FY 16-17: Agency Priority Goal
Improve Federal Network Security
Priority Goal
Goal Overview
The 2014 Quadrennial Homeland Security Review and the FY14-18 DHS Strategic Plan recognize the continuing need to secure the federal civilian executive branch agencies’ information technology (IT) networks and systems. By law, each head of a federal department or agency is primarily responsible for their agency’s own cybersecurity. The Department of Homeland Security has overall responsibility for protecting federal civilian executive branch systems from cyber threats, helping agencies better defend themselves, and providing response teams to assist agencies during significant incidents. There is no one “silver bullet” for cybersecurity. The key is to install multiple layers of protection to best secure federal networks.
DHS’s National Cybersecurity and Communications Integration Center (NCCIC) is the U.S. government’s 24/7 hub for cybersecurity information sharing, incident response and coordination. The NCCIC shares information on cyber threats and incidents, and provides on-site assistance to victims of cyberattacks. The NCCIC is also where DHS manages the EINSTEIN system, the first basic layer of protection DHS provides at the network perimeter of each federal civilian executive branch agency. While there are three parts to the EINSTEIN set of capabilities, the focus is currently on the deployment of the third phase, known as EINSTEIN 3 Accelerated (E3A), which has the capacity to identify and block known malicious traffic.
DHS also helps federal agencies identify and fix problems inside their networks in near real-time using the Continuous Diagnostics and Mitigation program (CDM). Once fully deployed, CDM will constantly scan agency networks for vulnerabilities that bad actors could exploit if they did breach an agency’s perimeter. The CDM Program consists of three phases that are currently in various stages of availability to federal civilian executive branch agencies. The first phase of CDM focuses on “What is on the Network,” specifically asset management. This includes hardware and software assets, managing configuration settings, and vulnerabilities, all of which are foundational capabilities to protect systems and data. Phase 2 (“Who is on the Network”) covers user account and network privilege management; and Phase 3 (“What is Happening on the Network”) covers boundary protection, event management and security lifecycle management.
As of October 1, 2015, DHS has delivered the first phase of CDM to the 23 civilian Chief Financial Officer (CFO) Act agencies, covering 97 percent of the federal civilian Executive Branch government. These agencies are expected to deploy these CDM tools on their networks within the fiscal year.
Information sharing is also fundamental to achieving cybersecurity. The NCCIC shares information on cyber threats, vulnerabilities and incidents. In order to sufficiently address the rapidly evolving threats to our cyber systems, DHS and its partners must move beyond information sharing methods that are overly reliant on manual processes to be able to share cyber information in as close to real-time as possible. DHS is pursuing an aggressive schedule to deploy one of its next-generation information sharing techniques. The Department has an automated system in place to share cyber threat indicators, and DHS will extend this capability across the federal government and to the private sector, so that the larger community can send and receive threat indicators in near real-time.
This goal aligns with Administration cybersecurity priorities. The goal was established in coordination with OMB policies and guidance, to include the Cybersecurity Strategy and Implementation Plan (CSIP), the Fiscal Year 2015-2016 Guidance on Federal Information Security and Privacy Management Requirements, and the Cybersecurity CAP goal.
Strategies
Cybersecurity is a top priority for the Department of Homeland Security. Federal civilian executive branch cybersecurity is not where it needs to be, and DHS will undertake several initiatives to improve the government’s cybersecurity.
First, DHS will expedite the delivery of CDM services and tools to federal civilian executive branch agencies. This includes the program’s second phase, which will strengthen agencies’ ability to manage network access, including the application of technologies to prevent the theft and unauthorized use of agency user credentials on IT systems. The CDM program will also supplement this effort by incorporating the agencies’ effective onboarding processes along with requisite security training to develop a comprehensive view of the people authorized on the network. Just as CDM will increase federal agencies’ internal security protections, the Department cannot lose sight of how important defense-in-depth is to federal cybersecurity. Therefore, as a second initiative, DHS is accelerating the availability of E3A to all federal civilian executive branch agencies during FY16. The Department will identify and undertake opportunities to expedite the availability of at least one E3A countermeasure for each agency.
Third, while the Department has an automated system in place to share cyber threat indicators, and DHS is extending this capability across the federal government and to the private sector, the indicators received through this capability will only be as good as the content contributed to it. Over the next two years, the Department’s components that have cybersecurity or cyber law enforcement roles, such as the National Protection and Programs Directorate, the U.S. Coast Guard, the DHS Chief Information Officer, the United States Secret Service and Immigration and Customs Enforcement, will increase their participation in this automated system.
Fourth, in addition to providing on-site incident response assistance to federal, state and local agencies and to private companies operating critical infrastructure, the NCCIC offers services to enhance an organization’s cybersecurity before an incident occurs. The NCCIC also offers Risk and Vulnerability Assessments on the cybersecurity posture of agency networks. Using commercial best practices and the integration of threat intelligence, the NCCIC offers these cybersecurity assessments to federal agencies, which result in risk management guidance and recommendations. A series of services are available through the assessments, such as vulnerability scanning, penetration testing, social engineering, wireless discovery, web application scanning and testing, database scanning, and operating system scanning. Over the next two years, the Department will increase the number of assessments it provides to federal agencies.
Progress Update
Continuous Diagnostics and Mitigation (CDM): The CDM Program has delivered the remaining Phase 1 (asset management) tools to the final group of participating federal civilian executive branch agencies. The final award for the remaining Phase 2 tools was to have been complete in Q4 FY 2016; however, that procurement was delayed due to a protest. The final portion of Phase 2 is expected to be delivered to the remaining Phase 2 agencies in Q1 FY 2017. Once the final group of Phase 2 tools is delivered, DHS will meet its original FY 2016 target of 100%.
National Cybersecurity Protection System (NCPS): By the end of Q4 FY 2016, 47 additional federal, civilian executive branch Chief Financial Officer (CFO) Act Department and Agency (D/As) entities were brought on to E3A services. Cumulatively, these D/As represent approximately 1.5 million users, or 80% of the CFO Act agencies .gov user population under the updated methodology.
Several factors influenced the FY 2016 target participation rate. The revision of the EINSTEIN Memorandum of Agreement resulted in delayed deployment of D/A entities with statutory responsibility for collecting statistical information and applying special handling instructions. In addition, phased deployments of large agencies separately over periods of several weeks or months due to network architecture, sub-component autonomy, and variations in services currently available from Internet Service Providers (ISPs) extended the time and resources needed to deploy E3A resources.
Automated Indicator Sharing (AIS): In this quarter, the Department of Homeland Security (DHS) Security Operations Center (SOC) successfully completed its connection to the automated indicator sharing server hosted by the National Cybersecurity and Communications Integration Center (NCCIC), allowing them to retrieve cyber threat indicators and defensive measures at machine-to-machine speed. The cyber threat information will be shared to other DHS components according to current DHS SOC methods. Progress has been slower than expected in implementing and testing connectivity with other DHS components. NCCIC will support the DHS SOC as it expands sharing and increases automation among the DHS components. DHS expects to meet the FY 2017 goal of 10 components participating in automated indicator sharing.
Risk and Vulnerability Assessments (RVAs): DHS Cybersecurity Risk and Vulnerability Assessments (RVA) test an organization's ability to defend itself from malicious cyber-attacks. The RVA is a critical element in Federal cybersecurity and is a cost-effective means to prevent a cyber incident. This measure quantifies the number of unique Federal agencies that received RVAs. Throughout FY 2016, requests for assessments grew drastically, and the program continued to grow in capacity. The program completed this high volume of assessments through surge capacity contracting and re-allocation of funds from other mission areas. During the 2nd quarter of FY 2016, the Office of Management and Budget (OMB), the National Security Council (NSC), and DHS leadership directed the program to reprioritize RVA resources toward high value assets (HVAs) and CFO Act agencies. This reprioritization led the program to complete 51 total assessments to ensure the security of HVAs, but left other agencies unassessed.
Next Steps
Continuous Diagnostics and Mitigation (CDM): The CDM Program Management Office continues to work with participating agencies to make sure that their Phase 1 and Phase 2 requirements are satisfied. CDM is also working closely with the General Services Administration’s (GSA) Federal Systems Integration and Management Center (FEDSIM), which serves as the program’s contracting office for assisted acquisitions, in order to minimize delays and expedite implementations. In particular, the CDM Program Office is working with GSA to resolve the pre-award protest that delayed the final delivery of CDM Phase 2 tools to participating agencies. The PMO has initiated Phase 3 (what is happening on the network) pre-solicitation planning and other activities.
National Cybersecurity Protection System (NCPS): The Federal Cybersecurity Enhancement Act (FCEA) requires all agencies to apply and continue to utilize all phases of EINSTEIN by December 18, 2016. DHS has made EINSTEIN capabilities available through the relevant internet service providers and will provide associated support for agencies to meet this deadline. However, it is incumbent upon each agency to take necessary steps to join the program. DHS cannot mandate that agencies expedite their participation; however, DHS has taken steps to expedite deployment efforts by negotiating earlier deployment dates for D/A entities eager to participate. There has also been a surge in momentum from D/A entities to participate as a result of the Secretary of Homeland Security’s letter to agency heads that was sent out in late May, which encouraged agency heads to direct their respective entities to contact DHS to implement EINSTEIN services so that they would be in compliance with the December 18, 2016 deadline established by FCEA.
Over the last fiscal year, DHS addressed various known sources of potential delay to the deployment of E3A. This included solidifying the EINSTEIN memorandum of agreement to participate in the program and the Secretary of Homeland Security sending a letter to agency heads in late May to encourage them to direct their respective entities to implement EINSTEIN services. Additionally, based on information gathered during FY 2016, DHS can now better estimate the time and resources needed to deploy E3A resources. While the Q4 FY 2016 result narrowly missed the Agency Priority Goal (APG) target, as of October 14, 2016, DHS exceeded its FY 2016 target, and is now covering 87%, or approximately 1.7 million, of the CFO Act D/A .gov user population with at least one E3A countermeasure. DHS is continuing to work with the remaining CFO Act Agencies to deploy E3A services, and the final results will be reported in the Q1 FY 2017 submission.
Automated Indicator Sharing (AIS): The NCCIC will support the DHS SOC in increasing automation across other DHS components, including installation of automated indicator sharing (AIS) client software and will work with the DHS SOC team to support sharing of indicators generated from the DHS enterprise into AIS for broader dissemination to Federal, private sector and state/local customers. Below are the planned next steps for AIS in FY 2017:
• Q1 – DHS leadership provides direction to DHS components to implement AIS software at component SOCs
• Q2 – test and demonstrate automated sharing of indicators with three additional DHS components
• Q4 – test and demonstrate automated sharing of indicators with all DHS components
Risk and Vulnerability Assessments (RVAs): Due to the reprioritization of RVA resources toward HVAs, DHS failed to meet its target of providing one annual RVA for all cabinet level agencies and one third of all non-cabinet level agencies. DHS will continue to prioritize RVAs as directed by leadership.
DHS will bring on additional assessment teams, deployment kits and an improved analysis lab in order to meet leadership priorities. The timing to accomplish these actions is dependent on an expanded budget to be available following the Continuing Resolution (CR). Below are the planned next steps for RVAs in FY 2017 pending a new budget appropriation:
• Q1 – The program will continue to assess federal agencies at the rate of roughly 7 per quarter, with a focus on agencies with high value assets.
• Q2 – When increased FY 2017 funds are available the program will procure additional deployment kits to expand capacity and initiate hiring actions.
• Q3 – Expand facilities, and increase new personnel. There is a significant lag in onboarding personnel due to the requirement for Top Secret clearance.
• Q4 – New personnel complete initial training and are available to expand assessment team roster. Capacity is planned to be 10 agencies per quarter by the end of FY 2017.
Performance Indicators
Percent of DHS cybersecurity and cyber law enforcement components participating in automated indicator sharing
Percent of annual assessments completed for twenty-three cabinet level agencies and one-third of all non-cabinet level agencies
Percent of participating federal, civilian executive branch agencies for which Phase 3 continuous diagnostics and mitigation tools have been delivered
Percent of federal, civilian executive branch personnel for whom EINSTEIN intrusion prevention system coverage has been deployed
Percent of participating federal, civilian executive branch agencies for which Phase 1 and 2 continuous diagnostics and mitigation tools have been delivered
Contributing Programs & Other Factors
The Cybersecurity & Communications (CS&C) program administers the Continuous Diagnostics and Monitoring (CDM) and the EINSTEIN acquisitions that provide the technological foundation that enables DHS to secure and defend the federal civilian government’s information technology infrastructure against advanced cyber threats. Additionally, CS&C provides risk and vulnerability assessments on the cybersecurity posture of stakeholders’ networks.
DHS Components: NPPD manages the automated sharing environment that enables DHS Components to receive and share threat indicator information in near real time to expedite threat detection and blocking. Multiple DHS Components participate in this automated sharing environment to exchange vital and timely information on cyber threats.
GSA: The Federal Systems Integration and Management Center (FEDSIM) administers the contract vehicles through which federal departments and agencies acquire continuous monitoring and diagnostic tools through DHS.
Non-defense CFO Act agencies and an additional 41 non-CFO Act agencies: The 23 non-defense CFO Act agencies and an additional 41 non-CFO Act agencies integrate and deploy the DHS delivered continuous diagnostic and monitoring tools on their respective networks.
Strategic Objectives
Strategic Objective:
Goal 4.2: Secure the Federal Civilian Government Information Technology Enterprise
Statement:
Secure the Federal Civilian Government Information Technology Enterprise
Description:
The Federal Government provides essential services and information on which many Americans rely. Not only must the government protect its own networks, it must serve as a role model to others in implementing security services. DHS itself plays a leading role in securing federal civilian networks, allowing the Federal Government to do its business securely. DHS partners with agencies to deploy products such as the EINSTEIN set of capabilities that provide perimeter network-based intrusion detection and prevention.
We will pursue the following strategies to secure the federal civilian government information technology enterprise:
- Coordinate government purchasing of cyber technology to enhance cost-effectiveness by using strategically sourced tools and services such as the Continuous Diagnostics and Mitigation program.
- Equip civilian government networks with innovative cybersecurity tools, information, and protections by supporting research and development and making the innovations from research and development available not only to the Federal Government but widely available across the public and private spheres.
- Ensure government-wide policy and standards are consistently and effectively implemented and measured by promoting the adoption of enterprise-wide policy and best practices and working with interagency partners to develop government-wide requirements that can bring the full strength of the market to bear on existing and emergent vulnerabilities.
Agency Priority Goals
Statement: Improve federal network security by providing federal civilian executive branch agencies with the tools and information needed to diagnose, mitigate, and respond to cybersecurity threats and vulnerabilities. By September 30, 2017 DHS will deliver two phases of continuous diagnostics and mitigation tools to 100% of the participating federal civilian executive branch agencies so that they can monitor their networks.
Description: The 2014 Quadrennial Homeland Security Review and the FY14-18 DHS Strategic Plan recognize the continuing need to secure the federal civilian executive branch agencies’ information technology (IT) networks and systems. By law, each head of a federal department or agency is primarily responsible for their agency’s own cybersecurity. The Department of Homeland Security has overall responsibility for protecting federal civilian executive branch systems from cyber threats, helping agencies better defend themselves, and providing response teams to assist agencies during significant incidents. There is no one “silver bullet” for cybersecurity. The key is to install multiple layers of protection to best secure federal networks. As of October 1, 2015, DHS has delivered the first phase of CDM to the 23 civilian Chief Financial Officer (CFO) Act agencies, covering 97 percent of the federal civilian Executive Branch government. These agencies are expected to deploy these CDM tools on their networks within the fiscal year.