over Federal systems.
Enhancing EINSTEIN's capabilities and greater adoption by
agencies will help DHS achieve the full benefit of the system.
An effective implementation of CDM functionality by Federal
agencies could better position them to protect their
information technology resources from evolving and pernicious
threats.
Chairman Ratcliffe, Ranking Member Richmond, and Ranking
Member Thompson, Members of the subcommittee, this concludes my
statement. I would be happy to answer your questions.
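The two detection gaps Mr. Wilshusen describes (a signature-only system cannot flag activity for which it holds no signature, and a sensor that does not inspect a traffic type misses known-bad activity carried in it), shown side by side as an added illustration in Python. This is not GAO, DHS or EINSTEIN code. The flow fields follow the sensor data listed in the testimony's table footnote (source and destination address, port, time, protocol) plus a byte count; the flow records, addresses (documentation ranges) and the known-bad list are constructed for the example, and the baseline is a simple per-host, per-port byte-count model chosen for clarity rather than any method DHS uses.

```python
"""Added illustration (not GAO, DHS or EINSTEIN code) of signature-only versus
baseline (anomaly) detection, and of the cost of not inspecting a traffic type.
Flow records, addresses and the known-bad list are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """A flow summary: the sensor fields the testimony lists, plus a byte count."""
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


# Constructed signature: destination addresses already known to be malicious.
KNOWN_BAD_DST: Set[str] = {"198.51.100.23"}

# Baseline: per (source host, destination port), mean and std dev of bytes per flow.
Baseline = Dict[Tuple[str, int], Tuple[float, float]]


def signature_hits(flow: Flow) -> List[str]:
    """Signature matching: only activity matching a known pattern is flagged."""
    if flow.dst in KNOWN_BAD_DST:
        return [f"dst {flow.dst} is on the known-bad list"]
    return []


def build_baseline(normal_flows: Iterable[Flow]) -> Baseline:
    """Learn 'normal' from flows seen during a clean period. Assumes several
    flows per (host, port); a single sample would give a std dev of 0."""
    groups: Dict[Tuple[str, int], List[int]] = defaultdict(list)
    for f in normal_flows:
        groups[(f.src, f.dport)].append(f.nbytes)
    return {k: (mean(v), pstdev(v)) for k, v in groups.items()}


def anomaly_hits(flow: Flow, baseline: Baseline, z: float = 3.0) -> List[str]:
    """Anomaly detection: flag deviations from the baseline, signature or not."""
    key = (flow.src, flow.dport)
    if key not in baseline:
        return [f"{flow.src} has no baseline for port {flow.dport}"]
    m, sd = baseline[key]
    if flow.nbytes > m + z * sd:
        return [f"{flow.nbytes} bytes vs baseline {m:.0f} +/- {sd:.0f}"]
    return []


def classify(flows: Iterable[Flow], baseline: Baseline,
             monitored_protos: Optional[Set[str]] = None) -> List[dict]:
    """Run both detectors over each flow the sensor actually inspects.

    monitored_protos=None means every protocol is inspected; a restricted set
    models a sensor that has not deployed coverage for some traffic types.
    """
    out = []
    for f in flows:
        inspected = monitored_protos is None or f.proto in monitored_protos
        out.append({
            "flow": f,
            "inspected": inspected,
            "signature": signature_hits(f) if inspected else [],
            "anomaly": anomaly_hits(f, baseline) if inspected else [],
        })
    return out


# Constructed clean-period traffic for one host: HTTPS flows of 2000-3800
# bytes and a few small DNS lookups.
NORMAL_FLOWS = [
    Flow(f"2017-03-01T09:{i:02d}:00Z", "10.1.1.5", "192.0.2.10", 443, "tcp", 2000 + 200 * i)
    for i in range(10)
] + [
    Flow(f"2017-03-01T09:{i:02d}:30Z", "10.1.1.5", "192.0.2.53", 53, "udp", b)
    for i, b in enumerate((80, 100, 120))
]

# Constructed test traffic, one flow per situation of interest.
TEST_FLOWS = [
    Flow("2017-03-02T10:00:00Z", "10.1.1.5", "198.51.100.23", 443, "tcp", 3000),      # known-bad dst, normal volume
    Flow("2017-03-02T10:05:00Z", "10.1.1.5", "203.0.113.77", 443, "tcp", 2_500_000),  # unknown dst, huge volume
    Flow("2017-03-02T10:10:00Z", "10.1.1.5", "203.0.113.77", 4444, "tcp", 3000),      # port never seen in baseline
    Flow("2017-03-02T10:15:00Z", "10.1.1.5", "192.0.2.10", 443, "tcp", 3100),         # ordinary traffic
    Flow("2017-03-02T10:20:00Z", "10.1.1.5", "198.51.100.23", 53, "udp", 90),         # known-bad dst over UDP
]


def run_demo(monitored_protos: Optional[Set[str]] = None) -> List[dict]:
    return classify(TEST_FLOWS, build_baseline(NORMAL_FLOWS), monitored_protos)


if __name__ == "__main__":
    for r in run_demo(monitored_protos={"tcp"}):
        f = r["flow"]
        print(f"{f.dst}:{f.dport}/{f.proto} inspected={r['inspected']} "
              f"signature={r['signature']} anomaly={r['anomaly']}")
```

Running it with `monitored_protos={"tcp"}` reproduces both findings: the second and third flows are caught only by the baseline comparison, since no signature exists for them, and the fifth flow, which would match a signature, is never examined because UDP is outside the sensor's coverage.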
[The prepared statement of Mr. Wilshusen follows:]
Prepared Statement of Gregory C. Wilshusen
March 28, 2017
Chairman Ratcliffe, Ranking Member Richmond, and Members of the
subcommittee: Thank you for the opportunity to appear before you to
discuss the Department of Homeland Security's (DHS) efforts to secure
Federal computer networks. As recent cyber attacks have illustrated,
the need for robust and effective cybersecurity has never been greater.
Today, I will provide an overview of our work related to efforts by
DHS to improve the cybersecurity posture of the Federal Government. In
particular, I will focus on two of the Department's initiatives: The
National Cybersecurity Protection System (NCPS), operationally known as
EINSTEIN, and the Continuous Diagnostics and Mitigation (CDM) program.
In developing this testimony, we relied on our previous reports \1\
as well as information provided by the Department on its actions in
response to our previous recommendations. A more detailed discussion of
the objectives, scope, and methodology for this work is included in
each of the reports that are cited throughout this statement.
---------------------------------------------------------------------------
\1\ GAO, Information Security: DHS Needs to Enhance Capabilities,
Improve Planning, and Support Greater Adoption of Its National
Cybersecurity Protection System, GAO-16-294 (Washington, DC: Jan. 28,
2016); Information Security: Agencies Need to Improve Controls over
Selected High-Impact Systems, GAO-16-501 (Washington, DC: May 18,
2016); Information Security: FDA Needs to Rectify Control Weaknesses
That Place Industry and Public Health Data at Risk, GAO-16-513
(Washington, DC: Aug. 30, 2016); Information Security: Opportunities
Exist for SEC to Improve Its Controls over Financial Systems and Data,
GAO-16-493 (Washington, DC: Apr. 28, 2016); Information Security: IRS
Needs to Further Improve Controls Over Financial and Taxpayer Data,
GAO-16-398 (Washington, DC: Mar. 28, 2016); Healthcare.gov: Actions
Needed to Enhance Information Security and Privacy Controls, GAO-16-265
(Washington, DC: Mar. 23, 2016); Federal Information Security: Agencies
Need to Correct Weaknesses and Fully Implement Security Programs, GAO-
15-714 (Washington, DC: Sept. 29, 2015); Information Security: FAA
Needs to Address Weaknesses in Air Traffic Control Systems, GAO-15-221
(Washington, DC: Jan. 29, 2015); and Information Security: VA Needs to
Address Identified Vulnerabilities, GAO-15-117 (Washington, DC: Nov.
13, 2014).
---------------------------------------------------------------------------
The work on which this statement is based was conducted in
accordance with generally accepted Government auditing standards. Those
standards require that we plan and perform audits to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives.
Background
Federal agencies are dependent on computerized (cyber) information
systems and electronic data to carry out operations and to process,
maintain, and report essential information. The security of these
systems and data is vital to public confidence and the Nation's safety,
prosperity, and well-being. Virtually all Federal operations are
supported by computer systems and electronic data, and agencies would
find it difficult, if not impossible, to carry out their missions and
account for their resources without these information assets. Hence,
ineffective security controls to protect these systems and data could
have a significant impact on a broad array of Government operations and
assets.
Computer networks and systems used by Federal agencies are often
riddled with security vulnerabilities--both known and unknown. These
systems are often interconnected with other internal and external
systems and networks, including the internet, thereby increasing the
number of avenues of attack and expanding their attack surface.
In addition, cyber threats to systems supporting the Federal
Government are evolving and becoming more sophisticated. These threats
come from a variety of sources and vary in terms of the types and
capabilities of the actors, their willingness to act, and their
motives. For example, foreign nations--where adversaries possess
sophisticated levels of expertise and significant resources to pursue
their objectives--pose increasing risks.
Safeguarding Federal computer systems has been a long-standing
concern. This year marks the 20th anniversary of when GAO first
designated information security as a Government-wide high-risk area in
1997.\2\ We expanded this high-risk area to include safeguarding the
systems supporting our Nation's critical infrastructure in 2003 and
protecting the privacy of personally identifiable information in
2015.\3\
---------------------------------------------------------------------------
\2\ GAO designates agencies and program areas as high-risk due to
their vulnerability to fraud, waste, abuse, and mismanagement, or when
they are most in need of transformation.
\3\ See GAO, High-Risk Series: Progress on Many High-Risk Areas,
While Substantial Efforts Needed on Others, GAO-17-317 (Washington, DC:
Feb. 15, 2017).
---------------------------------------------------------------------------
Over the last several years, GAO has made about 2,500
recommendations to agencies aimed at improving the security of Federal
systems and information. These recommendations identified actions for
agencies to take to strengthen their information security programs and
technical controls over their computer networks and systems. Many
agencies continue to be challenged in safeguarding their information
systems and information, in part because many of these recommendations
have not been implemented. As of February 2017, about 1,000 of our
information security-related recommendations had not been implemented.
Our audits of the effectiveness of information security programs
and controls at Federal agencies have consistently shown that agencies
are challenged in securing their information systems and information.
In particular, agencies have been challenged in the following
activities:
Enhancing capabilities to effectively identify cyber threats
to agency systems and information.--A key activity for
assessing cybersecurity risk and selecting appropriate
mitigating controls is the identification of cyber threats to
computer networks, systems, and information. In 2016, we
reported on several factors that agencies identified as
impairing their ability to identify these threats to a great or
moderate extent. The impairments included an inability to
recruit and retain personnel with the appropriate skills,
rapidly-changing threats, continuous changes in technology, and
a lack of Government-wide information-sharing mechanisms.\4\ We
believe that addressing these impairments will enhance the
ability of agencies to identify the threats to their systems
and information and be in a better position to select and
implement appropriate countermeasures.
---------------------------------------------------------------------------
\4\ GAO, Information Security: Agencies Need to Improve Controls
Over Selected High-Impact Systems, GAO-16-501 (Washington, DC: May 18,
2016).
---------------------------------------------------------------------------
Implementing sustainable processes for securely configuring
operating systems, applications, workstations, servers, and
network devices.--In our reports, we routinely determine that
agencies do not enable key information security capabilities of
their operating systems, applications, workstations, servers,
and network devices. Agencies were not always aware of the
insecure settings that introduced risk to the computing
environment. We believe that establishing strong configuration
standards and implementing sustainable processes for monitoring
and enabling configuration settings will strengthen the
security posture of Federal agencies.
Patching vulnerable systems and replacing unsupported
software.--Federal agencies we have reviewed consistently fail
to apply critical security patches on their systems in a timely
manner, sometimes doing so years after the patch becomes
available. We have consistently identified instances where
agencies use software that is no longer supported by their
vendors. These shortcomings place agency systems and
information at significant risk of compromise, since many
successful cyber attacks exploit known vulnerabilities
associated with software products. We believe that using
vendor-supported and patched software will help to reduce this
risk.
Developing comprehensive security test and evaluation
procedures and conducting examinations on a regular and
recurring basis.--Federal agencies we have reviewed often do
not test or evaluate their information security controls in a
comprehensive manner. The agency evaluations we reviewed were
sometimes based on interviews and document reviews (rather than
in-depth security evaluations), were limited in scope, and did
not identify many of the security vulnerabilities that our
examinations identified. We believe that conducting in-depth
security evaluations that examine the effectiveness of security
processes and technical controls is essential for effectively
identifying system vulnerabilities that place agency systems
and information at risk.
Federal Laws Provide a Framework for Securing Agencies' Information and
Systems
The Federal Information Security Modernization Act of 2014
(FISMA)\5\ provides a comprehensive framework for ensuring the
effectiveness of information security controls over information
resources that support Federal operations and assets and for ensuring
the effective oversight of information security risks, including those
throughout civilian, National security, and law enforcement agencies.
The law requires each agency to develop, document, and implement an
agency-wide information security program to provide risk-based
protections for the information and information systems that support
the operations and assets of the agency.
---------------------------------------------------------------------------
\5\ The Federal Information Security Modernization Act of 2014
(FISMA 2014) (Pub. L. No. 113-283, Dec. 18, 2014) largely superseded
the Federal Information Security Management Act of 2002 (FISMA 2002),
enacted as Title III of the E-Government Act of 2002 (Pub. L. No. 107-
347, Dec. 17, 2002). As used here, FISMA refers both to FISMA 2014 and
those provisions of FISMA 2002 that were either incorporated into FISMA
2014 or were unchanged and continue in full force and effect.
---------------------------------------------------------------------------
FISMA also establishes key Government-wide roles for DHS.
Specifically, with certain exceptions, DHS is to administer the
implementation of agency information security policies and practices
for information systems including:
monitoring agency implementation of information security
policies and practices;
providing operational and technical guidance to agencies;
operating a central Federal information security incident
center; and
deploying technology upon request to assist the agency to
continuously diagnose and mitigate cyber threats and
vulnerabilities.
In addition, the Cybersecurity Act of 2015 requires DHS to deploy,
operate, and maintain for use by any Federal agency, a capability to:
(1) Detect cybersecurity risks in network traffic transiting to or from
agency information systems and (2) prevent network traffic with such
risks from traveling to or from an agency information system or modify
the traffic to remove the cybersecurity risk.\6\
---------------------------------------------------------------------------
\6\ Div. N, sec. 223, Pub. L. No. 114-113 (Dec. 18, 2015); 129
Stat. 2935, 2964; 6 U.S.C. Sec. 151.
---------------------------------------------------------------------------
Advancing DHS Initiatives Could Improve the Cybersecurity Posture of the Federal Government
In implementing Federal law for securing agencies' information and
systems, DHS is spearheading several initiatives to assist Federal
agencies in protecting their computer networks and electronic
information. These include NCPS, CDM, and other services. However, our
work has highlighted the need for advances within these initiatives.
NCPS Capabilities and Adoption Could Be Improved
Operated by DHS's United States Computer Emergency Readiness Team
(US-CERT),\7\ NCPS is intended to detect and prevent cyber intrusions
into agency networks, analyze network data for trends and anomalous
data, and share information with agencies on cyber threats and
incidents. Deployed in stages, NCPS, operationally known as EINSTEIN,
has provided increasing capabilities to detect and prevent potential
cyber attacks involving the network traffic entering or exiting the
networks of participating Federal agencies. Table 1 provides an
overview of the EINSTEIN deployment stages to date.
---------------------------------------------------------------------------
\7\ Within DHS, US-CERT is a component of the National
Cybersecurity and Communications Integration Center. It serves as the
central Federal information security incident center specified by
FISMA.
TABLE 1.--OVERVIEW OF THE NATIONAL CYBERSECURITY PROTECTION SYSTEM (NCPS) DEPLOYMENT
----------------------------------------------------------------------------------------------------------------
Operational Name | Deployment Year | NCPS Objective | Description
----------------------------------------------------------------------------------------------------------------
EINSTEIN 1 | 2003 | Intrusion detection | Provides an automated process for collecting, correlating, and analyzing agencies' computer network traffic information from sensors installed at their internet connections.\1\
EINSTEIN 2 | 2009 | Intrusion detection | Monitors Federal agency internet connections for specific predefined signatures of known malicious activity and alerts US-CERT when specific network activity matching the predetermined signatures is detected.\2\
EINSTEIN 3 Accelerated | 2013 | Intrusion detection; intrusion prevention | Automatically blocks malicious traffic from entering or leaving Federal civilian agency networks. This capability is managed by internet service providers, who administer intrusion prevention and threat-based decision making using DHS-developed indicators of malicious cyber activity to develop signatures.\3\
----------------------------------------------------------------------------------------------------------------
Source: GAO analysis of Department of Homeland Security data. GAO-17-518T
\1\ The network traffic information includes source and destination internet protocol addresses used in the
communication, source and destination ports, the time the communication occurred, and the protocol used to
communicate.
\2\ Signatures are recognizable, distinguishing patterns associated with cyber attacks, such as a binary string
associated with a computer virus or a particular set of keystrokes used to gain unauthorized access to a
system.
\3\ An indicator is defined by DHS as human-readable cyber data used to identify some form of malicious cyber
activity. These data may be related to internet protocol addresses, domains, e-mail headers, files, and
character strings. Indicators can be either Classified or Unclassified.
The overarching objectives of NCPS are to provide functionality
that supports intrusion detection, intrusion prevention, analytics, and
information sharing.\8\ However, in January 2016, we reported that NCPS
had partially, but not fully, met these objectives:\9\
---------------------------------------------------------------------------
\8\ The National Institute of Standards and Technology (NIST)
describes intrusion detection as the process of monitoring the events
occurring in a computer system or network and analyzing them for signs
of intrusions, defined as attempts to bypass the security mechanisms of
a computer or network or to compromise the confidentiality, integrity,
and availability of the information they contain. Intrusion prevention
is the process of performing intrusion detection and attempting to stop
detected possible incidents. Analytics is the synthesis of knowledge
from the collection, preparation, and analysis of data. Information
sharing is the process of exchanging of cyber threat and incident data.
\9\ GAO-16-294.
---------------------------------------------------------------------------
Intrusion detection.--NCPS provided DHS with a limited
ability to detect potentially malicious activity entering and
exiting computer networks at Federal agencies. Specifically,
NCPS compared network traffic to known patterns of malicious
data, or ``signatures,'' but did not detect deviations from
pre-defined baselines of normal network behavior. In addition,
NCPS did not monitor several types of network traffic and
therefore would not have detected malicious traffic embedded in
such traffic. NCPS also did not examine traffic for certain
common vulnerabilities and exposures that cyber threat
adversaries could have attempted to exploit during intrusion
attempts.
Intrusion prevention.--The capability of NCPS to prevent
intrusions was limited to the types of network traffic it
monitored. For example, the intrusion prevention function
monitored and blocked e-mail determined to be malicious.
However, it did not monitor malicious content within web
traffic, although DHS planned to deliver this capability in
2016.
Analytics.--NCPS supported a variety of data analytical
tools, including a centralized platform for aggregating data
and a capability for analyzing the characteristics of malicious
code. However, DHS had not developed planned capabilities to
facilitate near real-time analysis of various data streams,
perform advanced malware behavioral analysis, and conduct
forensic analysis in a more collaborative way. DHS planned to
develop and implement these enhancements through 2018.
Information sharing.--DHS had yet to develop most of the
planned functionality for NCPS's information-sharing
capability, and requirements had only recently been approved at
the time of our review. Agencies and DHS also did not always
agree about whether notifications of potentially malicious
activity had been sent or received, and agencies had mixed
views about the usefulness of these notifications. Further, DHS
did not always solicit--and agencies did not always provide--
feedback on them.
In addition, while DHS had developed metrics for measuring the
performance of NCPS, the metrics did not gauge the quality, accuracy,
or effectiveness of the system's intrusion detection and prevention
capabilities. As a result, DHS was unable to describe the value
provided by NCPS.
To enhance the functionality of NCPS, we made six recommendations
to DHS, which if implemented, could help the agency to expand the
capability of NCPS to detect cyber intrusions, notify customers of
potential incidents, and track the quality, efficiency, and accuracy of
supporting actions related to detecting and preventing intrusions,
providing analytic services, and sharing cyber-related information. DHS
concurred with the recommendations. In February 2017 when we followed
up on the status of the recommendations, DHS officials stated that they
have implemented 2 of the recommendations and initiated actions to
address the other 4 recommendations. We are in the process of
evaluating DHS's actions for the two implemented recommendations.
In January 2016, we also reported that Federal agencies had adopted
NCPS to varying degrees. Specifically, the 23 civilian agencies covered
by the Chief Financial Officers (CFO) Act\10\ that were required to
implement the intrusion detection capabilities had routed some traffic
to NCPS intrusion detection sensors. However, as of January 2016, only
5 of the 23 agencies were receiving intrusion prevention services, due
to certain policy and implementation challenges. For example, officials
stated that the ability to meet DHS security requirements to use the
intrusion prevention capabilities varied from agency to agency.
Further, agencies had not taken all the technical steps needed to
implement the system, such as ensuring that all network traffic was
being routed through NCPS sensors. This occurred in part because DHS
had not provided network routing guidance to agencies. As a result, it
had limited assurance regarding the effectiveness of the system.
---------------------------------------------------------------------------
\10\ 31 U.S.C. 901(b).
---------------------------------------------------------------------------
We recommended that DHS work with Federal agencies and the internet
service providers to document secure routing requirements in order to
better ensure the complete, safe, and effective routing of information
to NCPS sensors. DHS concurred with the recommendation. When we
followed up with DHS on the status of the recommendations, DHS
officials said that nearly all of the agencies covered by the CFO Act
are receiving at least one of the intrusion prevention services, as of
March 2017. Further, the officials stated that DHS has collaborated
with the Office of Management and Budget (OMB) to develop new guidance
for agencies on perimeter security capabilities as well as alternative
routing strategies. We will evaluate the network routing guidance when
DHS finalizes and implements it.
Effective Implementation of the CDM Program Could Improve Information
Security at Agencies
The CDM program provides Federal agencies with tools and services
that are intended to provide them with the capability to automate
network monitoring, correlate and analyze security-related information,
and enhance risk-based decision making at agency and Government-wide
levels. These tools include sensors that perform automated scans or
searches for known cyber vulnerabilities, the results of which can feed
into a dashboard that alerts network managers and enables the agency to
allocate resources based on the risk.
DHS, in partnership with and through the General Services
Administration, established a Government-wide acquisition vehicle for
acquiring continuous diagnostics and mitigation capabilities and tools.
The CDM blanket purchase agreement is available to Federal, State,
local, and Tribal government entities for acquiring these capabilities.
There are three phases of CDM implementation:
Phase 1.--This phase involves deploying products to automate
hardware and software asset management, configuration settings, and
common vulnerability management capabilities. According to the
Cybersecurity Strategy and Implementation Plan, DHS purchased Phase 1
tools and integration services for all participating agencies in fiscal
year 2015.
Phase 2.--This phase intends to address privilege management and
infrastructure integrity by allowing agencies to monitor users on their
networks and to detect whether users are engaging in unauthorized
activity. According to the Cybersecurity Strategy and Implementation
Plan, DHS was to provide agencies with additional Phase 2 capabilities
throughout fiscal year 2016, with the full suite of CDM phase 2
capabilities delivered by the end of that fiscal year.
Phase 3.--According to DHS, this phase is intended to address
boundary protection and event management for managing the security life
cycle. It focuses on detecting unusual activity inside agency networks
and alerting security personnel. The agency planned to provide 97
percent of Federal agencies the services they need for CDM Phase 3 in
fiscal year 2017.
As we reported in May 2016,\11\ most of the 18 agencies covered by
the CFO Act that had high-impact systems \12\ were in the early stages
of CDM implementation. All 17 of the civilian agencies \13\ that we
surveyed indicated they had developed their own strategy for
information security continuous monitoring. Additionally, according to
survey responses, 14 of the 17 had deployed products to automate
hardware and software asset configuration settings and common
vulnerability management. Further, more than half of the agencies noted
that they had leveraged products/tools provided through the General
Services Administration's acquisition vehicle. However, only 2 of the
17 agencies reported that they had completed installation of agency and
bureau/component-level dashboards and monitored attributes of
authorized users operating in their agency's computing environment.
Agencies also noted that expediting the implementation of CDM phases
could be of benefit to them in further protecting their high-impact
systems.
---------------------------------------------------------------------------
\11\ GAO, Information Security: Agencies Need to Improve Controls
Over Selected High-Impact Systems, GAO-16-501 (Washington, DC: May 18,
2016). We surveyed the 18 agencies covered by the Chief Financial
Officers (CFO) Act that reported having high-impact systems on a
variety of information security-related issues including their
implementation of Government-wide security initiatives such as the CDM
program.
\12\ High-impact systems are those where the loss of the
confidentiality, integrity, or availability of the information or
information system could be expected to have a severe or catastrophic
adverse effect on an organization's operations, assets, or personnel. For
example, it might cause the organization to be unable to perform one or
more of its primary functions or result in a major financial loss. Of
the 24 CFO Act agencies, 18 reported having high-impact systems at the
time of our review.
\13\ The Department of Defense, one of the 18 agencies with high-
impact systems, is not required to participate in the CDM program.
---------------------------------------------------------------------------
The effective implementation of the CDM tools and capabilities can
assist agencies in overcoming the challenges we have identified that
they face when securing their information systems and information. As
noted earlier, our audits often identify insecure configurations,
unpatched or unsupported software, and other vulnerabilities in agency
systems. We believe that the tools and capabilities available under the
CDM program, when effectively used by agencies, can help them to
diagnose and mitigate vulnerabilities to their systems. By continuing
to make these tools and capabilities available to Federal agencies, DHS
can also have additional assurance that agencies are better-positioned
to protect their information systems and information.
Other DHS Services Are Available to Help Protect Systems, but Are Not
Always Used by Agencies
DHS provides other services that could help agencies protect their
information systems. Such services include, but are not limited to:
US-CERT monthly operational bulletins are intended to
provide senior Federal Government information security
officials and staff with actionable information to improve
their organization's cybersecurity posture based on incidents
observed, reported, or acted on by DHS and US-CERT.
CyberStat reviews are in-depth sessions with National
Security Staff, OMB, DHS, and an agency to discuss that
agency's cybersecurity posture and opportunities for
collaboration. According to OMB, these interviews are face-to-
face, evidence-based meetings intended to ensure agencies are
accountable for their cybersecurity posture. The sessions are
to assist the agencies in developing focused strategies for
improving their information security posture in areas where
there are challenges.
DHS Red and Blue Team exercises are intended to provide
services to agencies for testing their systems with regard to
potential attacks. A Red Team emulates a potential adversary's
attack or exploitation capabilities against an agency's
cybersecurity posture. The Blue Team defends an agency's
information systems when the Red Team attacks, typically as
part of an operational exercise conducted according to rules
established and monitored by a neutral group.
In May 2016, we reported that although participation varied among
the 18 agencies we surveyed, most of those that chose to participate
generally found these services to be useful in aiding the cybersecurity
protection of their high-impact systems.\14\ Specifically,
---------------------------------------------------------------------------
\14\ See GAO-16-501.
---------------------------------------------------------------------------
15 of 18 agencies participated in US-CERT monthly
operational bulletins, and most found the service very or
somewhat useful.
All 18 agencies participated in the CyberStat reviews, and
most found the service very or somewhat useful.
9 of 18 agencies participated in DHS's Red/Blue team
exercises, and most found the exercises to be very or somewhat
useful.
Half of the agencies in our survey reported that they wanted an
expansion of Federal initiatives and services to help protect their
high-impact systems. For example, agencies noted that expediting the
implementation of CDM phases, sharing threat intelligence information,
and sharing attack vectors, could be of benefit to them in further
protecting their high-impact systems. We believe that by continuing to
make these services available to agencies, DHS will be better able to
assist agencies in strengthening the security of their information
systems.
In conclusion, DHS is leading several programs that can benefit
Federal efforts to secure agency information systems and information.
Two such programs, NCPS and CDM, offer the prospect of important
advances in the security over Federal systems. Enhancing NCPS's
capabilities and greater adoption by agencies will help DHS achieve the
full benefit of the system. Effective implementation of CDM
functionality by Federal agencies could better position them to protect
their information technology resources from evolving and pernicious
threats.
Chairman Ratcliffe, Ranking Member Richmond, and Members of the
subcommittee, this concludes my statement. I would be happy to respond
to your questions.
Mr. Ratcliffe. Thank you, Mr. Wilshusen, and thanks to your
team members for their work, as you recognized.
The Chair now recognizes Mr. Jaikaran--did I say that
right--for 5 minutes for his opening statement.
STATEMENT OF CHRIS A. JAIKARAN, ANALYST, CYBERSECURITY POLICY,
CONGRESSIONAL RESEARCH SERVICE, LIBRARY OF CONGRESS
Mr. Jaikaran. Chairman Ratcliffe, Ranking Member Richmond,
Ranking Member Thompson, and Members of the committee, thank
you for the opportunity to testify on the current state of
DHS's efforts to secure Federal networks. My name is Chris
Jaikaran, and I am an analyst in cybersecurity policy at the
Congressional Research Service.
In this role, I research and analyze cybersecurity issues
and their policy implications. I have provided a written
statement and will summarize that testimony with some brief
remarks.
My testimony today will address the legislation that
Congress recently passed, the roles and responsibilities
assigned by those pieces of legislation, and the policy
outcomes from those pieces of legislation.
During the 113th and 114th Congresses, three pieces of
legislation were enacted to change how Federal network security
is managed: The Federal Information Security Modernization Act
of 2014, or FISMA, the National Cybersecurity Protection Act of
2014, and the Cybersecurity Act of 2015.
My written testimony briefly summarizes the effect of this
group of legislation on Federal network security without
addressing other cybersecurity concerns, such as the effects on
the private sector.
To take an organizational view, these laws establish
certain roles and responsibilities among Federal entities for
the security of the dot-gov domain. It may be helpful to think
of OMB as the strategic, DHS as the operational, and individual
agencies as the tactical.
OMB, exercising its oversight of agency budgets, oversees
agency adoption of cybersecurity practices and ensures that
agencies adopt a cybersecurity posture commensurate to their
risk.
DHS oversees agency adoption of cybersecurity programs,
provides tools to protect agency networks, and coordinates
Government-wide efforts on Federal cybersecurity.
Individual agencies ensure that risks are effectively
managed in their own agency, with cybersecurity being one such
risk. In accordance with provisions in FISMA as amended, agency
heads shall ensure that the responsibility for cybersecurity is
delegated to a senior official, frequently a chief information
security officer.
The 113th Congress marked a shift in legislative policy
concerning Federal cybersecurity. Prior to the 113th Congress,
cybersecurity risks were one of many risks that an agency head
was statutorily required to manage. In managing these
cybersecurity risks, their collective risk management equated
to the security of the dot-gov domain.
DHS, OMB, and NIST provided programs, information, tools,
and guidance to assist agencies in managing that risk, to
include FISMA guidance and EINSTEIN. However, it was incumbent
upon the agency head to accept those tools and implement that
guidance.
With the legislation enacted in the 113th and 114th
Congresses, Congress further updated the law to reflect that
risk exists not just at the agency level, but across the entire
Federal Government.
Federal agencies face risk, not just for the information
that agency possesses or the work that agency performs, but
because that agency is an element of the Federal Government
itself.
The clarification of DHS's role in mitigating risk to all
Federal civilian agencies is the operationalization of that
change.
By consolidating these responsibilities at DHS, the intent
is for DHS to monitor risk to the dot-gov domain and to take
action to mitigate that risk, to detect malicious activity at
one agency and prevent or mitigate that activity at another
agency before it can become disruptive, a sort-of herd
protection for civilian agencies.
This construct is also intended to free up agency resources
to focus on mitigating the unique cybersecurity risks against
agency networks and against agency information technology
systems. This distinction between Federal enterprise and the
agencies' enterprise appears to be continuing in the new
administration.
Early indications from the administration officials signal
that the position of the administration is to manage risks to
the Federal enterprise as a single entity, rather than as
distributed risk across all agencies.
Shifting some additional cybersecurity actions from
individual agencies to a single entity responsible for the
security of all agencies is intended to allow those agencies to
focus their resources on executing their respective missions.
Binding operational directives are an example of the policy
shift enacted with this group of legislation. These directives
are issued by DHS and require an agency to take some action in
order to protect the agency's information technology.
This is a unique relationship, wherein one cabinet-level
agency can direct another to take action. In this case, expend
the agency's resources for the purposes of managing risk to
that agency or the Federal Government, but not risk to DHS.
This concludes my brief remarks. Thank you for the
opportunity to testify, and I look forward to your questions.
[The prepared statement of Mr. Jaikaran follows:]
Prepared Statement of Chris Jaikaran
March 28, 2017
introduction
Chairman Ratcliffe, Ranking Member Richmond, and Members of the
committee, thank you for the opportunity to testify on the current
state of efforts by the Department of Homeland Security (DHS) to secure
Federal networks. My name is Chris Jaikaran and I am an analyst in
Cybersecurity Policy at the Congressional Research Service. In this
role, I research and analyze cybersecurity issues and their policy
implications.
My testimony today will address legislation recently passed by
Congress, the roles and responsibilities assigned by those pieces of
legislation, and the potential impact of that legislation on Federal
network security.
legislation
During the 113th and the 114th Congresses, three pieces of
legislation were enacted that changed how Federal network security is
managed. The testimony below briefly summarizes the effect of the
legislation on Federal network security without addressing other
cybersecurity concerns, such as effects on the private sector.
Federal Information Security Modernization Act of 2014
The Federal Information Security Modernization Act of 2014 (FISMA)
was enacted during the 113th Congress and codified the existing role
the Department of Homeland Security (DHS) was already performing in
securing Federal networks.\1\ FISMA authorized DHS to assist OMB in
developing and implementing agency information security programs,
coordinating with agencies on cybersecurity, and providing assistance
to agencies in achieving cybersecurity. The law also authorized DHS to
issue binding operational directives, which are discussed later in this
statement.
---------------------------------------------------------------------------
\1\ Pub. L. 113-283.
---------------------------------------------------------------------------
OMB is required to submit an annual report to Congress on the
performance of agencies in implementing FISMA. The report for fiscal
year 2016 was released on March 10, 2017, and like previous reports, is
available to the public on-line. Agencies are also required to report to
their appropriate committees on their FISMA performance, but those
reports are not made publicly available.
National Cybersecurity Protection Act
The National Cybersecurity Protection Act of 2014 (NCPA)
statutorily authorized the National Cybersecurity and Communications
Integration Center (NCCIC) within DHS.\2\ Enacted during the 113th
Congress, this law established the NCCIC as the interface between the
civilian Federal Government and non-Federal entities for information
sharing, risk analysis, and mitigation strategies related to
cybersecurity. The law also permits DHS to provide technical assistance
to both Federal and non-Federal entities to support risk management and
incident response, conditional upon the request of that entity.
---------------------------------------------------------------------------
\2\ Pub. L. 113-282.
---------------------------------------------------------------------------
Cybersecurity Act of 2015
The Consolidated Appropriations Act of 2015 was the vehicle for the
Cybersecurity Act of 2015. Enacted by the 114th Congress, this law
contains four separate titles, the first of which is the Cybersecurity
Information Sharing Act (or CISA).\3\
---------------------------------------------------------------------------
\3\ Pub. L. 114-113.
---------------------------------------------------------------------------
CISA authorized an information-sharing program whereby
cybersecurity threat information can be quickly, readily, and
voluntarily shared among the private sector, between the private sector
and the Federal Government, and among Federal Government agencies. CISA
included provisions for the minimization of personally identifiable
information, prohibitions on the Government use of that data,
protections for the private sector from anti-trust concerns, and
liability protections for sharing information. The law also authorized
the application of defensive measures to mitigate known threats or
security vulnerabilities on any network that the applying entity owns,
or for which it has the network owner's consent to take those measures.
The second title is on National Cybersecurity Advancement. This
part of the law provided authority for the NCCIC to manage the
information-sharing program authorized by Title I. Title II also
provided authority to DHS to provide, with or without reimbursement,
the ability to detect and block threats coming from the public internet
to agency networks. This capability is known in the cybersecurity
community as intrusion detection systems and intrusion prevention
systems, and as the National Cybersecurity Protection System (NCPS) or
EINSTEIN (the name of the program DHS runs to deliver this capability).
Title II also authorized DHS to develop and deploy tools to agencies
which would continuously monitor the network activity of agencies'
internal networks in order to detect risks and recommend mitigation
activities. This is known as the Continuous Diagnostics and Mitigation
program at DHS.
Title III, or the Federal Cybersecurity Workforce Assessment Act of
2015, requires Federal agencies to identify the cybersecurity workforce
roles of greatest need to the Department and report to Congress on the
progress of implementation.
Title IV contains miscellaneous cybersecurity requirements,
including a study from DHS on the risks facing first responder
networks.
roles and responsibilities
To take an organizational view, these laws established certain
roles and responsibilities among Federal entities for the security of
the .gov domain. It may be helpful to think of OMB as the
``strategic,'' DHS as the ``operational,'' and individual agencies as
the ``tactical,'' with roles for NIST and agency Inspectors General, as
well.
OMB, exercising its oversight of agency budgets, is responsible for
overseeing agency adoption of cybersecurity practices and guiding
agencies to have a cybersecurity posture commensurate to their risk.
Through their budgetary authority, OMB enforces the adoption of
cybersecurity practices by directing the expenditure of funds for this
purpose. OMB may also install new senior officials to oversee
mismanaged cybersecurity programs, but CRS was unable to find an
instance of OMB exercising that authority.\4\
---------------------------------------------------------------------------
\4\ 40 U.S.C. Sec. 11303.
---------------------------------------------------------------------------
DHS oversees agency adoption of cybersecurity programs, provides
tools to protect agency networks, and coordinates Government-wide
efforts on Federal cybersecurity.
Ultimately, however, agency heads are responsible for ensuring that
risks are effectively managed in their own agencies, with cybersecurity
being one such risk (financial and operational risk are among the
others). In accordance with FISMA (Pub. L. 113-283), agency heads shall
ensure the responsibility for cybersecurity is delegated to a senior
official, frequently a chief information security officer.\5\
---------------------------------------------------------------------------
\5\ 44 U.S.C. Sec. 3554(a)(3)(A).
---------------------------------------------------------------------------
NIST develops standards (i.e., the Federal Information Processing
Standards) and guidance (i.e., Special Publications) to inform agencies
of security practices to adopt.\6\
---------------------------------------------------------------------------
\6\ NIST, ``FIPS Publications,'' website, October 16, 2015, at
http://csrc.nist.gov/publications/PubsFIPS.html. And NIST, ``Special
Publications,'' website, April 8, 2016, at
http://csrc.nist.gov/publications/PubsSPs.html.
---------------------------------------------------------------------------
Inspectors General annually evaluate their agency's cybersecurity
programs and provide recommendations on improving their agency's
cybersecurity posture.
policy outcomes
Prior to the 113th Congress, cybersecurity risks were one of many
risks that an agency head was responsible for managing, along with
fiscal risk and operational risk. In managing cybersecurity risk,
agencies had a responsibility to manage risk effectively, and through
their collective risk management the security of the .gov domain was
obtained. DHS, OMB, and NIST provided programs, information, tools, and
guidance to assist agencies in managing that risk, to include EINSTEIN
and FISMA guidance.\7\ However, it was incumbent upon the agency to
accept those tools and implement that guidance.
---------------------------------------------------------------------------
\7\ The e-Government Act of 2002 (Pub. L. 107-347) requires OMB to
develop and issue guidance on implementing information technology
security, and the Comprehensive National Cybersecurity Initiative
(https://obamawhitehouse.archives.gov/issues/foreign-policy/cybersecurity/national-initiative)
directed DHS to develop and deploy EINSTEIN to agencies.
---------------------------------------------------------------------------
With the passage of the aforementioned laws enacted in the 113th
and 114th Congress, including the Cybersecurity Act of 2014, Congress
updated law to reflect that risk exists not just at the agency level,
but across the entire Federal Government. Federal agencies face
cybersecurity risks not just for the information that individual
agencies possess. Agencies also face inherent cybersecurity risks
because they exist as part of the Federal Government, regardless of the
work of that particular agency.
The Congress statutorily affirmed the role of DHS in mitigating
risk to all Federal civilian agencies, reflecting the interdependent
and inherent shared cyber risks agencies face. Rather than distribute
risk mitigation across agency heads as their responsibility, DHS was
granted authority to monitor cybersecurity risk for the .gov domain,
provide tools to mitigate that risk, and assist agencies in doing so.
With these authorities, DHS provides defense of agency networks at the
transition point from the public internet to the agency's networks with
EINSTEIN, which improves network security.\8\ DHS also provides
advanced vulnerability management with CDM.\9\ These tools are designed
not only to strengthen security of agencies where they are deployed,
but also to the Federal enterprise by allowing DHS visibility to
network activity across all Federal agencies. This is intended to allow
DHS to notice malicious activity at one agency and the opportunity to
mitigate that activity at another agency before it becomes disruptive,
a form of herd protection for civilian agencies. Additionally, by
consolidating these responsibilities at DHS, DHS is arguably able to
monitor risk to the .gov domain and take action to mitigate that risk,
freeing up agency resources to focus their risk at the agency level
(i.e., the agency network, agency computers, and data).
---------------------------------------------------------------------------
\8\ https://www.dhs.gov/einstein.
\9\ https://www.dhs.gov/cdm.
---------------------------------------------------------------------------
The distinction between the Federal enterprise and the agency's
enterprise appears to be continuing under the new administration. The
President's ``Budget in Brief'' requests $1.5 billion for DHS's
cybersecurity mission (to be split between their .gov and private
sector security operations, but explicitly supporting a ``more assertive
defense of Government networks'').\10\ Early indications from the
administration officials signal that the position of the administration
is to manage risks to the Federal enterprise as a single entity.\11\
Through this strategy, the administration seeks to alleviate agency
heads from having to further divide limited agency resources between
mission operations and mission support, with the potential detriment to
spending on the agency's cybersecurity. By shifting some additional
cybersecurity actions from individual agencies to a single entity
responsible for the security of all agencies the intent is to allow
agencies to focus their resources on executing against the agency's
mission.
---------------------------------------------------------------------------
\10\ OMB, ``America First: A Budget Blueprint to Make America Great
Again,'' budget report, 2017, at
https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/budget/fy2018/2018_blueprint.pdf.
\11\ Tom Bossert, ``Cyber Disrupt 2017,'' remarks via video, March
15, 2017, at https://www.csis.org/events/cyber-disrupt-2017.
---------------------------------------------------------------------------
Binding operational directives (BODs) are an example of the policy
shift enacted with this group of legislation. These directives are
compulsory direction to an agency from DHS to take specific action in
order to protect the agency's information technology.\12\ This is a
unique relationship wherein one cabinet agency can direct another to
take action--in this case, expend that agency's resources--for the
purposes of managing risk to that agency, not risk to DHS. DHS is under
no obligation to notify the public or Congress on the issuance of a BOD
or its contents.
---------------------------------------------------------------------------
\12\ 44 U.S.C. Sec. 3553.
---------------------------------------------------------------------------
Mr. Ratcliffe. Thank you, Mr. Jaikaran.
I now recognize myself for 5 minutes for questions.
Ms. Manfra, I want to start with you. As we have heard
today, there have been a number of critiques of DHS's NCPS, or
its principal component, EINSTEIN and CDM and their
capabilities over the last few years. So some of those
critiques relate to the holistic effectiveness of the
capabilities, with respect to a cyber defense system and the
lack of integration.
We have heard some concerns about the programs' limited
ability to rapidly detect and disrupt breaches and specifically
EINSTEIN 3A, signatures being limited and not being able to
prevent some of the most advanced persistent threats.
So what is your response to that? How do you address that?
What is DHS's mitigation, to the extent you think those are
valid? I will give Mr. Wilshusen and Mr. Jaikaran a chance to
weigh in, depending on your response.
Ms. Manfra. Thank you for your question, sir. If I may just
separate the two programs because I think the critiques are
somewhat different.
For the National Cybersecurity and Protection System, which
Mr. Wilshusen summarized in the GAO report, we did concur with
the recommendations from the GAO report. We have also done some
independent studies as well within the Department, leveraging
MIT and Lincoln Labs to look at the system as well.
For National Cyber Protection System, if I may briefly
review, it is made up of five capabilities. The first is
intrusion detection, which is EINSTEIN 1 and 2. Those have been
in place for quite a while.
Those are Unclassified capabilities that look at network
flow and detecting known threats from traffic that is exiting
and incoming to the network.
EINSTEIN 3A, as we refer to it, takes Classified
information and uses it to protect Unclassified data that is
traversing in and out of the agency's network by partnering
with the internet service providers that service those
agencies.
The other two capabilities is the core infrastructure that
supports everything that we do at, within the National
Protection and Program Directorate and as well as our
information sharing.
So the criticism is largely focused on EINSTEIN 3
Accelerated, which is the focus on being able to deploy quickly
which we believe that was a valid criticism.
We were able to accelerate that deployment, and in
cooperation with yourselves in the passage of the Cybersecurity
Act that required agencies to deploy that. As I noted, we are
now at 93 percent. So we believe that we are improving on the
coverage aspect.
We are still working to ensure that the Classified
indicators are as valuable as possible. We continue to work
with our partners in the intelligence community and with
network owners and operators to ensure that not only are the
indicators valuable but, as Mr. Wilshusen noted, that we and
our analysts are providing appropriate context for agencies to
understand what should they do once they do receive an alert.
So we are continuing to refine our processes there.
On the lack of integration between CDM and EINSTEIN, we
also recognize that as a valid criticism. We integrated the two
programs so that they are now managed under one program
director. We believe that, from a programmatic perspective,
that has resolved a lot of the challenges.
Then, technologically, what we hope to achieve is as CDM is
deployed and we gather insight on what is going on inside of
the networks, that we then correlate that with the threat
information and the data that we are receiving on what is going
on that is going in and out of the agency networks on the
network traffic, and that we will then be able to provide our
intake and analysts with a holistic risk picture on both the
vulnerabilities and the threat that our two major programs are
seeing.
But we also look to understand all of the available
datasets for us and ensure that our analysts are taking
advantage of those when they are providing that context.
Mr. Ratcliffe. Thank you, Ms. Manfra.
So Mr. Wilshusen and Mr. Jaikaran, you heard Ms. Manfra
essentially confirm some of the critiques. Very quickly, the
mitigation path that she outlined, do you think that is
reasonable?
Mr. Wilshusen. Yes, I do. It is something that we have been
working with DHS since we issued our report back in January
2016. It has been over a year. We have been working with DHS
and following their actions to implement our recommendations,
and we will continue to do so until they are fully implemented.
Mr. Jaikaran. So Ms. Manfra--sorry. Ms. Manfra highlighted
one of the challenges with the sharing information. Once that
information is shared it is reliant on the recipient of that
information to take some action. That is the next step that the
work that the analysts will perform to help agencies take the
action to remedy the cybersecurity threats.
Mr. Ratcliffe. My time has expired. I may have some
additional questions in a follow-up round if we get the chance.
But at this time, the Chair now recognizes the Ranking
Minority Member of our subcommittee, Mr. Richmond, for 5
minutes.
Mr. Richmond. Thank you, Mr. Chairman.
This is to Ms. Manfra and Mr. Wilshusen. In past reports,
GAO has underscored the need for a more strategic approach to
cybersecurity within the Department of Homeland Security. I
authored a law last year that required DHS to create such a
strategy and submit it to Congress.
Ms. Manfra, the statutory deadline for this strategy was
March 23. What is the status of this strategy and when should
we expect to see it?
Mr. Wilshusen, are there areas where a DHS-wide cyber-
strategy, in your experience, will be beneficial to the
Department as it carries out its diverse cybersecurity mission?
Ms. Manfra. Thank you for your question, sir. We are
working on the cybersecurity strategy as required under the
National Defense and Authorization Act, recognizing that it was
due last week.
However, we do need time to ensure that the new
administration has an opportunity to review and provide
guidance on what that strategy should look like. So we do
anticipate that that will be over to you all soon. We look
forward to working with you on implementing that strategy.
Mr. Wilshusen. Yes, I think the strategy should address
several issues, including, of course, DHS's statutory
responsibilities that it has with improving the security over
the Federal Government. As part of that it should also identify
the resources, the staffing that will be needed to implement
that strategy and perform the functions that have been laid out
to it under law.
So certainly clearly identifying its roles and
responsibilities and the resources necessary to perform those
activities, such as CDM and EINSTEIN, and the red and blue
teaming exercises that it does, as well as the threat
integration and information-sharing activities should all be
addressed in that strategy.
Mr. Richmond. Ms. Manfra, do you have an estimate of how
soon we would get it, a month, weeks?
Ms. Manfra. Our goal is to get it within the next couple
months, sir. But we do need to ensure that our leadership and
the new administration has a chance to review it and provide
the guidance. But sir, we are working very hard on it. This is
something that we recognize as critical to our success in the
next evolution for DHS cybersecurity.
Mr. Richmond. Thank you.
Then this is to the full panel. You can answer in whatever
order you want. One of the obstacles DHS encountered during the
Obama administration was convincing other Federal agencies to
take advantage of DHS tools, like EINSTEIN and CDM.
Mr. Jaikaran, please explain how laws like the
Cybersecurity Act of 2015 and FISMA have clarified agency
responsibilities?
Mr. Jaikaran. Thank you for the question, sir. Following
the spate of legislation that was passed during 113th and 114th
Congresses, there was that change whereas agencies were offered
the tools by the Department of Homeland Security. However, it
was incumbent upon that agency to accept that tool and
deploy it upon their networks.
After the change during the 113th and 114th Congresses, the
acceptance of those tools, particularly the National
Cybersecurity Protection System or EINSTEIN, as the tools are
known, was required.
You saw the change between the 30-some-odd percent to the
90 percent adoption from agencies when Congress statutorily
required agencies to deploy that technology.
Mr. Wilshusen. I would agree. It had a very positive effect
in compelling agencies to implement those programs.
Ms. Manfra. Sir, I concur with the other two, and I would
also note that it was able to remove a lot of the barriers that
we had previous legal misperceptions that we had with agencies
so that further facilitated the adoption.
Mr. Richmond. In a follow-up to that, from your
perspective, how helpful have these laws been at raising the
level of cybersecurity awareness across the Federal Government?
What are some of the most pressing challenges that still
remain?
Ms. Manfra. Sir, I think the laws have been effective in
raising awareness amongst the Federal leadership and the
broader community that supports the Federal Government in
securing our systems whether they are commercial or inside the
Federal Government.
I think some of the major challenges continue to be how the
Federal Government is able to modernize our IT systems and
being able to protect legacy IT systems.
It is a continuing challenge, and it is resource-intensive
which leads to the second challenge, which is resources. Being
able to allocate sufficient resources to protecting that data
in those systems that support that data continues to be a
challenge.
Mr. Richmond. If you can answer this in, like, 2 seconds,
just because you raised it, where are you all in the proposed
budget? Are you all left alone, increased, or cut?
With this, Chairman, I----
Ms. Manfra. Sir, you are referring to the fiscal year 2018?
Mr. Richmond. Yes.
Ms. Manfra. The proposed budget blueprint does give us an
increase at DHS.
Mr. Ratcliffe. The Chair now recognizes the gentleman from
New York, Mr. Donovan, for 5 minutes.
Mr. Donovan. Thank you, Mr. Chairman.
To follow up with my friend from Louisiana's questioning,
you all spoke about the successes of the Cybersecurity Act of
2015 and the prior two pieces of legislation that came out of
this committee and then eventually passed the House and the
Senate and was signed into law. What else do you need?
What would you like to see us do going forward now in
helping you protect our data, our network infrastructure? What
is it that you would like to see us do, this committee, our
whole Committee at Homeland Security and all of Congress to do
to help you do your job better?
Mr. Wilshusen. Well, one thing I would say is to continue
to shine a bright light on this issue. Hold hearings and have
agency personnel come up here and testify on how they are
implementing the requirements under these laws and how
effectively they are doing that.
I think shining the light on that really raises the
attention levels at the top levels of agencies and that helps
to get actions completed at those agencies. So that would be
one of the areas to do.
I will also point out that in another area where the laws
have been beneficial is with the cybersecurity work force
assessment initiatives that have been specified in a couple
laws for DHS specifically and across the Federal Government
where agencies are supposed to identify their critical
cybersecurity talent gaps and take steps to fill them.
So those are a couple areas where I think you have done a
job to help improve security.
Ms. Manfra. Echoing Mr. Wilshusen's comments, I would agree
with those. In addition, I think work on acquisition reform is
important. A lot of the challenges that we face in deploying
and procuring best-in-class technologies is not just for DHS
but for the entire government, is very important in continuing
to focus on building not just a Federal work force for
cybersecurity but a National work force for cybersecurity that
the Federal Government can benefit from.
Mr. Jaikaran. Sir, my fellow panelists have highlighted a
range of policy options that are available for the Congress. I
think that is one of the unique areas of this space,
cybersecurity, that issues of work force, issues of IT
acquisitions and modernization, issues of oversight all play
into this issue of cybersecurity and our options for the
Congress to consider moving forward.
Mr. Donovan. Can you explain to me what the acquisition
problems are that maybe we can address?
Ms. Manfra. I think for us, a lot of what we are looking at
is, one, ensuring that we are leveraging the authorities that
we currently have and improving our processes to ensure that
those are as innovative and rapid as possible. So we are making
and we are doing that work inside the Department and
encouraging other agencies to do the same.
But I do believe that looking at processes that would
enable faster tech refresh of our capabilities within the
Government and identifying opportunities to work with non-
traditional Government contractors.
There are still some barriers in the way that the
acquisition is currently written and done that doesn't allow us
as easily and as rapidly to engage with those entities.
Mr. Wilshusen. I think I would just add to it is kind of
following the example what we are doing under CDM program, and
that is leveraging Government-wide demand for products to buy
in volume and so we are able to achieve cost efficiencies
through volume discounts.
So for many different types of information security-related
tools and capabilities, to the extent they can be acquired
across the entire Government and all agencies can share will be
a very positive step, not only from a cost-effectiveness
purview, but also from a standardization view, too. That could
also help allow for greater integration of the computing
environments across the Federal agencies.
Mr. Jaikaran. I have nothing to add to the comments of my
fellow panelists.
Mr. Donovan. I have 30 seconds left, and I want you to
understand you are speaking to a guy whose VCR still flashes
12. So in layman's terms, is there any laws that we can create
for you that protects our data, protects our networks better?
You seem very satisfied with what this committee, what this
whole committee with Congress, has done so far in the area of
cyber. Is there something that you would love to see us do?
Ms. Manfra. From our perspective, sir, ensuring that DHS is
organized to achieve our cybersecurity mission. Renaming our
organization so people understand what the National Protection
and Program Directorate is really very important for us. We
look forward to working with the subcommittee and the committee
on that.
Mr. Donovan. Thank you. My time has expired.
Mr. Chairman, thank you.
Mr. Ratcliffe. The Chair now recognizes the gentleman from
Louisiana, the Ranking Minority Member of the committee, Mr.
Thompson--or Mississippi.
Mr. Thompson. Well, I will take Louisiana, but I am from
Mississippi.
Mr. Ratcliffe. Is there a difference?
Mr. Thompson. Not really. Thank you, Mr. Chairman.
All of you talked about the capacity of having cyber
experts within Government. One of the criticisms we hear quite
often is we don't have enough, or as soon as we get them, the
private sector acquires them. I could use another term, but----
So Ms. Manfra, what do you think we need to do, that we are
not doing, to recruit and keep cyber professionals within the
Federal Government system?
Ms. Manfra. Thank you, sir, for your question. This is
something that is not only critical for us but something that I
personally care a great deal about. As a part of the broader
initiatives to improve STEM education in the United States, I
believe cybersecurity is an important component of that.
We at the Department have done a lot of work to encourage
universities and working with NSA and the NSF to have a common
curriculum that universities will adopt and developed a program
with the Office of Personnel Management called the CyberCorps
Scholarship for Service that allows graduates of that program
to benefit from a scholarship and then come and work for either
Federal, State, and local government.
That is one area that we have seen tremendous benefit from.
While they may leave the Government after their time is up, we
appreciate the time that they did spend with us.
We also are looking in terms of the authorities that this
Congress gave us to create an excepted service for
cybersecurity. We are moving forward in developing the
components of that so that we can begin transitioning to that
excepted service, which will allow us to drastically change how
we can keep up with the marketplace on cybersecurity
personnel.
But while we are working to implement that, we have worked
to, within our current authorities, use what we can to retain
the best and the brightest that we have right now, by ensuring
that with the tools that we have at the moment to retain them
and provide them with a better, a market-based approach to
their salary.
There is more work to be done, but this is something that
we have done a lot, and we look forward to----
Mr. Thompson. Well, you have given me a broad, broad
response to my question. Let me tell you what I hear from a lot
of Government employees. They will say because there is a
private contractor with an employee sitting next to me, and as
we talk I find out that we are doing the same work.
But that private contractor is probably making one-and-a-
half times, if not more, than my salary as a Government
employee. So that impacts morale and a lot of other things. So
do you hear that, too?
Ms. Manfra. Absolutely, sir, and the retention incentive
program that we have put in place for now, while we work to
implement the full excepted service, has actually had a drastic
effect in reducing our attrition rate so that we were at about
a 13 percent attrition rate. We are now down to a 9.
We think that that is commensurate with industry. We did
absolutely hear that quite a bit and we recognize that, and we
are using our tools to----
Mr. Thompson. You know, we even said go out and hire 1,000
people if you can find them and plus-up the Department because
you are short. I don't think we quite accomplished our goal.
Maybe you can help me?
Ms. Manfra. Yes, sir. Recruiting is still a challenge. We
believe we have made progress on retention. We are also looking
at innovative ways to recruit, and we do have some direct hire
authority that we don't believe that we were fully leveraging.
So we have worked with industry to look at how they recruit
talent to the technology companies there. We are looking at
adopting a lot of those practices in our human capital process.
Mr. Thompson. Well, I look forward to the next conversation
and you tell me how good we are moving in that direction.
Ms. Manfra. Absolutely, sir.
Mr. Thompson. OK. Thank you.
Mr. Wilshusen testified that the EINSTEIN program is good
if we know the malicious signatures. I guess the question is
what do we have as the alternative when we don't know what the
signatures are? Maybe you can tell me, and then I will go to
Mr. Wilshusen?
Ms. Manfra. Absolutely, sir. We think that, as I noted
briefly, that there are three areas that we want to focus on.
One is ensuring that we have better signatures. Signatures are
still a useful capability to deploy.
So we want to ensure that we have the best signatures that
are available and that we are using our private-sector
partnerships to both increase the quantity and the quality of
those.
We also want to ensure that the agencies understand how,
whether, it is not just a black or a white. This is either bad
or this is good.
But we want to look at those signatures and give them
information about how likely the severity of the threat is,
which we refer to as reputation scoring. This is something that
industry also uses.
The third one is what we refer to as anomaly-based
detection. That is more challenging. The technology does exist
in the industry and we are piloting it. But it is a challenging
capability.
We have seen success with some of our early pilots and we
look forward to understanding from those successes and learning
from where the challenges were to fully deploy that capability.
Mr. Thompson. So is that the pilot that we should have
concluded last July?
Ms. Manfra. The pilot was begun in early last year. We are
still in the pilot phase.
Mr. Thompson. So it appears----
Ms. Manfra. We brought it. We brought in the pilot, sir.
One of the things that we need to continually be mindful of is
our ability to scale technological deployments.
So just because something might work at one agency we need
to ensure that it can scale for the entire civilian government.
So we expanded the pilot from that first agency to include
others.
Mr. Thompson. All right. Thank you.
Thank you, Mr. Chair.
Mr. Ratcliffe. The gentleman from Mississippi yields back.
The Chair recognizes the gentleman from Pennsylvania, Mr.
Fitzpatrick.
Mr. Fitzpatrick. Thank you, Mr. Chairman. Thank you to the
panel for being here.
I will start with Ms. Manfra and then second to the entire
panel. The relationship with the FBI, would you describe it as
one of cooperation, one of competition or both, knowing that
there are multiple agencies in the same space? Sometimes that
can help and hurt.
Second for the panel, we repeatedly hear the same four
nations mentioned through testimony here, Russia, China, North
Korea, and Iran. How would you describe to this committee the
uniqueness of each of those cybersecurity threats that each of
those nations pose? How would you rank them?
Ms. Manfra. The question of the FBI cooperation, I am very
proud that I consider this an area of cooperation. Now, that
doesn't mean to suggest that there aren't areas where we have
different equities. But that is appropriate.
We believe that we have built the capabilities to work
through those processes so that we ensure that they are able to
pursue their investigative equities and we are able to pursue
our network defense.
We have FBI sitting on the NCCIC floor 24/7, and we
routinely work with them to ensure that we are both aware of
the same reporting streams, whether it is through their sources
or through our partnerships, and that we are continuing to
cooperate on mitigating and preventing potential incidents and
working together to reduce the consequences should an incident
occur.
PPD-41, which was a policy that was delivered at the end of
the last administration, laid out the doctrine that is still
valid and that we still work under where the FBI leads what we
refer to as the threat response. That is containing the threat.
Where we lead what we refer to as asset response, which is
working with the victims and understanding the broader risk and
how we mitigate that. We believe that works very well.
Mr. Wilshusen. With respect to the four nations, I would
say that Russia is very skilled, capable, and is probably more
surgical in its intrusion capabilities and intense.
China also has a lot of skills and probably takes a
broader-based view in trying to get into more different
activities across the Government and the economy.
I would just say probably Korea and Iran are more likely to
be involved in more destructive activities, that they have that
capability.
Mr. Jaikaran. Sir, unfortunately my work at CRS has not
provided me insight into the capabilities of each of the
countries. However, I do have colleagues who do study threat
actors specifically, and I would be happy to get them in
contact with you after this hearing.
Mr. Fitzpatrick. Thank you.
I yield back.
Mr. Ratcliffe. I thank the gentleman.
The Chair now recognizes the gentleman from Rhode Island,
Mr. Langevin.
Mr. Langevin. Thank you, Mr. Chairman. I want to thank our
witnesses for your testimony today and most especially what you
are doing to secure our networks against those who have bad
intentions.
So Ms. Manfra, if I could start with you? So DHS was
authorized by FISMA 2014 to use binding operational directives
to issue mandatory instructions to agencies regarding
cybersecurity policies, measures, standards, and guidelines.
So far how many of those binding operations directives have
been issued? Can you also characterize the response of the
Federal agencies to these directives and also identify where
their enforcement can be improved?
Ms. Manfra. Thank you, sir. We have issued four binding
operational directives to date. We believe that they have been
very effective. They were all delivered by former Secretary
Johnson to his peers, which we do believe is part of the
success of these directives.
We made very deliberate decisions to do our best to issue
binding operational directives that would enable us to measure
their success in implementing those directives.
The first directive on reducing critical vulnerabilities
and the one on high-value asset and participating in the high-
value asset assessments, as well as closing some
vulnerabilities related to later revelations of activity with
some criminal tools that were being used, have all been very
effective.
The critical vulnerability we have excellent data that
shows that not only are they closing those critical
vulnerabilities, but they are reducing the time to close those
vulnerabilities. We gave them 30 days to close those critical
vulnerabilities. Many of those vulnerabilities had been open
for oftentimes more than a year.
We are now seeing a dramatic reduction in the amount of
time that it is taking them to reduce those critical
vulnerabilities, which we think is a demonstrable change in
behavior and recognizing the value of those binding operational
directives.
Mr. Langevin. So in all four cases the binding operational
directive was satisfied and the agencies closed the
vulnerabilities, addressed the problem?
Ms. Manfra. Yes, sir. We did not close the critical
vulnerability or the high-value asset one because those were
ones where we wanted to continue to be able to measure them.
So we work with them, their chief information officer and
chief information security officer to continue to provide them
reports on the status because we believe those are always valid
directives for them to follow.
Mr. Langevin. OK. Thank you.
Mr. Wilshusen, has GAO studied the impact of binding
operational directives issued by the Department?
Mr. Wilshusen. We have not.
Mr. Langevin. OK.
So Ms. Manfra, we recently, we heard recently before the
committee that the threat indicators are shared by DHS, often
lack context that make private-sector participants, that they
would make them--may desire to make them actionable.
At the same time developing such context takes time and in
the development of the Cybersecurity Act of 2015 we heard that
rapid sharing was essential. So how does the Department balance
the competing needs of sharing actionable information with
appropriate context against the desire to share quickly?
Ms. Manfra. Thank you, sir, for that question. We believe
that all of those are valid requirements. However, not all of
our stakeholders require all of those various different
capabilities.
Our automated indicator-sharing program is to get as much
threat information out as quickly as possible in an automated
way so that people can ingest those indicators and protect
themselves.
We believe that that has been a successful program. We are
about a year into it, and we have nearly 200 participants that
are receiving indicators from us.
Now, there is always feedback and we appreciate the
feedback in the working to improve that program. We also have
other programs to include providing private sector with
clearances so that we can work with our intelligence community
partners to provide Classified briefings should the threat
require it.
We also work with our cyber information-sharing and
collaboration program where we can do technical exchanges with
analysts at industry organizations that have significant
capabilities of their own where we can exchange broader
information on context and refine what it is we are doing. That
is how we think of focusing our efforts.
Mr. Langevin. So the people that we have been talking to,
just so you have some feedback, didn't think that the
information sharing has been all that effective. So we need to
work harder in that area.
I would ask you now if you have a secondary process? I
mean, sharing quickly the indicators is important and getting
that out is important. But what about a follow-up and helping
to share context in a second round?
Ms. Manfra. Absolutely, sir. Similar to what we are doing
with the Federal agencies is to help score some of these
indicators working with the private sector to ensure that we
are providing both the quality quickly and understanding that
we may need to follow up either broadly with an entire sector
or on specific entities that are being targeted to provide them
with additional context so that they can make threat decisions.
But we have heard similar feedback. We understand from our
partners that we are improving, but that we do need to continue
to improve on this capability.
Mr. Langevin. Thank you.
I know my time has expired, but just in closing, Mr.
Wilshusen, I hope that GAO would look at these binding
operational directives issued by the Department, especially
since there are only four, and give us an assessment.
It would certainly help the committee to decide whether the
binding operational directive is meaningful or not. We
appreciate the testimony of Ms. Manfra, but I would be----
Mr. Wilshusen. I will be happy to work with your staff to
look at that.
Mr. Langevin. Thank you.
Thank you, Mr. Chairman, I yield back.
Mr. Ratcliffe. We have a number of Members that have
competing hearings this morning and haven't been able to make
it back. So I know that they are going to have questions for
all of you that will be submitted in writing.
So with that, however, I will thank the witnesses for your
testimony today. I want to thank the Members for all their
questions. As I said, Members of the committee will have some
additional questions, and we will ask you to respond to those
questions in writing respectively.
Pursuant to committee rule VII(D), the hearing record will
be held open for 10 days. Without objection, the subcommittee
now stands adjourned.
[Whereupon, at 11:16 a.m., the subcommittee was adjourned.]
APPENDIX
----------
Questions From Chairman John Ratcliffe for Jeanette Manfra
Question 1a. Do the objectives for CDM still align with reality of
the evolving cyber risks faced by the Federal Government?
On March 22, the committee held a hearing where Members heard about
the rapidly-evolving nature of cyber threats. Based on this changing
threat landscape how is DHS ensuring CDM tools and capabilities are
keeping up with the evolving threat landscape?
Question 1b. How is DHS ensuring that CDM tools and capabilities
are addressing the devices and end-points that pose the most risk to
Federal agencies going forward?
Answer. The Continuous Diagnostics and Mitigation (CDM) program
objectives directly align with the reality of evolving cyber risks, and
the program is committed to continuing to assess its effectiveness at
addressing such risks. In the context of ever-evolving cyber threats,
there are basic fundamental steps to strengthening cybersecurity. For
instance, knowing the information technology (IT) assets connected to
and interfacing with agency networks, and therefore, must be managed is
a crucial basic fundamental step related to cybersecurity. In the first
phase of CDM, the National Protection and Programs Directorate (NPPD)
is helping Federal agencies better understand what is on their network
and better manage the cybersecurity of those assets. CDM works to
ensure that agencies know what IT assets they operate and how well
those assets are configured and patched. IT assets, combined with their
vulnerabilities and misconfigurations, represent a significant attack
surface that our adversaries target. Through better patching and
configuration, agencies are able to reduce the likelihood of successful
compromise against the evolving threat. This is one of the key
objectives of CDM.
Another fundamental principle of CDM is to understand who is on the
network. By learning who has access to agency networks, including those
individuals with privileged user access, agencies can begin to
appropriately restrict network access and ensure the principle of least
privilege is being followed. This second phase of CDM is a significant
step forward in managing cyber risk.
NPPD's National Cybersecurity and Communications Integration Center
(NCCIC) will soon operate a Federal dashboard as part of CDM.
Integration of the Federal dashboard into the NCCIC's 24/7 operations
will provide DHS's cybersecurity operators with around-the-clock
situational awareness into the current security posture of Federal
agencies. This will enable the NCCIC to help agencies prioritize their
patching and configuration actions to address the most critical
vulnerabilities based on current threat data. It also allows the NCCIC
to alert agencies when new threats arise that exploit specific
vulnerabilities. The NCCIC will be able to adjust the criticality
information related to specific vulnerabilities in order to bring
agency attention to the worst problems that should be addressed first.
In order to maintain product currency, ensure innovation, and keep
up with an evolving threat, on at least a quarterly basis CDM allows
integrators to submit for review the latest tools that meet the CDM
technical requirements. Once the tools pass technical review conducted
by the CDM program, they can be added to the approved product list on
the blanket purchase agreements, making them available for purchase and
use at Federal agencies.
In working with Federal agencies and CDM integrators, NPPD is
helping to ensure that CDM capabilities protect Federal agency
networks. By providing agencies with significantly more visibility into
their end-points and users, CDM is helping agencies continuously
monitor their IT environments and improve their overall cyber hygiene.
Agencies are now installing the tools across their networks, which
gives their leadership and network administrators visibility into the
current state of their networks to better identify and prioritize areas
of cyber risk, particularly those areas that pose the most risk.
Question 2. Is the Department providing technical training to
agency system administrators on the use of the CDM tools so they know
how to effectively and optimally use the tools to diagnose and mitigate
vulnerabilities?
Answer. The Continuous Diagnostics and Mitigation (CDM) program
anticipated training requirements for operation and management of
capabilities. Training requirements were included in the contract
solicitation. All CDM integrators are required to provide sufficient
training to enable agencies to transition the CDM tools to agency
operation once the integrator contract is completed. When transition is
complete, agencies will be able to understand what the CDM tools are
telling them about agency vulnerabilities via the agency dashboard, and
respond appropriately.
Funds available for training are limited, and experience is showing
that agencies are requesting more detailed, sustained training options.
DHS has reminded agencies of the need to fund training for tools and
governance activities. For dashboard operations, CDM is developing on-
line, hands-on workshops in fiscal year 2017 to assist agencies with
understanding how to use the CDM agency dashboard.
Question 3. Are departments and agencies being provided with
thorough estimates of what the cost of maintaining the CDM products
will be?
How is DHS working with departments and agencies on the transition
to maintaining CDM products?
Answer. Yes. Since December 2015, the Continuous Diagnostics and
Mitigation (CDM) program worked with the Office of Management and
Budget (OMB) to provide cost estimates to agencies on all CDM
capabilities provided to date. This information was updated again in
December 2016. In the third quarter of fiscal year 2017, the program
met with the chief information officer and chief financial officer or
their designees, of each Chief Financial Officer Act agency [as listed
in U.S.C. Sec. 901(b)] to provide even more detailed cost estimates for
license maintenance in fiscal year 8. We are working closely with OMB
and agencies to ensure that agency budgets are able to absorb the tool
and labor costs after the Department of Homeland Security transitions
the CDM solutions to agencies.
Question 4. What feedback mechanism does the Department have for
soliciting and receiving comments from agencies on their experience
with the CDM program?
What benefits and challenges have the agencies identified with the
program?
Answer. During the summer of 2016, the Federal chief information
officer (CIO) held a CyberStat on the Continuous Diagnostics and
Mitigation (CDM) program. The CyberStat included program documentation
review, interviews conducted by Office of Management and Budget (OMB)
staff with several agencies, and meetings between the Federal CIO and
the CIO or chief information security officer (CISO) of each agency.
This CyberStat was a valuable source of feedback. The Federal CIO noted
that ``all participants expressed support for the security objectives
of the program and emphasized their commitment to procuring CDM Phase 1
tools.''
Other benefits included:
Establishing a consistent approach toward information
security continuous monitoring of networks across the Federal
civilian agency enterprise. The Federal Information Security
Modernization Act of 2014 requires agencies to provide security
for the networks that support the operations and assets of
their agency and codifies the Department of Homeland Security's
(DHS) authority, in consultation with OMB, to administer the
implementation of information security policies and practices
for civilian agencies. Through CDM, agencies receive a
significant investment by DHS to boost previous efforts and, in
many instances, are able to achieve an internally consistent
enterprise approach, allowing them to leverage similar product
knowledge, subject-matter expertise, and technical support
across the agency.
Pioneering an innovative acquisition approach by combining
agencies into groups for similar requirements and project
efficiencies. By grouping agencies, CDM is achieving economies
of scale and reducing pricing for labor and products. To date,
CDM has achieved cost avoidance of $600 million on products
over the Schedule 70 pricing.
Leveraging a consistent system engineering life cycle,
tailored from DHS.
Establishing an approach toward supply chain risk management
across the Federal civilian Government enterprise. To date, the
program has applied secure delivery controls for well over 1
million products delivered to participating agencies.
Challenges identified by some agencies included issues such as:
Asset and infrastructure gaps; agency governance and management
challenges; integrator project management challenges; training and
knowledge management; entrance on duty requirements; and selection of
tools and requirements. With regard to the identified gaps, agencies
noted that CDM revealed a significantly larger number of new end-points
than previously understood, and unplanned infrastructure upgrades and
modernization may be required to support new CDM tool deployments.
While the ultimate goal of CDM phase 1 is to identify all end-points on
the network, these activities resulted in budget implications for DHS
and agencies. Further, since additional end-points were identified,
future-year license maintenance costs will increase. Governance
challenges include the need for CIO engagement and leadership with
clear project management. Integrator project management challenges were
identified as requiring proactive engagement and communications with
the agencies, and well-documented plans, schedules, etc. The program
worked closely with each integrator to ensure plans and schedules were
clearly communicated on a timely basis. Agencies identified a need for
training and better knowledge management, particularly concerning the
tools. Entrance on duty requirements were identified as causing
significant delays in on-boarding critical integrator personnel,
resulting in schedule delays. With regard to tool selection, some
agencies noted that support for the awarded solutions varied within
agencies.
The CDM program office has worked with OMB on the next steps, which
include implementing improvements and addressing concerns, as
appropriate. Moving forward, CDM has established a Customer Advisory
Forum (CAF) comprised of CISOs, or designees, from each agency in order
to receive feedback on topics of interest and concern. The CAF will
continue to meet on a bi-monthly basis and will serve as the focal
point for interagency collaboration related to CDM planning and
implementation, including customer proposals and adoption,
organizational and technical challenges, acquisition planning, and
capability integration priorities.
Question 5a. A number of stakeholders have raised a concern that
there is some confusion among agency officials about the technology
tools and solutions CDM directs them to use. Can you provide greater
clarity around this, particularly as it relates to tools and solutions
that Federal agencies may already have in place?
For example, if an agency has already procured and deployed an IT
asset inventory and management solution, can the agency continue to use
that solution and be in compliance with CDM?
Or would they have to scrap this already paid-for and deployed
solution, and buy something from a CDM approved vendor?
Question 5b. How does DHS help officials at agencies across the
Government understand whether they are able to use solutions they have
already procured, or whether they will need to deploy new solutions
through CDM?
What steps does DHS take to provide this clarity to agencies so
that there isn't unnecessary duplication of effort, or unnecessary
procurement of technology?
Answer. The Continuous Diagnostics and Mitigation (CDM) program
does not prescribe which tools should be deployed to which Federal
agencies, but rather defines a cybersecurity requirement and allows
industry to propose a set of tools that comprise a CDM solution. The
solutions are evaluated on a technical and cost basis with
participation from agencies, the Department of Homeland Security's
(DHS) CDM program, and the General Services Administration (GSA)
Federal System Integration and Management Center (FEDSIM).
Solutions are awarded when identified as the best value to the
Government. Historically, there have been niche buys of technology
tools and solutions by parts of an agency without consideration of
efficiencies that could be gained through enterprise-wide
standardization, resulting in higher cost of ownership when that
technology needs to be integrated into a bigger solution. The general
principle of CDM is to gap fill by extending the product bases within
an agency or component versus wholesale replacement--applying the best
value principle. The best value principle takes into account re-use of
existing tools, efficiencies gained through increased volume discounts
on products, leveraging of shared resources with solution-specific
expertise, reduced number of architectural baselines, and consistency
of data reporting to agency and Federal dashboards. Among the lessons
learned within Federal agencies was that the niche technology approach
provided little enterprise visibility of the agency network.
CDM seeks to find best value solutions in cooperation with Federal
agencies. In instances where an integrator proposed a solution to meet
a specific requirement that conflicted with an existing agency
capability, the agency had a choice to accept the CDM-provided
solution, along with installation and integration labor, or to retain
its existing capability but assume the responsibility for integrating
required data provided by existing agency tools into its agency
dashboard to ensure achievement of CDM's goal of consistent data
reporting between agency dashboards and the Federal dashboard across
all agencies.
Prior to release of the request for proposals (RFP) during the
solicitation phase of CDM, DHS has worked closely with agency officials
to identify agency requirements, including, where appropriate and
driven by the agency, considerations for agency-specific requirements.
For the task orders on Phase 1 of CDM in 2014, DHS helped agencies
complete detailed technical spreadsheets that were provided to all
bidders. The bidders were then able to consult agency-specific reading
rooms where additional technical detail was provided. A similar
mechanism was used in Phase 2 of CDM, where agencies were asked to list
existing products on an attachment to the Phase 2 RFP to provide
offerors a snapshot into the current agency landscape. As CDM moves
into Phase 3, DHS is working with agencies to identify their
priorities, which will help shape the capabilities DHS funds. DHS will
continue to work with agencies through CDM's Customer Advisory Forum
and other mechanisms to provide transparency and reduce duplication of
effort.
CDM established a new vehicle, CDM DEFEND, to cover Phase 3 and
beyond. This approach will continue to incorporate successful elements
of the current CDM Blanket Purchase Agreement, such as reading rooms
and Approved Product Lists, while moving away from a defined BPA to use
of a Government-Wide Acquisition Contract (GWAC), Alliant, managed by
GSA. The GWAC approach will avoid the cost of establishing a new BPA,
and provide greater flexibility for CDM to address evolving
requirements as new needs are identified. This approach includes
provisions for agencies to contract for agency-specific requirements
directly if an agency has identified cybersecurity requirements that
are not part of the CDM program.
Question 6. What is DHS planning to do to accelerate the adoption
of new capabilities based on lessons learned to date?
If a deployed Phase 1 tool has embedded capabilities that have
additional functionality, such as those in later phases, can an agency
use that capability now?
Answer. As the Continuous Diagnostics and Mitigation (CDM) program
works to replace the existing blanket purchase agreement task order,
several factors will support accelerating the adoption of new
capabilities. Shorter evaluation and award cycles for targeted
capabilities beyond the base capabilities will allow an agency to
tailor solutions and assess specific tools. Agencies' experience with
targeted new capabilities will provide a better understanding of how
broadly a specific tool can apply, potentially reducing the time to
negotiate enterprise-wide solutions. Additionally, the process for
adding new products to the approved portfolio is being significantly
enhanced in order to reduce the time for availability from several
months to potentially a couple of weeks.
The CDM integrator is implementing capabilities according to the
phased CDM implementation schedule. If a tool deployed during Phase 1
has additional functions that are scheduled for later CDM phases,
agencies are free to implement the additional functionality if they
resource the work, fund the associated product and labor costs, and
ensure tool configurations meet subsequent CDM requirements and
compatibility with Federal dashboards.
Question 7. One common problem in information technology management
generally is the issue of ``shelfware''--that is, software that has
been procured but never deployed. As we look across agencies and
departments, it is probably fair to say that many have acquired
solutions that can achieve the requirements of CDM but they are sitting
on a shelf somewhere and individuals at the agency are either unaware
of these capabilities, or they have failed to deploy these
capabilities. Is there a process that helps agencies better understand
and utilize current assets that can meet CDM requirements?
If so, can you please describe how that process works?
Answer. Agencies can consult with the Department of Homeland
Security regarding whether an existing tool, deployed or not, meets
Continuous Diagnostics and Mitigation (CDM) program requirements. CDM
publishes a product catalog through the General Services Administration
(GSA), available on-line, that identifies CDM-approved tools. The CDM
program has provided labor support to agencies who reported they
already had existing products but did not have them deployed. Since
these products were part of the CDM solution, it was deemed in the best
interest of the Government to ensure they did not remain ``shelfware.''
In future phases, CDM will continue to maintain approved product lists
that crosswalk CDM-approved tools to CDM capabilities. Additionally,
CDM will offer contract vehicles that agencies can use to fund
installation, configuration, and integration activities associated with
existing, legacy products. Although DHS provides cybersecurity tools
and services, the responsibility of employing those tools and services
for the practice of cybersecurity is ultimately the responsibility of
each agency. It is incumbent on each agency to engage with CDM in order
to fully utilize available resources.
Question 8. CDM seeks to provide threat protection at the network
boundary. How is DHS ensuring this protection extends across all levels
(or tiers) of agency infrastructure, especially when the intensity and
scale of threats is increasing exponentially?
Answer. EINSTEIN, the Department of Homeland Security's (DHS)
intrusion detection and prevention capability, provides perimeter
defense for Federal civilian executive branch agencies. However,
EINSTEIN will never be able to block all malicious cyber activity.
EINSTEIN must be complemented with systems and tools inside agency
networks, such as Continuous Diagnostics and Mitigation (CDM), and by
proactive efforts from each Federal agency to implement cybersecurity
best practices, such as multi-factor authentication and employee
training. DHS deploys tools that provide visibility into all levels of
the agency networks to provide broad protection. CDM Phase 1 is focused
on ``what is on the network'' and CDM Phase 2 is focused on ``who is on
the network.'' CDM Phase 3 will be focused on filling gaps at the
network boundary and developing on-going assessment and authorization
across the agency systems. The objective is to address the evolving
threat by extending external visibility into internal agency
structures, further reducing unauthorized access to networks, systems,
and data.
Prior to the deployment of CDM Phase 1 tools to agencies, agencies
underestimated the number of devices on their network. The lack of full
awareness by various agencies regarding ``what is on their network''
played a significant role in some of the challenges with CDM Phase 1
deployment, particularly the need to increase contract ceilings and
identify funds to cover devices and end-points not previously
identified, and at the same time underscored the program's value. The
CDM Phase 1 deployments are now providing agencies with significantly
more visibility into their end-points, enabling them to effectively
manage and configure those end-points on the network.
Question 9. How will DHS continue enhancing cybersecurity defenses
despite the added complexity and risk from the proliferation of mobile
devices in the Government IT enterprise?
Answer. The Department of Homeland Security is constantly
evaluating emerging technologies and working with Federal agencies to
identify the most appropriate cybersecurity solutions. The utilization
of mobile devices is driving changes in our network security designs.
As threats and technology evolve, the Continuous Diagnostics and
Mitigation (CDM) program is working to incorporate cybersecurity
solutions for new computing paradigms, such as mobile computing. At the
time CDM Phase 1 was awarded, there was insufficient Federal policy
direction for mobile security. From its inception, it was an objective
of CDM to eventually address mobile security. Since then, there has
been significant progress in the formulation of reference security
architectures for mobile, and the program is planning to include mobile
computing in the next generation of task order work.
Question 10. Does DHS intend to serve as a Federal agency advisor
for mobile device authentication to better secure sensitive Government
networks and data that leverages work DHS is doing on innovative
Government smartcard and credentialing applications?
Answer. The Department of Homeland Security administers the
implementation of Federal agency information security policies and
practices, and provides recommendations and technical assistance on
cybersecurity and resilience measures. Mobile security is part of this
effort.
Question 11a. The Government knows that it needs to implement
cybersecurity at the data and document level because existing cyber
protection strategies are fundamentally inadequate. Phase 4 of the CDM
program acknowledges this issue. What is the time frame to roll out
data-level security measures for the DHS CDM program?
Have DHS and GSA considered accelerating the roll-out of data
protection capabilities included in its CDM Phase 4 strategy?
Question 11b. What CDM training is taking place to ensure Federal
agencies are planning and budgeting to adopt such ``data-level
protection'' capabilities?
Answer. The President's fiscal year 2017 budget request included
funding for a newly-proposed Continuous Diagnostics and Mitigation
(CDM) Phase 4 to expand the CDM program to include additional tools and
services to protect sensitive and high-value asset data within agency
networks. While not fully funding the requested level, the fiscal year
2017 Consolidated Appropriations Act provided funds to begin the
planning activities necessary to define CDM Phase 4 in preparation for
an acquisition review in late fiscal year 2018. However, we are
continually working to identify opportunities to accelerate and
innovate within CDM and other cybersecurity-related programs at DHS and
hope that we will be able to accelerate as appropriate.
There are fundamental technical steps that have to be in place
prior to focusing on the data, such as identifying the assurance level
on the user's identity and the degree of hardening and protections
within the infrastructure that holds the data. This is done through the
implementation of key parts of Phases 1, 2, and 3. Given that Phase 4
requirements have not yet been fully developed, detailed planning,
including training requirements, has yet to be defined.
Question 12. The Trusted Internet Connection (TIC) was designed to
provide an additional layer of perimeter security to Federal Government
systems by consolidating internet points of presence and enabling
network monitoring of traditional on-premises systems. Advancements in
cybersecurity technology, specifically through cloud computing, have
changed the security models that guided the original TIC design. Some
have suggested that the TIC in its current form creates too many
latency, scalability, and architectural issues that hinder the
migration of workloads to the cloud and other emerging technologies.
Does DHS plan to update TIC policy to allow these technologies to
provide functional operational visibility?
Answer. The Office of Management and Budget (OMB) issues Trusted
Internet Connection (TIC) policy. The Department of Homeland Security
(DHS) is collaborating with OMB, Federal agencies, and industry to
identify potentially effective and innovative means to both meet
Federal security requirements and to ensure a level of resilience that
aligns with agencies' risk decisions.
Question 13. Given the pressing cybersecurity mission DHS provides,
what is the time line for resolving the DOMino procurement issue?
How does DHS plan to minimize DOMino transition risk, staffing, and
impact to providing the Federal Government environment with critical
cyber defense capabilities in light of recent events?
Answer. On June 9, 2017, the Department of Homeland Security (DHS)
awarded the DOMino contract and the task order for Operations and
Maintenance. The Design and Analytics Task Orders will be issued in the
near future. DHS has put in place bridge contracts to support the
transition from incumbent contractors to the DOMino vendor.
Question 14. Given the rapid rise in the threat landscape and the
increasing attack surface for the U.S. Government, has the CDM
initiative kept pace and is it capable of introducing solutions
expeditiously to combat and protect?
Given the fact that the Federal workforce has become more dependent
on ``cloud'' and ``mobility,'' is CDM still the correct solution to
address threats posed in the cloud and mobile spaces?
Answer. In order to maintain product currency, ensure innovation,
and keep up with an evolving threat, on at least a quarterly basis, the
Continuous Diagnostics and Mitigation (CDM) program allows integrators
to submit for review the latest tools that meet the CDM technical
requirements. Once the tools pass technical review conducted by the CDM
program, they can be added to the approved product list on the blanket
purchase agreements, making them available for purchase and use at
Federal agencies.
As threats and technology evolve, CDM is working to incorporate
cybersecurity solutions for new computing paradigms, such as cloud and
mobile computing. At the time CDM Phase 1 was awarded, there was
insufficient Federal policy direction for cloud and mobile security.
From its inception, it was an objective of CDM to eventually address
cloud and mobile security. Since then, there has been significant
progress in the formulation of reference security architectures for
both, and the program is planning to include both cloud and mobile
computing in the next generation of task order work.
Additionally, CDM is assessing the movement to different detection
methods and countermeasures to threats that are not pre-defined, or are
behavior versus signature-based.
Questions From Ranking Member Cedric L. Richmond for Jeanette Manfra
Question 1a. The Federal Information Security Modernization Act,
Pub. L. 113-283, grants the Secretary of Homeland Security authority to
issue ``binding operational directives'' to direct other agency heads
to take specific actions to protect their networks.
What factors go into the decision to issue a directive? If you have
formal criteria, please provide a copy.
Question 1b. How has DHS used this authority thus far, and how do
you assess how effective each directive has been?
Question 1c. In the view of the Department, would it be an
appropriate exercise of this authority for DHS to direct specific
action to encourage better cyber hygiene going forward, rather than
address specific known risks?
Answer. The Secretary of the Department of Homeland Security (DHS),
in consultation with the Director of the Office of Management and
Budget (OMB), has the authority under 44 U.S.C. Sec. 3553(b)(2) to
develop and oversee the implementation of binding operational
directives (BODs). The Federal Information Security Modernization Act
(FISMA) statute includes specific topics for BODs, including
requirements for reporting security incidents to DHS's National
Cybersecurity and Communications Integration Center (NCCIC),
requirements for the contents of the annual FISMA reports, requirements
for the mitigation of exigent risks to information systems, and other
operational requirements as OMB, or DHS in consultation with OMB, may
determine are necessary.
DHS, acting through the National Protection and Programs
Directorate (NPPD), identifies risks or requirements to be addressed
through BODs. DHS also accepts ideas for potential BODs from entities,
such as the Federal Chief Information Officer (CIO) Council,
independent security researchers, or other partners. As needed, DHS may
convene a group of subject-matter experts from Federal agencies, OMB,
and the National Institute of Standards and Technology to consider the
relative merits of particular risks in order to determine the
appropriateness of a given BOD or determine the prioritization of
different BODs.
Generally, when determining whether a certain issue is appropriate
for a BOD, DHS considers the following questions:
Is the proposed BOD related to an active threat? If so, what
is the scope and magnitude of the problem?
Is the proposed BOD related to a potential identified risk?
What category/schedule does the potential BOD fit into
(planned, escalation of issue, or emergency)?
Is this issue specific to a particular Federal agency or
could it be applicable across the civilian Federal Executive
branch?
What is the difficulty to exploit the vulnerability?
Is the issue/subject Sensitive or Classified?
Are external events or threat intelligence driving the need
for or request of the proposed BOD?
Can the proposed BOD be measured and validated by DHS?
Could the issue or threat be addressed satisfactorily and
fully through other mechanisms? Has DHS socialized the proposed
BOD subject with applicable stakeholders, such as CIO/Chief
Information Security Officer (CISO) councils?
What is the end-state of the proposed BOD?
What other operational requirements have been issued by way
of policy, guidance, and standards in relation to this BOD?
Does the BOD address or re-emphasize Federal programs such as
CDM, EINSTEIN, automated indicator sharing, etc.?
Is this BOD associated with the requirements for the content
of the annual reports required to be submitted by Federal
agencies?
Is this BOD associated with the requirements for reporting
incidents to the NCCIC?
In fiscal years 2015 and 2016, there were four BODs:
BOD 15-01.--In fiscal year 2015, the DHS Secretary issued the first
BOD, BOD 15-01, Critical Vulnerability Mitigation Requirement for
Federal Civilian Executive Branch Departments and Agencies' Internet-
Accessible Systems. It directs agencies to mitigate critical
vulnerabilities discovered by DHS's NCCIC through the NCCIC's scanning
of agencies' internet-accessible systems. Mitigation is required within
30 days of notification to the agencies of the vulnerabilities
discovered by the NCCIC. DHS assesses the effectiveness of this BOD by
monitoring mitigation time lines.
BOD 16-01.--On June 9, 2016, the DHS Secretary issued BOD 16-01,
Securing High-Value Assets, to require agency participation in risk and
vulnerability assessments as well as security architecture reviews
conducted by DHS on the high-value assets of agencies. It further
requires agencies to mitigate high-priority vulnerabilities discovered
during the risk and vulnerability assessments.
Agencies are required to report to DHS the status of mitigating
each high-priority vulnerability within 30 days of receiving a high-
value asset final assessment report from DHS, and every 30 days
thereafter until all high-priority vulnerabilities have been addressed.
The status report must state that the vulnerability has been mitigated
or explain the constraints preventing mitigation within 30 days and the
steps being taken by the agency to achieve mitigation.
BOD 16-02.--On September 27, 2016, the Secretary issued BOD 16-02,
Threat to Network Infrastructure Devices, to address several urgent
vulnerabilities in network infrastructure devices identified in an NCCIC
Analysis Report. Specifically, it addressed hacking tools targeting
firewalls, Cisco Adaptive Security Appliance, and Cisco ROM Monitor
Integrity. Throughout the directive's reporting period, agencies showed
progress and actively participated in interagency dialog.
BOD 16-03.--On October 17, 2016, the DHS Secretary issued BOD 16-
03, 2016 Agency Cybersecurity Reporting Requirements, to specify
reporting requirements for cyber incidents and the general information
security posture of agencies. FISMA requires agencies to report
cybersecurity incidents to DHS and to provide annual reports to OMB,
DHS, and Congress on the adequacy and effectiveness of information
security policies, procedures, and practices. FISMA further requires
the DHS Secretary to issue one or more BODs specifying requirements for
this reporting.
Question 2a. Under current law, each Federal agency head is
responsible for managing cyber risks to their own networks; however,
these agencies rely heavily on contractors to carry out programs,
activities, and operations.
Does DHS have visibility into how agencies manage the risk of
allowing Federal contractors and other individuals from outside the
organization to access sensitive data on Government networks?
Question 2b. What more could the Government be doing to mitigate
the risk that a virus or other harm will be inflicted unwittingly or
purposely by contractors authorized to access Federal networks?
Answer. The Department of Homeland Security (DHS) generally does
not have visibility into agency risk-management decisions related to
contractor access to information systems. Contractors are subject to
the suitability determinations of individual agencies and, more
generally, the guidelines included in the Federal Acquisition
Regulation. Standardizing the suitability guidelines and raising the
security clearance requirements for contractors that have access and/or
elevated privileges to sensitive and/or mission-critical systems and
data would provide an increased level of assurance of the trust granted
to contractors but would not eliminate the risk. At the same time,
additional requirements would increase entrance-on-duty wait times.
Question 3. I understand DHS and GSA are currently re-competing the
CDM contract, which will expire next year. Is DHS planning to use this
opportunity to make improvements to the CDM program and, if so, what
are the goals?
Answer. Given the dynamic nature of cybersecurity technology and
services, the Department of Homeland Security (DHS) is developing an
acquisition approach for the next set of task orders under CDM DEFEND
(previously described under the response to Question 5) that will allow
for easier execution of contractual actions. DHS expects this approach
will streamline responses to agency cyber needs, including the
procurement of tools, tool maintenance, and ancillary services. Task
orders under CDM DEFEND will be awarded for longer time periods,
allowing awardees an opportunity to become familiar with the agency
environments associated with the task order. This will enhance an
eventual awardee's ability to deliver expanded Continuous Diagnostics
and Mitigation (CDM) capabilities from any of the CDM phases. The goal
is to provide both the CDM program and agencies a flexible task order
that streamlines the ability to deliver CDM functionality based on
evolving threats and agency requirements.
Question 4. The acquisition vehicle for CDM, CMaaS (Continuous
Monitoring as a Service), was awarded in August 2013. Four years later,
Phase 1 of CDM's 4 Phases is still not complete. Given CDM's slow pace,
how does DHS expect it to deal with rapidly-evolving cyber threats?
Answer. Continuous Diagnostics and Mitigation (CDM) Phase 1
identified the complexity of network environments within agencies and
illustrated the true number of assets connected to agency networks.
Overall, this discovery detected 44 percent more assets connected to
agency networks than originally identified by agencies. In some cases,
agencies had more than 200 percent more assets on their networks than
originally identified. By deploying the continuous monitoring tools on
agency networks this year, the Federal Government is gaining greater,
near-real-time awareness of agency environments than has ever existed.
The under-reporting of assets and understanding of the uniqueness
and complexities associated with agency network environments presented
real challenges for the CDM program. As a result, changes had to be
proposed to Phase 1 procurement agency roll-out schedules to address
emerging cyber risks and agency complexities. CDM implementation has
also been dependent on limited labor resources of agencies as well as
the internal processes of agencies to deploy new technologies. An
additional challenge not anticipated was that contractors had to
undergo clearance determinations at both DHS and the agency supported.
The program and agencies alike have benefited from this awareness
and the lessons learned in working to reduce the complexity.
Additionally, as noted in the response to Questions 5 and 17, the next
contract vehicle will provide for flexibility and faster deployments if
an agency is able to support a faster pace. The program will forego the
time and expense of establishing a replacement BPA, and instead
leverage efficiencies established under GSA's Alliant GWAC for CDM
DEFEND.
Question 5. We all know what the bad guys seek to do: Steal or,
perhaps worse, alter data. Data Protection capabilities do not get
rolled out until Phase 4 of CDM. At the current pace, it could be 10
years before CDM completes Phase 4. What efforts, if any, are under way
to accelerate reaching the Data Protection Phase of CDM?
Answer. The President's fiscal year 2017 budget request included
funding for a newly-proposed Continuous Diagnostics and Mitigation
(CDM) Phase 4 to expand the CDM program to include additional tools and
services to protect sensitive and high-value asset data within agency
networks. While not fully funding the requested level, the fiscal year
2017 Consolidated Appropriations Act provided funds to begin the
planning activities necessary to define CDM Phase 4 in preparation for
an acquisition review in late fiscal year 2018.
There are fundamental technical steps that have to be in place
prior to focusing on the data, such as identifying the assurance level
on the user's identity and the degree of hardening and protections
within the infrastructure that holds the data. This is done through the
implementation of key parts of Phases 1, 2, and 3.
The CDM program and its customer agencies have devoted the last 2
years to building out the foundation for all cybersecurity work.
Addressing the ``what is on the network'' (Phase 1) and ``who is on the
network'' (Phase 2) are issues that had been challenging agencies for
more than a decade. CDM has made significant progress in the resolution
of these key capabilities over the past 2 years and can continue to
build on this for ``what is happening on the network'' (Phase 3) and
``protecting data on the network'' (Phase 4).
Question 6. In light of how rapidly cybersecurity tools are
developed and rolled out, is it possible that the tools being offered
in Phase 1 are already obsolete? What is the mechanism for refreshing
Phase 1 tools?
Answer. The tools provided through Phase 1 of Continuous
Diagnostics and Mitigation (CDM) offer current technology that is
critical to providing the fundamental real-time awareness of what is on
agency networks. The existing mechanism for adding approved products
will continue to ensure that the approved product list is able to
respond to the evolving marketplace. The program plans to continue
using an Approved Products List (APL). The program will only consider
products that have been placed on GSA's Information Technology (IT)
Schedule 70 contracts. The program will perform both conformance and
technical reviews prior to approval. Once approved, vendors will have
the opportunity to submit the product for inclusion on the GSA's newly-
created CDM Special Item Number (SIN), which will provide a contract
solution to maintain and then expand the CDM Product catalog. Open
season periods (available to all GSA IT Schedule holders) will be held
each month to allow for timely refresh. CDM is based on procuring
innovative, commercial-off-the-shelf products. It is important,
however, to be mindful of challenges related to product maturity, as
the CDM program does not want to deploy products that have not been
rigorously coded and tested. Products cannot be added to the CDM SIN
unless a product has been approved by the Program and added to the APL.
Initially, the APL will consist of all CDM products that have been
evaluated and approved on the CMaaS BPA. New products will be
continually added to the APL through a DHS evaluation process that
standardizes the evaluation of products to ensure conformance with DHS
developed criteria. While the DHS PMO will manage the APL, the CDM SIN
(contract administration and execution) will be managed by the GSA IT
Schedule 70 program office.
Question 7. We have heard of situations where an agency buys a
cybersecurity tool but never deploys it, commonly referred to as
``shelfware.'' What options has DHS considered for dealing with this
problem throughout the Federal Government and within its own
components? Are there vehicles--for instance, a CDM Task Order calling
on prime contractors to integrate shelfware--DHS could use to expedite
the deployment of much-needed cyber tools?
Answer. Agencies can consult with the Department of Homeland
Security regarding whether an existing tool, deployed or not, meets
Continuous Diagnostics and Mitigation (CDM) program requirements. CDM
publishes a product catalog through the General Services Administration
(GSA), available on-line, that identifies CDM-approved tools. The CDM
program has provided labor support to agencies who reported they
already had existing products but did not have them deployed. Since
these products were part of the CDM solution, it was deemed in the best
interest of the Government to ensure they did not remain ``shelfware.''
In future phases, CDM will continue to maintain approved product lists
that crosswalk CDM-approved tools to CDM capabilities. Additionally,
CDM will offer contract vehicles that agencies can use to fund
installation, configuration, and integration activities associated with
existing products already procured by agencies that remain compliant
with CDM requirements.
Question 8. From your vantage point, what are the benefits of
utilizing the acquisition innovation approaches, as developed by DHS's
Office of Procurement, for cybersecurity acquisitions?
Answer. The Department of Homeland Security (DHS) is leveraging
new, innovative approaches for cybersecurity acquisitions. For
instance, DHS's Procurement Innovation Lab was used to acquire the
EINSTEIN 3 Accelerated Service Extension contract. This contract was
awarded in record time with a significant negotiated reduction in cost
for the service.
Question 9a. As we learned from the 2015 OPM breach, a successful
intrusion against a Federal network may compromise sensitive data
stored in the recent past as well as data that is several years old. In
fact, many of the victims of the OPM breach had not worked for the
Federal Government in over a decade.
When a DHS employee leaves his or her position, what processes does
DHS follow to ensure that Sensitive but Non-classified information is
protected on that former employee's computer hard drive, cell phone,
badge, and other electronic media?
Answer. Each component is responsible for handling their own check-
out processing. DHS Headquarters (HQ) has an out-processing checklist
for personnel to follow. This includes reminders to turn in cell
phones, laptops, badges, travel cards, etc. For example:
Computer hard drive.--Laptop, desktop, and tablet computers
issued by HQ are asset-tagged items and require the return of
the item when a user departs. DHS HQ rewrites the computer hard
disk drive (HDD) during the imaging process for computers being
reutilized. For computers being decommissioned, the HDD is
removed and shredded by an authorized recycler.
Cell phone.--For all DHS HQ departing users, the cell phone
is retrieved and either factory wiped for reuse or it is
recycled whereby the phone is destroyed by an authorized
recycler.
Other electronic media:
External HDD.--External HDDs issued by DHS OCIO are asset-
tagged items and require the return of the item when a user
departs. DHS OCIO wipes the external HDD if the password is
provided, if no password is provided the external HDD is
shredded by an authorized recycler.
Question 9b. To what extent does DHS promote the adoption of cloud
services, minimizing the amount of data stored on Federal servers, and
proper destruction of hard drives?
Answer. DHS promotes the adoption of cloud services, for data
storage and processing. For instance, DHS is planning to adopt cloud
email, and DHS components have already migrated some information
systems into the cloud. While some specialized applications may need to
continue to remain on servers and hardened systems located in Federal
facilities, DHS and its components should be able to use cloud storage
to minimize the amount of data stored on Federal servers. DHS will
continue its current practice of properly destroying hard drives once
they are no longer needed.
Questions From Honorable James R. Langevin for Jeanette Manfra
Question 1a. In your written testimony, you note that the
Cybersecurity Act of 2015 required the application of available
EINSTEIN protections to all information traveling to or from Federal
information systems by December 2016. While the percentage of traffic
that is monitored has increased significantly, full protection has not
yet been achieved.
What obstacles has NPPD encountered in achieving a full
implementation of this system across all agencies?
Question 1b. How will NPPD address them?
Question 1c. What is the Department's plan for protecting networks
with E3A that are not served by traditional internet service providers?
Answer. The Cybersecurity Act of 2015 directs Federal agencies to
apply and continue to utilize the intrusion detection and prevention
capabilities made available by the Department of Homeland Security
(DHS) to all information traveling between an agency information system
and any information system other than an agency information system.
These intrusion detection and prevention capabilities made available by
DHS are known as EINSTEIN.
Agencies have made significant progress in applying and continuing
to utilize available EINSTEIN protections since the passage of the
Cybersecurity Act of 2015. Prior to passage of the Act, EINSTEIN 3A
protections covered approximately 38 percent of Federal civilian users.
Today, at least one of the EINSTEIN 3A protections is being utilized
by over 90 percent of the Executive branch civilian workforce. This
progress was also supported by engagement from DHS leadership. In May
2016, the DHS Secretary sent a letter to his peers at the largest
agencies requesting their full participation in EINSTEIN consistent
with the requirements in law. DHS continues to work with all remaining
Federal civilian agencies to facilitate their full participation in
EINSTEIN. At the same time, DHS is developing new capabilities and
conducting a strategic review of the program architecture in order to
provide even more protections for Federal agencies.
While considerable progress has been made since the passage of
legislation by Congress, there have been some obstacles to achieving
full implementation. For instance, due to unique network architectures,
autonomous components, and variations in internet service providers
(ISPs), large agencies took several weeks or months to fully on-board
all components. At the smaller agencies, while smaller network
footprints and the wide-spread use of managed trusted internet protocol
service make deployment easier, staff resources are limited and
deployment competes with their day-to-day operational requirements and
other cybersecurity initiatives. Among the smaller agencies, DHS
prioritized those that have been proactive and responsive as well as
those with regulatory and mission-critical responsibilities. Agencies
use different ISPs, with various levels of experience on-boarding
agencies, causing a delay for some. Finally, there were technical
challenges with accommodating a large and diverse customer set with
unique network infrastructure and technical concerns, such as Internet
Protocol version 6 and Domain Name System Security Extensions
capabilities, lack of consolidated Domain Name System, and outdated
infrastructure. Many agencies use third-party, cloud-based email
services. DHS may not be able to provision email filtering service for
all of those agencies due to a number of technical challenges; however,
work continues with the agencies and their service providers to
engineer solutions. DHS continues to work closely with agencies to
resolve technical challenges that arise during deployment of EINSTEIN
capabilities.
DHS has contracts with three major ISPs to provide EINSTEIN
services to Federal civilian Executive branch agencies. In some cases,
agencies receive service from an ISP other than one of those major
three. In such cases, DHS competitively awarded a contract to an ISP
that allows those agencies to route their traffic through a capability
that allows them to receive protections as well. This contract and
service is referred to as EINSTEIN 3A Service Extension.
Question 2a. The DHS Continuous Diagnostic and Mitigation program
is a step in the right direction to identify the devices and software
on our Federal networks and to enable timely corrective action.
What metrics has your organization identified for assessing the
effectiveness of these measures?
Question 2b. By what evidence were they selected?
Question 2c. With respect to CDM Phase IV:
What are the goals of Phase IV?
How were those goals selected?
What is the status of Phase IV implementation?
What is the time line for deployment of Phase IV technologies
across the .gov domain?
Answer. The success of the Continuous Diagnostics and Mitigation
(CDM) program will be assessed against several criteria, including the
extent to which Federal agencies use CDM tools, including the Federal
and agency-level dashboards, to prioritize cybersecurity risks and fix
the most significant vulnerabilities first. Additionally, CDM is
looking to achieve a measurable reduction of both the prevalence and
severity of cybersecurity incidents across Government networks, as a
result of the CDM tools deployed. The CDM program is refining how
success is measured and working to define a series of mission outcome
metrics to measure the impact and effectiveness of the program.
The first of these metrics is simply gaining a better understanding
of the total number of assets, or the overall cyber attack surface, in
agency network environments. Through the discovery process of CDM Phase
1, there was an overall approximate 44 percent increase in the total
number of assets on agency networks compared to what agencies had
previously known through manual tracking. In some agencies, the assets
identified were more than 200 percent greater than initially reported.
As CDM tools and technologies are deployed and integrated into the
agency network environments, the agencies will be able to baseline
their initial vulnerability and configuration cybersecurity posture
through their agency dashboard. Likewise, the Federal dashboard will
display cybersecurity posture across the agencies. From that baseline,
agencies and DHS will be able to measure improvements in vulnerability
patching and configuration hardening across the agencies. Already, DHS
has witnessed multiple examples of agencies prioritizing the patching
of critical and high-priority vulnerabilities as they gain better
visibility of their networks with CDM tools. Based on the experience of
agencies with strong continuous monitoring programs, agency cyber
hygiene should improve significantly.
DHS currently measures success of the CDM program through
collection and analysis of agency FISMA submissions. CDM's deployment
of Phase 1 tools resulted in noticeable improvement in performance
measures associated with hardware and software asset management,
configuration management, as well as vulnerability and patch
management. DHS will continue to measure effectiveness of CDM efforts
through continued collection and analysis of FISMA CIO and IG
performance measures.
CDM tools, other DHS capabilities, and risk management will help
agencies Identify, Protect, Detect, Respond, and Recover to cyber
threats. Already, the CDM program is working to develop measures of
system importance to capture a better understanding of the protections
in place for mission-essential and high-value systems. This measure of
impact, along with metrics for addressing boundary protections and data
protections on mobile devices and in the cloud, will allow the Federal
Government to continue to improve at measuring its cybersecurity risk
in real time. These efforts are informed by risk-scoring research done
by NIST, prior risk-scoring frameworks used by the agencies, and
industry risk-scoring approaches.
The President's fiscal year 2017 budget request included funding
for a newly-proposed Continuous Diagnostics and Mitigation (CDM) Phase
4 to expand the CDM program to include additional tools and services to
protect sensitive and high-value asset data within agency networks.
While not fully funding the requested level, the fiscal year 2017
Consolidated Appropriations Act provided funds to begin the planning
activities necessary to define CDM Phase 4 in preparation for an
acquisition review in late fiscal year 2018.
There are fundamental technical steps that have to be in place
prior to focusing on the data, such as identifying the assurance level
on the user's identity and the degree of hardening and protections
within the infrastructure that holds the data. This is done through the
implementation of key parts of Phases 1, 2, and 3.
Question 3a. During your testimony, you noted that two of the
Binding Operational Directives (BODs) were closed and two remain open
to continue measuring their effectiveness.
What were the closure criteria for BOD-16-02 and BOD-16-03?
When did each agency meet those criteria?
When were the BODs closed?
What is the current percentage of critical vulnerabilities that
remain unmitigated? What percentage of critical vulnerabilities were
left in place with a justification?
Question 3b. What is the current state of implementation of BOD-15-
01 and BOD-16-01?
Question 3c. With respect to implementing all of the BODs:
What are the most and least responsive agencies?
What is the average time for compliance?
Answer. The Secretary of Homeland Security (DHS), in consultation
with the director of the Office of Management and Budget, has the
authority to develop and oversee the implementation of binding
operational directives (BODs). The statute includes specific topics for
BODs, including requirements for reporting security incidents to DHS's
National Cybersecurity and Communications Integration Center (NCCIC),
requirements for the contents of the annual Federal Information
Security Modernization Act (FISMA) reports, requirements for the
mitigation of exigent risks to information systems, and other
operational requirements as the Office of Management and Budget (OMB)
or DHS, in consultation with OMB, may determine necessary.
In fiscal years 2015 and 2016, there were four binding operational
directives:
BOD 15-01.--In fiscal year 2015, the Secretary issued the first
BOD, BOD 15-01, Critical Vulnerability Mitigation Requirement for
Federal Civilian Executive Branch Departments and Agencies' Internet-
Accessible Systems. It directs agencies to mitigate critical
vulnerabilities discovered by DHS's National Cybersecurity and
Communications Integration Center (NCCIC) through the NCCIC's scanning
of agencies' internet-accessible systems. Mitigation is required within
30 days of notification to the agencies of the vulnerabilities
discovered by the NCCIC. DHS assesses the effectiveness of this BOD by
monitoring mitigation time lines. This BOD will remain open given that
vulnerability scanning occurs regularly and is on-going.
BOD 16-01.--On June 9, 2016, the Secretary issued BOD 16-01,
Securing High-Value Assets, to require agency participation in risk and
vulnerability assessments as well as security architecture assessments
conducted by DHS on agencies' high-value assets. It further requires
agencies to mitigate high-priority vulnerabilities discovered during
the risk and vulnerability assessments.
Agencies are required to report to DHS the status of mitigating
each high-priority vulnerability within 30 days of receiving a high-
value asset final assessment report from DHS, and every 30 days
thereafter until all high-priority vulnerabilities have been addressed.
The status report must state that the vulnerability has been mitigated
or explain the constraints preventing mitigation within 30 days and the
steps being taken by the agency to achieve mitigation. This BOD will
remain open given ongoing assessments of high-value assets.
BOD 16-02.--On September 27, 2016, the Secretary issued BOD 16-02,
Threat to Network Infrastructure Devices, to address several urgent
vulnerabilities in network infrastructure devices identified in a NCCIC
Analysis Report. Specifically, it addressed hacking tools targeting
firewalls, Cisco Adaptive Security Appliance, and Cisco ROM Monitor
Integrity. Throughout the directive's reporting period, agencies showed
progress and actively participated in interagency dialog.
BOD 16-02 required all Federal agencies to perform actions
specified in the NCCIC's Analysis Report within 45 days, to report full
mitigation or a detailed plan of action and milestones, and to provide
monthly updates until full mitigation is achieved. Federal agencies
promptly began taking action by implementing solutions or compensating
controls, and reporting to DHS on a monthly basis. Though not all
agencies have fully mitigated certain vulnerabilities, all have made
significant progress and are reporting status and constraints to DHS as
required. At this time, a very small percentage of potentially impacted
devices have yet to be reported by the agencies as fully mitigated.
BOD 16-03.--On October 17, 2016, the Secretary issued BOD 16-03,
2016 Agency Cybersecurity Reporting Requirements, to specify reporting
requirements for cyber incidents and the general information security
posture of agencies. The Federal Information Security Management Act of
2014 (FISMA) requires agencies to report cybersecurity incidents to DHS
and to provide annual reports to OMB, DHS, and Congress on the adequacy
and effectiveness of information security policies, procedures, and
practices. FISMA further requires the Secretary to issue one or more
BODs specifying requirements for this reporting. Federal agencies
coordinated with DHS to prepare for the updates to the Federal Incident
Notification guideline changes. The directives in this BOD remain in
effect for the remainder of fiscal year 2017.
Regarding the responsiveness of agencies to requirements of BODs,
all agencies are compliant with the communication requirements and are
responsive to DHS requests for information. Agencies have been making
steady progress toward mitigating vulnerabilities and working to
fulfill the requirements of the BODs. In some cases, certain network
and system constraints have been affecting the time frame for
fulfilling requirements in BODs. Agencies have been working through
such constraints by implementing compensating controls or are working
with their leadership to determine long-term solutions while reporting
status to DHS per the requirements in the BODs. In general, most
agencies have been able to mitigate identified vulnerabilities within
the initial time frames mandated by specific BODs. For the remaining
agencies, all have provided regular updates and are in contact with the
DHS team as they continue to close out remaining actions.
Question 4a. With respect to the issuance of BODs:
Which office(s) generates proposals for BODs?
Question 4b. What criteria are applied to determine whether a BOD
should be issued?
Question 4c. What criteria are applied to determine when a BOD
should be issued?
Question 4d. Is there any interagency consultation before a BOD is
issued? What is the nature of the consultation, if it exists?
Question 4e. Does the Secretary consult with the Office of
Management and Budget before issuing a BOD? Any other component of the
Executive Office of the President?
Question 4f. Has the idea for a BOD ever originated outside of the
Department of Homeland Security?
Answer. The Secretary of Homeland Security (DHS), in consultation
with the director of the Office of Management and Budget, has the
authority to develop and oversee the implementation of binding
operational directives (BODs). The statute includes specific topics for
BODs, including requirements for reporting security incidents to DHS's
National Cybersecurity and Communications Integration Center (NCCIC),
requirements for the contents of the annual Federal Information
Security Modernization Act (FISMA) reports, requirements for the
mitigation of exigent risks to information systems, and other
operational requirements as the Office of Management and Budget (OMB)
or DHS, in consultation with OMB, may determine necessary.
DHS, acting through the National Protection and Programs
Directorate, identifies risks or requirements to be addressed through
BODs. DHS also accepts ideas for potential BODs from entities, such as
the Federal Chief Information Officer (CIO) Council, independent
security researchers, or other partners. As needed, DHS may convene a
group of subject-matter experts from Federal agencies, OMB, and the
National Institute of Standards and Technology (NIST) to consider the
relative merits of particular risks in order to determine the
appropriateness of a given BOD or determine the prioritization of
different BODs.
Generally, when determining whether a certain issue is appropriate
for a BOD, DHS considers the following questions:
Is the proposed BOD related to an active threat? If so, what
is the scope and magnitude of the problem?
Is the proposed BOD related to a potential identified risk?
What category/schedule does the potential BOD fit into
(planned, escalation of issue, or emergency)?
Is this issue specific to a particular Federal agency or
could it be applicable across the civilian Federal Executive
branch?
What is the difficulty to exploit the vulnerability?
Is the issue/subject Sensitive or Classified?
Are external events or threat intelligence driving the need
for or request of the proposed BOD?
Can the proposed BOD be measured and validated by DHS?
Could the issue or threat be addressed satisfactorily and
fully through other mechanisms?
Has DHS socialized the proposed BOD subject with applicable
stakeholders, such as CIO/Chief Information Security Officer
(CISO) councils?
What is the end-state of the proposed BOD?
What other operational requirements have been issued by way
of policy, guidance, and standards in relation to this BOD?
Does the BOD address or re-emphasize Federal programs such
as CDM, EINSTEIN, automated indicator sharing (AIS), etc.?
Is this BOD associated with the requirements for the content
of the annual reports required to be submitted by Federal
agencies?
Is this BOD associated with the requirements for reporting
incidents to the NCCIC?
Questions From Honorable Val Demings for Jeanette Manfra
Question 1. What actions is DHS taking to advance the
implementation of CDM tools and capabilities at Federal agencies?
In particular, is the Department providing technical training to
agency system administrators on the use of the CDM tools so they know
how to effectively and optimally use the tools to diagnose and mitigate
vulnerabilities?
Answer. The Continuous Diagnostics and Mitigation (CDM) program
anticipated training requirements for operation and management of
capabilities. Training requirements were included in the contract
solicitation. All CDM integrators are required to provide sufficient
training to enable agencies to transition the CDM tools to agency
operation once the integrator contract is completed.
Funds available for training are limited, and experience is showing
that agencies are requesting more detailed, sustained training options.
As such, one area where additional training is under development is for
the use of the agency dashboard. CDM is developing on-line, hands-on
workshops in fiscal year 2017 to assist agencies with understanding how
to use the CDM agency dashboard. It should be noted that CDM program-
funded training is intended to get agencies transitioned from CDM tool
implementation to agency operations. Cybersecurity operations and
sustainment is ultimately the responsibility of each agency, and it is
the agency's responsibility to engage with DHS to fully utilize
available resources.
Question 2. What feedback mechanism does DHS have for soliciting
and receiving comments from agencies on their experience with the CDM
program?
Based on that feedback, what benefits and challenges have the
agencies identified with the program?
Answer. During the summer of 2016, the Federal Chief Information
Officer (CIO) held a CyberStat on the Continuous Diagnostics and
Mitigation (CDM) program. The CyberStat included program documentation
review, interviews conducted by Office of Management and Budget (OMB)
staff with several agencies, and meetings between the Federal CIO and
the CIO or Chief Information Security Officer (CISO) of each agency.
This CyberStat was a valuable source of feedback. The Federal CIO noted
that ``all participants expressed support for the security objectives
of the program and emphasized their commitment to procuring CDM Phase 1
tools.''
Other benefits included:
Establishing a consistent approach toward information
security continuous monitoring of networks across the Federal
civilian agency enterprise. The Federal Information Security
Management Act (FISMA) of 2002 requires agencies to provide
security for the networks that support the operations and
assets of their agency. The Federal Information Security
Modernization Act of 2014 reiterates those requirements and
codifies the Department of Homeland Security's (DHS) authority,
in consultation with OMB, to administer the implementation of
information security policies and practices for civilian
agencies. Through CDM, agencies receive a significant
investment by DHS to boost previous efforts and, in many
instances, are able to achieve an internally consistent
enterprise approach, allowing them to leverage similar product
knowledge, subject-matter expertise, and technical support
across the agency.
Pioneering an innovative acquisition approach by combining
agencies into groups for similar requirements and project
efficiencies. By grouping agencies, CDM is achieving economies
of scale and reducing pricing for labor and products. To date,
CDM has achieved cost avoidance of $600 million on products
over the Schedule 70 pricing.
Leveraging a consistent system engineering life cycle,
tailored from DHS.
Establishing an approach toward supply chain risk management
across the Federal civilian Government enterprise. To date, the
program has applied secure delivery controls for well over 1
million products delivered to participating agencies.
Challenges identified by some agencies included issues such as:
Asset and infrastructure gaps, agency governance and management
challenges, integrator project management challenges, training and
knowledge management, entrance on duty requirements, and selection of
tools and requirements. With regard to the identified gaps, agencies
noted that CDM revealed a significant number of new end-points, and
unplanned infrastructure upgrades and modernization may be required to
support new CDM tool deployments. These activities resulted in budget
implications for agencies. Further, since additional end-points were
identified, future-year license maintenance costs will increase, adding
additional pressure to future budgets. Governance challenges include
the need for CIO engagement and leadership with clear project
management. Integrator project management challenges were identified as
requiring proactive engagement and communications with the agencies,
and well-documented plans, schedules, etc. The program worked closely
with each integrator to ensure plans and schedules were clearly
communicated on a timely basis.
The CDM program office has worked with OMB on the next steps,
including implementing improvements and addressing concerns, as
appropriate. Moving forward, CDM has established a Customer Advisory
Forum (CAF) comprised of CISOs, or designees, from each agency in order
to receive feedback on topics of interest and concern. The CAF will
continue to meet on a bi-monthly basis and will serve as the focal
point for interagency collaboration related to CDM planning and
implementation, including customer proposals and adoption,
organizational and technical challenges, acquisition planning, and
capability integration priorities.
Question 3a. GAO made nine recommendations in January 2016 to DHS
to enhance the functionality of the EINSTEIN program.
What is the status of DHS efforts to implement those
recommendations?
Question 3b. When does the Department expect to fully implement
them?
Answer. The nine recommendations made by the Government
Accountability Office (GAO) and a status update for each are provided
below.
Recommendation 1.--``NSD [Network Security Deployment] to determine
the feasibility of enhancing NCPS's [National Cybersecurity Protection
System's] current intrusion detection approach to include functionality
that would detect deviations from normal network behavior baselines.''
The Department of Homeland Security (DHS) concurred with this
recommendation. DHS acknowledges that it must rapidly identify, pilot,
and deploy new technologies and solutions that effectively detect and
block previously unknown threats. DHS continues to conduct an anomalous
analytics capability that directly addresses the recommendation to
``detect deviations from normal network behavior baselines.'' DHS has
determined that the technology and architectural approach to deploying
such a capability within the NCPS is feasible. In order to
operationalize this pilot capability and deliver a production version,
additional contract resources are required.
Recommendation 2.--``NSD to determine the feasibility of developing
enhancements to current intrusion detection capabilities to facilitate
the scanning of encrypted, SCADA, and IPv6 traffic.''
DHS concurred with this recommendation. DHS has been conducting an
analysis on Security on Encrypted Traffic (SonET) to better understand
options for addressing the challenges of encrypted traffic and engaging
with the broader standards community to ensure this is being addressed
at a broader industry level. The SonET analysis study is on-going and
expected to last through the fourth quarter of fiscal year 2017.
DHS continues to discuss SCADA traffic with its ICS-CERT to get a
better understanding of SCADA traffic that passes through network
gateways. These discussions remain on-going.
NCPS intrusion detection (EINSTEIN 1 and EINSTEIN 2) sensors are
capable of scanning Internet Protocol version six (IPv6) traffic. The
NCPS program is continuing to work with the internet service providers
(ISPs) providing NCPS intrusion prevention (EINSTEIN 3) capabilities as
they finalize their plans to fully support IPv6. An implementation plan
that would address all ISP schedules is expected in the third quarter
of fiscal year 7.
Recommendation 3.--``US-CERT to update the tool it uses to manage
and deploy intrusion detection signatures to include the ability to
more clearly link signatures to publicly-available, open-source data
repositories.''
DHS concurred with this recommendation. DHS developed a capability
to meet the spirit of this recommendation, and GAO is working to
formally close out this recommendation.
Recommendation 4.--``US-CERT to consider the viability of using
vulnerability information, such as data from the Continuous Diagnostics
and Mitigation program as it becomes available, as an input into the
development and management of intrusion detection signatures.''
DHS concurred with this recommendation. The data available from the
Continuous Diagnostics and Mitigation (CDM) program will be directly
relevant to prioritization of signatures. The CDM collection sensors
will allow analysts to view software vulnerabilities correlated with
deployments at specific agencies. Based on this information, DHS may
prioritize signature development based on known exposure rates at an
agency to detect instances of intrusions and when possible to block
intrusions. The CDM data may be combined with known vulnerability
findings from DHS's National Cybersecurity and Communications
Integration Center (NCCIC) and known threats to further prioritize
signature development, as necessary. The overall signature development
process and prioritization needs to take into account victim exposure,
threat prevalence, and criticality of vulnerabilities in managing risk.
The data will be viable once CDM is operational and reporting to the
Federal dashboards. As additional CDM data becomes available, DHS will
work with GAO to close out this recommendation.
Recommendation 5.--``US-CERT to develop a time table for finalizing
the incident notification process, to ensure that customer agencies are
being sent notifications of potential incidents, which clearly solicit
feedback on the usefulness and timeliness of the notification.''
DHS concurred with this recommendation. DHS regularly solicits
feedback from Federal agencies on the timeliness and usefulness of
incident reporting. To better support feedback and data quality from
Federal agencies, DHS, in coordination with the Office of Management
and Budget (OMB), has completed updates to the Incident Reporting
Guidelines in order to resolve previously-mentioned process concerns.
New data quality activities are now in place as of January 2017.
Additional updates are under development to add a feature change for
user feedback following incident ticket closure. This feature is
expected to be implemented by October 2017.
Recommendation 6.--``The Office of Cybersecurity and Communications
(CS&C) to develop metrics that clearly measure the effectiveness of
NCPS's efforts, including the quality, efficiency, and accuracy of
supporting actions related to detecting and preventing intrusions,
providing analytic services, and sharing cyber-related information.''
DHS concurred with this recommendation. In general, cybersecurity
metrics remain an area of active research in both Government and
industry, and DHS is exploring opportunities to engage with the
research community as well. DHS continues to develop metrics. Several
output and outcome metrics have been identified. The NCCIC is
continuing to baseline one of the measures related to EINSTEIN 3
Accelerated for a possible fiscal year addition to the Government
Performance and Results Act set of measures.
DHS is working to develop a second set of measures focused on
information sharing. As part of its customer feedback process, DHS is
exploring how its public and private-sector recipients of information
measure the value of cyber threat indicators and defensive measures.
Work on this response is on-going.
Recommendation 7.--``CS&C to develop clearly-defined requirements
for detecting threats on agency internal networks and at cloud service
providers to help better ensure effective support of information
security activities.''
DHS concurred with this recommendation. This recommendation will be
in large part addressed by Continuous Diagnostics and Mitigation (CDM)
Phase 3, which will provide agencies with tools to help them understand
what is happening on their network and identify anomalous activity.
However, DHS's responsibility in Federal cybersecurity is inherently
limited by law and policy. Each agency retains responsibility for
implementing an effective defense-in-depth strategy to protect their
networks. To this end, DHS requires each agency's consent prior to
providing any cybersecurity assistance or services, including CDM and
EINSTEIN.
Recommendation 8.--``NSD to develop processes and procedures for
using vulnerability information, such as data from the CDM program as
it becomes available, to help ensure DHS is using a risk-based approach
for the selection/development of future NCPS intrusion prevention
capabilities.''
DHS concurred with this recommendation. As CDM is focused on
monitoring the internal assets of an agency's network and NCPS's
EINSTEIN is positioned on the external network boundary, combining data
from both programs will allow DHS to understand potentially malicious
activity that cannot be understood by either program in isolation. As
CDM data becomes available, DHS will correlate data from EINSTEIN and
CDM to enhance NCPS's EINSTEIN capabilities, either by enriching
indicators or by identifying future intrusion prevention capabilities.
In preparation of future integration efforts, DHS continues to enhance
the data correlation model of NCPS and CDM. Work is expected to
continue in fiscal year and will be enhanced as more data becomes
available from the CDM program.
Recommendation 9.--``NSD to work with their customer agencies and
the internet service providers to document secure routing requirements
in order to better ensure the complete, safe, and effective routing of
information to NCPS sensors.''
DHS concurred with this recommendation. DHS has been collaborating
with the Federal agencies to address their challenges with routing
traffic through their Trusted Internet Connection (TIC) gateways, to
include development of alternative approaches for routing Government
network traffic more efficiently, while maintaining the DHS-required
situational awareness. The DHS TIC program has been working closely
with OMB to develop a TIC Action Plan outlining the activities and
objectives to develop the next generation TIC Reference Architecture.
This document will serve as the new guidance for agencies on perimeter
security capabilities as well as alternative routing strategies. It is
expected that all Federal agencies will be invited to participate in
this effort, providing feedback on their challenges. At the conclusion
of this effort, OMB will update policy to align with the new TIC
Reference Architecture.
OMB has also been working in parallel on developing cloud policies.
A Security Architecture Tiger Team consists of agency stakeholders,
including DHS, to develop a broader security strategy for agency cloud
adoption. The expectation is that the TIC and cloud policies would be
aligned. In addition, DHS is working to incorporate the alternative
routing strategies approaches into its future technical roadmap.
Also of note, DHS has been working closely with the General
Services Administration (GSA) on incorporating cybersecurity
requirements into the next generation GSA EIS contract (formerly
referred to as Networx 2020). Agencies will use this contract to
procure internet and telecommunications services. By baking in security
requirements for internet service providers and telecommunications
carriers, it should reduce the re-engineering and design efforts
currently burdening the agencies. The second round of evaluations is
currently under way.
Questions From Chairman John Ratcliffe for Gregory C. Wilshusen
Question 1. At the hearing we discussed DHS's NCPS and CDM
programs. What other actions can DHS take to assist Federal agencies
with protecting their information and information systems?
Answer. DHS can enhance or expand its capabilities to share
information on cyber threats with Federal agencies. As we reported in
May 2016, 15 of 18 Federal agencies that we surveyed indicated that a
lack of Government-wide information-sharing mechanisms limited their
ability to identify cyber threats to a great or moderate extent.\1\
DHS, in its role as the Federal civilian interface for sharing cyber
threat indicators and cybersecurity risks among Federal and non-Federal
entities, manages the Automated Indicator Sharing program which was
created to provide real-time sharing of cyber threat indicators and
defensive measures. As we reported in February 2017, DHS officials
stated that seven Federal agencies were connected to the program as of
August 2016.\2\ Expanding this program to all 24 Federal agencies
covered by the Chief Financial Officers Act,\3\ which DHS officials
said they were doing, could improve the cyber threat information
available to those agencies.
---------------------------------------------------------------------------
\1\ GAO, Information Security: Agencies Need to Improve Controls
Over Selected High-Impact Systems, GAO-16-501 (Washington, DC: May
2016). The 18 agencies we surveyed were those departments and agencies
covered by the Chief Financial Officers Act that also reported having
high-impact systems. High-impact systems are those for which the agency
has determined that the loss of the confidentiality, integrity, or
availability of the information or information system could result in
severe or catastrophic harm to the organization's operations, assets,
or personnel.
\2\ GAO, Cybersecurity: DHS's National Integration Center Generally
Performs Required Functions but Needs to Evaluate Its Activities More
Completely, GAO-17-163 (Washington, DC: February 2017).
\3\ The 24 departments and agencies covered by the Chief Financial
Officers Act are the Departments of Agriculture, Commerce, Defense,
Education, Energy, Health and Human Services, Homeland Security,
Housing and Urban Development, the Interior, Justice, Labor, State,
Transportation, the Treasury, and Veterans Affairs; the Environmental
Protection Agency, General Services Administration, National
Aeronautics and Space Administration, National Science Foundation,
Nuclear Regulatory Commission, Office of Personnel Management, Small
Business Administration, Social Security Administration, and U.S.
Agency for International Development.
---------------------------------------------------------------------------
DHS can also issue binding operational directives that require
agencies to take specific actions to safeguard Federal systems and
information from a known or reasonably-suspected information security
threat, vulnerability, or risk. The Federal Information Security
Modernization Act of 2014 (FISMA)\4\ authorizes the Secretary of
Homeland Security to administer the implementation of agency
information security policies and practices for information systems,
including developing and overseeing the implementation of binding
operational directives. The directives are compulsory directions to an
agency to implement policies, standards, and guidelines developed by
the Director of the Office of Management and Budget and can include
requirements for the mitigation of exigent risks to information
systems. As of March 2017, 27 months after receiving this authority,
DHS has issued four directives.
---------------------------------------------------------------------------
\4\ (Pub. L. No. 113-283, Dec. 18, 2014).
---------------------------------------------------------------------------
In addition, DHS can provide operational and technical assistance
to agencies in implementing policies, principles, standards, and
guidelines on information security by developing and conducting
targeted operational evaluations, including threat and vulnerability
assessments, on the agencies' information systems. Authorized by FISMA,
these assessments can provide agencies with information on how to
harden their security and identify the signs that an attacker is on
their network.
Further, DHS can continue to participate in CyberStat reviews. As
explained in my written testimony statement, these reviews are in-depth
sessions with National Security Staff, OMB, DHS, and an agency to
discuss that agency's cybersecurity posture and opportunities for
collaboration. According to OMB, these interviews are face-to-face,
evidence-based meetings intended to ensure that agencies are
accountable for their cybersecurity posture. The sessions are to assist
the agencies in developing focused strategies for improving their
information security posture in areas where there are challenges.\5\
---------------------------------------------------------------------------
\5\ GAO, Information Security: DHS Needs to Continue to Advance
Initiatives to Protect Federal Systems, GAO-17-518T (Washington, DC:
March 2017).
---------------------------------------------------------------------------
Question 2. What does DHS need to consider to ensure CDM objectives
and requirements keep pace with the rapidly-evolving nature of cyber
threats?
Answer. DHS needs to consider the adaptability and flexibility of
the tools and services it offers to agencies under the CDM program. The
program is to provide agencies with the tools and services to identify
cybersecurity risks on an on-going basis, prioritize these risks based
on potential impacts, and enable cybersecurity personnel to mitigate
the most significant problems first. CDM tools include sensors that
perform automated searches for known cybersecurity vulnerabilities, the
results of which can feed into a dashboard that alerts network
managers. Because of the rapidly-evolving nature of cyber threats and
the continual discovery of new vulnerabilities in information systems,
DHS needs to ensure that CDM tools can be refreshed or updated on a
regular basis to reflect the current state of cyber threats and
vulnerabilities. Associated with this capability is the need to ensure
that there is a mechanism for delivering system updates to the tools
that have been deployed at Federal agencies.
In addition, as we recommended in January 2016, DHS should consider
the viability of using vulnerability data garnered through the CDM
program as it becomes available as an input into the development and
management of intrusion detection signatures for the EINSTEIN intrusion
detection/intrusion prevention system. DHS concurred with our
recommendation and indicated that it was working to implement this
recommendation.
Question 3. One of the priorities of this committee is to ensure
the Federal Government is effectively leveraging innovative
cybersecurity technologies. The private sector today is able to readily
leverage the latest security services through commercial cloud
capabilities. What role should DHS play in helping Federal agencies
consider and potentially migrate to the cloud?
Answer. As one of three members of the Federal Risk and
Authorization Management Program's (FedRAMP)\6\ Joint Authorization
Board, the DHS Chief Information Officer (CIO) plays a key role in
helping Federal agencies consider and potentially migrate to the cloud.
The board defines and establishes the FedRAMP baseline system security
controls and the accreditation criteria for third-party assessment
organizations. The DHS CIO and other board members help ensure that
baseline security controls are incorporated into consistent and
repeatable processes for security assessment and authorizations of
cloud service providers. In this way, the DHS CIO helps agencies
achieve a level of assurance regarding the security controls
implemented by cloud service providers that receive a board provisional
authority to operate.
---------------------------------------------------------------------------
\6\ FedRAMP is a Government-wide program intended to provide a
standardized approach to security assessment, authorization, and
continuous monitoring for cloud computing products and services.
---------------------------------------------------------------------------
In addition, DHS can assist agency migration to the cloud by:
assisting Government-wide and agency-specific efforts to
provide adequate, risk-based, and cost-effective cybersecurity;
coordinating cybersecurity operations and incident response;
developing continuous monitoring guidelines for on-going
cybersecurity of Federal information systems; and
developing guidance on agency implementation of the Trusted
Internet Connection program \7\ with cloud services.
---------------------------------------------------------------------------
\7\ The Trusted Internet Connection program is intended to improve
security by reducing and consolidating agency external network
connections and by providing centralized monitoring at a select group
of access providers.
---------------------------------------------------------------------------
Questions From Honorable James Langevin for Gregory C. Wilshusen
Question 1. In your written testimony you spoke to the challenges
that DHS has in securing and defending the .gov domain.
Are these issues driven by a lack of authority, resources, or
execution?
Answer. DHS efforts in securing and defending the .gov domain have
been hampered, in part, by execution shortfalls. For example, as we
reported in January 2016, DHS's National Cybersecurity Protection
System (NCPS) was partially, but not fully, meeting its stated
objectives. The system's ability to detect potentially malicious
activity entering or exiting computer networks at Federal agencies was
limited because DHS did not design the system to: (1) Monitor all types
of network traffic, (2) detect variations from pre-defined baselines of
normal network activity, or (3) detect malicious traffic that exploits
many common security vulnerabilities.
In addition, the Department had not implemented an effective
information-sharing mechanism for alerting agencies to potentially
malicious traffic entering their networks or for receiving feedback on
the usefulness of the alerts. DHS also had not developed or provided
guidance to agencies on how to route network traffic securely through
the NCPS's sensors, resulting in some network traffic bypassing the
sensors. As a result of these execution shortfalls, DHS had limited
assurance that the system could be effective in securing and defending
the .gov domain.
Question 2. What executive or legislative measures can be taken to
ensure that we have adequate talent within the Government to address
the increasing cyber threat?
Answer. Several Executive branch initiatives have been launched and
Federal laws enacted that address the Federal cybersecurity workforce.
For example, in July 2016, the Office of Personnel Management and the
Office of Management and Budget issued a strategy with goals, actions,
and time lines for improving the cybersecurity workforce. In addition,
laws such as the Federal Cybersecurity Workforce Assessment Act of 2015
require agencies to identify IT and cyber-related positions of greatest
need. Further, other on-going activities have the potential to assist
agencies in developing, recruiting, and retaining an effective
cybersecurity workforce. For example:
Promoting cyber and science, technology, engineering and
mathematics (STEM) education.--A center funded by DHS developed
a kindergarten to 12th grade-level cyber-based curriculum that
provides opportunities for students to become aware of cyber
issues, engage in cyber education, and enter cyber career
fields.
Cybersecurity scholarships.--Programs such as Scholarship
for Service provide tuition assistance to undergraduate and
graduate students studying cybersecurity in exchange for a
commitment to Federal service.
National Initiative for Cybersecurity Careers and Studies.--
DHS, in partnership with several other agencies, launched the
National Initiative for Cybersecurity Careers and Studies in
2013 as an on-line resource to connect Government employees,
students, educators, and industry with cybersecurity training
providers across the Nation.
If effectively implemented, these initiatives, laws, and activities
could further agencies' efforts to establish the cybersecurity
workforce needed to secure and protect Federal IT systems.
Question 3. What specific challenges does DHS face in protecting or
assisting the protection of .gov assets that are owned by other
agencies?
Answer. One of the challenges DHS may face in protecting or
assisting the protection of .gov assets that are owned by other
agencies is having limited insight into what .gov assets the agencies
actually own. Agencies may not have complete inventories of the
hardware, software, and firmware on their networks. Additionally, if
the agencies do have such inventories, they may be reluctant to share
them with DHS.
Another challenge is that DHS may lack visibility into the
architecture and structure of the agencies' computing environments,
networks, and interconnections with other networks. Agencies may not be
willing to allow DHS access to scan and monitor their internal networks
thereby limiting DHS's capability to have first-hand knowledge of the
security configurations of the networks.
Questions From Chairman John Ratcliffe for Chris Jaikaran
Question 1. At the hearing we discussed DHS's NCPS and CDM
programs. What other actions can DHS take to assist Federal agencies
with protecting their information and information systems?
Answer. The National Cybersecurity Protection System (NCPS) monitors
and analyzes traffic between the public internet and agency networks. With
certain tools, NCPS may also block malicious internet traffic. The
Continuous Diagnostics and Mitigation (CDM) program scans agency
networks to discover what is operating on those networks and
information about those devices. The results of those scans are
combined with threat intelligence to assist system administrators in
prioritizing which updates to apply and on which systems to focus.
Actions that DHS may take to assist
Federal agencies with protecting their information and information
systems may be considered under two constructs: What the Department may
do under existing law; and those for which the Department would need
additional Congressional support to perform (either in resources or
authorization).
First, under existing authorities and resources, DHS has options to
further assist agencies. DHS was granted authorities under the National
Cybersecurity Protection Act of 2014 (Pub. L. 113-282) and the
Cybersecurity Act of 2015 (Pub. L. 114-113) to provide technical
assistance, incident response, and information-sharing capabilities to
both Federal and non-Federal entities. The Federal Information Security
Modernization Act (Pub. L. 113-283, otherwise known as FISMA) provided
further guidance on the scope and type of technical assistance DHS may
provide to Federal entities. Such assistance may include conducting
evaluations of agency networks to determine how vulnerable systems are,
analyzing data on agency networks, and providing technologies to
mitigate threats with or without reimbursement. FISMA further allows
DHS to issue binding operational directives (BODs). BODs are memoranda
from the Secretary of Homeland Security to other Department and agency
heads compelling them to take action to secure information technology
systems. DHS may exercise any of these authorities with greater
frequency or through novel approaches to further assist agencies. For
instance, DHS may opt to issue BODs for a greater number of security
purposes. However, depending on the type of activity required by that
BOD, DHS may lack a way of independently verifying agency compliance
with the required action. Without that verification and subsequent
reporting to OMB on compliance, future BODs run the risk of being
ignored by the agencies. DHS could alternatively opt to prioritize on-
site technical assistance to Federal agencies so the agency may use
analysts to hunt for and identify security vulnerabilities and develop
a custom plan to address those vulnerabilities. However, prioritizing
these types of services to Federal agencies could result in fewer of
these types of services being available for the private sector, because
DHS has a limited number of teams (the DHS fiscal year budget
justification requested additional funds for more teams).\1\
---------------------------------------------------------------------------
\1\ Jeh Johnson, ``Remarks by Secretary of Homeland Security Jeh C.
Johnson on the State of Homeland Security,'' speech, February 11, 2016,
at https://www.dhs.gov/news/2016/02/11/remarks-secretary-homeland-
security-jeh-c-johnson-state-homeland-security.
---------------------------------------------------------------------------
Options exist which would require additional Congressional action
for DHS to provide further assistance to agencies. FISMA allows for DHS
to provide technologies to mitigate threats to agencies with or without
reimbursement. To date, DHS provides monitoring of traffic coming in
and out of agency networks, but not for system activity inside the
external perimeter of an agency network. DHS's CDM program discovers
end-points and vulnerabilities on end-points inside that perimeter, but
does not look for malicious activity on-going inside the network.
Discovering malicious activity inside an agency's network may be an
area where DHS can expand its portfolio of protection technologies--
borrowing from the NCPS and CDM models to build and procure tools, and
manage the deployment and operations of those tools once installed at
agencies. Alternatively, DHS could spend additional resources and
bolster the programs they currently operate. A criticism of NCPS is
that it is a signature-based system; the system relies on having
previously seen an indicator of the bad traffic before taking action.
DHS is currently conducting a pilot program on non-signature-based
solutions for NCPS.\2\ Additional resources could be applied to expand
this program so that a greater number of agencies may more rapidly take
advantage of it.
---------------------------------------------------------------------------
\2\ Jeanette Manfra, ``Regarding Federal Network Cybersecurity,''
written testimony, March 28, 2017, at http://docs.house.gov/meetings/
HM/HM08/20170328/105778/HHRG-115-HM08-Bio-ManfraJ-20170328.pdf.
---------------------------------------------------------------------------
Question 2. What does DHS need to consider to ensure that CDM
objectives and requirements keep pace with the rapidly-evolving nature
of cyber threats?
Answer. CDM uses tools that scan agency networks for end-points
running on those networks, identify vulnerabilities inherent on those
end-points (such as running an outdated version of software), and
display those results on a dashboard for system administrators to
analyze. The results of the scans are then coupled with threat
intelligence to determine which vulnerabilities are under exploit,
which provides system administrators with a way to prioritize their
greatest risks for remediation. CDM allows system administrators to
address the vulnerabilities on their systems, informed by, but agnostic
to, what threat actors are doing or motivated by. CDM helps system
administrators discover what vulnerabilities are on their system, but
does not address concerns of how hackers exploit those vulnerabilities
or which systems hackers are likely to target. Because the program is
internal-looking, the evolving nature of threats is an indirect
concern. CDM is a program that focuses more on ensuring systems are as
secure and resilient as they can be, regardless of what threats exist.
While the CDM program as a whole is threat-agnostic, the benefit
the dashboard provides to system administrators (both informing them of
their vulnerabilities and alerting them to vulnerabilities under
exploit by adversaries) is concerned with evolving threats. Ensuring
that threat analytics remains a part of the CDM program, and can be
displayed in a way to system administrators so that they can easily
prioritize limited resources to remediating the greatest risks, is a
key element of the program. DHS could seek to bolster relationships
with the intelligence community and security researchers so that the
National Cybersecurity and Communications Integration Center (NCCIC)
maintains situational awareness of evolving threats and how those
threats are being implemented. Once the organization has knowledge of
those threats, they could then integrate that information into CDM to
reach Federal agencies. Additionally, DHS could purchase cyber threat
indicators from security companies to include in their in-house threat
reporting and to inform the CDM program about which vulnerabilities are
of greatest risk.\3\
---------------------------------------------------------------------------
\3\ ``Cyber threat indicator'' is defined in the Cybersecurity
Information Sharing Act of 2015, in 6 USC Sec. 1501 (6).
---------------------------------------------------------------------------
DHS operates other programs that are more concerned with threats.
Understanding threat actors, their motivations, their targets, and
their techniques helps DHS produce relevant mitigation strategies to
share with agencies and critical infrastructure entities. One potential
limitation of CDM arises if the program identifies a vulnerability
under active exploit by a threat actor, but the vendor who provided the
product has not produced a patch for the vulnerability. In an instance
like this, DHS's tools would likely be able to identify the weakness
but not provide a recommendation for securing it. Instead, DHS may
resource a team to develop other mitigating strategies that agencies
may deploy in the interim--so as to provide the vulnerable agency with
positive actions they may undertake to shore up their security.
Question 3. One of the priorities of this committee is to ensure
the Federal Government is effectively leveraging innovative
cybersecurity technologies. The private sector today is able to readily
leverage the latest security services through commercial cloud
capabilities. What role should DHS play in helping Federal agencies
consider and potentially migrate to the cloud?
Answer. Through the use of cloud-enabling technologies, entities
may take advantage of a provider's processing power, storage capacity,
or a combination of both to add additional capacity, capability, or
flexibility to their own information technology systems. Cloud
providers furnish computing services to customers through one of three
service models:\4\
---------------------------------------------------------------------------
\4\ Peter Mell and Timothy Grance, ``The NIST Definition of Cloud
Computing,'' Special Publication 800-145, September 2011, at http://
nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf.
---------------------------------------------------------------------------
1. Infrastructure as a Service.--In this model the cloud provider
provides the hardware and network connection for their
customer, who in turn installs and maintains the applications
on those servers to meet their needs. Products in which
customers rent processing power or storage from a provider are
examples of Infrastructure as a Service.
2. Platform as a Service.--In this model the cloud provider
provides the hardware, connectivity, and underlying appliance
onto which customers move their data. Products which provide
databases or provide a development environment are examples of
platform as a service.
3. Software as a Service.--In this model the cloud provider
provides the hardware, connectivity, and software to the
customer, along with management of the service. Products in
which a customer only needs a user name and password because
the entire user interface, application, and back-end are
provided on-line are examples of Software as a Service.
Cloud environments can be public (i.e., leasable through the
internet), or private (i.e., built and managed in-house or by a
partner) and accessible without a connection to the public internet, or
a combination of the two.\5\ There have been previous attempts to
assist agencies in shedding their current, in-house system architecture
and migrating to cloud providers.\6\
---------------------------------------------------------------------------
\5\ Ibid.
\6\ Vivek Kundra, ``Federal Cloud Computer Strategy,'' strategy,
February 8, 2011, at https://www.dhs.gov/sites/default/files/
publications/digital-strategy/Federal-cloud-computing-strategy.pdf.
---------------------------------------------------------------------------
DHS currently plays a role in assisting agencies in their migration
to cloud technology through FedRAMP. FedRAMP is a Federal program run
out of GSA which examines public cloud providers and assesses their
security in order to assist agencies in choosing a cloud provider and
using their services. DHS is a member of the FedRAMP Joint
Authorization Board (JAB), which provides preliminary authorization for
cloud providers to offer services through FedRAMP, and helps in the
governance and operations of the FedRAMP program.\7\ In addition to
being on the JAB, DHS provides expertise and assistance to the GSA in
the management of the program.
---------------------------------------------------------------------------
\7\ www.fedramp.gov.
---------------------------------------------------------------------------
As agencies consider moving to cloud architecture, they consider
their level of risk exposure under their current architecture, their
risk exposure by moving to a cloud provider, and weigh the benefits and
costs to the migration. DHS may assist agencies in understanding their
own risk by performing technical evaluations of their security posture
and providing intelligence analysis on threats the agency may face for
the mission they perform or the data they store. Possessing this
information, agencies may be better informed in understanding the risks
and plotting their future system architecture.
Alternatively, DHS may coordinate agency activities to migrate to
cloud infrastructure. Under current authorities, DHS may coordinate
information security operations across Government agencies to ensure
effective implementation.\8\ DHS may compile a series of case studies
and recommendations based on agency migrations to cloud providers to
assist other agencies in evaluating their potential migration to the
cloud.
---------------------------------------------------------------------------
\8\ 44 U.S.C. Sec. 3553 (b).
---------------------------------------------------------------------------