For the U.S. Department of Commerce, when it comes to cybersecurity it’s better to be proactive than reactive. Commerce has been partnering with the Department of Homeland Security to use new tools from a key DHS program to enhance its security posture.
Over the last few years, Commerce has been testing tools from DHS’s Continuous Diagnostics and Mitigation (CDM) program, a five-year, $6 billion effort to give civilian agencies the tools and services required to monitor their IT systems and then respond almost instantaneously to vulnerabilities.
CDM identifies cybersecurity risks on an ongoing basis, then prioritizes the risks based upon how severe they might be, in an effort to let cybersecurity personnel mitigate the most significant problems first, according to DHS.
The first phase of CDM focused on securing endpoints, managing hardware and software assets, as well as configuration management and vulnerability management. The second phase, set to roll out shortly, will focus on access control management; security-related behavior; and managing credentials, authentication and privileges.
Commerce Department CIO Rod Turk tells Federal News Radio that the agency has been testing the CDM tools ahead of time to make sure it can quickly implement them when they are ready. That is forcing Commerce to upgrade its IT infrastructure to handle the tools.
“We have found that we need to upgrade our infrastructure for CDM so that it is a high-rated system rather than a moderate-rated system as far as the Federal Information Security Management Act is concerned,” Turk says. “We are making some investments on our own to put controls in place for that high system. In addition to that, as we move more tools from the CDM program into our environment, we will have to increase the size of our infrastructure so that we can actually handle all of the tools and the data flows. So we are working very closely with the CDM program to help us in that regard as well.”
Commerce has focused on using the software tools that DHS has provided to agencies under the CDM program, and Commerce is now moving from planning to implementation with many of those tools. “We’re working very well with the DHS folks and we meet with them on a continuous basis and we are moving forward,” Turk says.
As Federal News Radio reports, “Commerce, along with the departments of Justice, Labor and State, and U.S. Agency for International Development, is in the third group getting CDM tools and services under DHS’s plans.”
Turk has said in the past that the CDM program has been “one of the first opportunities that we’ve had to bring in a shared-services approach that has a common functionality across a very diverse set of functionalities.”
The agency has established its enterprise security operations center, run by the National Oceanic and Atmospheric Administration, and that center will soon start accepting the data feeds from all the bureau’s cybersecurity tools, Turk told Federal News Radio.
“By the end of this fiscal year, we expect to have all of the feeds, for all of the bureaus and for all of the events and incident management type of feeds, feeding into a security information management (SIM) tool so that we can use that information that we’ve gathered and provide an early warning system and incident response system for all of the department,” he says.
Turk adds that Commerce will be adding in a security layer that deals with classified information. “We want to take the data that we gather and layer into the secret and top secret information that we have in the intelligence community,” he says. “That, we think, will give us a powerful security operations center so that we can support our bureaus with incident response.”
Commerce’s new system will support hardware management, software asset management and vulnerability management — the key elements of CDM.
“You can’t protect what you don’t know you have. That is pretty basic cybersecurity. That will help us tremendously make sure we have a full bag of our assets identified so we can make sure everything is secure,” Turk says.