The growing ubiquity of smartphones and tablet computers is presenting the Department Homeland Security’s continuous diagnostics and mitigation program with the familiar challenge of safeguarding federal networks from cyberattacks but on a more complex scale.
“On the mobile side, the number of different attack vectors, different types of attacks, the various requirements guidance for a security benchmark standpoint differs, the way we get to software and many applications that a mobile environment offers and then the assets themselves and how they are managed” are all factors to consider, CDM program manager Kevin Cox said.
“That is one of the challenges we, working within CDM with agencies, have — how do we approach mobile to help the agencies get full visibility?”
But Cox said Thursday at the ATARC Federal Mobile Technology Summit that CDM is working to tackle the mobile problem by leveraging the request for service (RFS) functions built into the $530 million DEFEND Group C contract.
CDM awarded the Group C contract to CGI Federal last month and it includes RFS features for cloud, boundary and mobile protections. Cox said the program will use the RFS feature to provide the contractor with “technical direction” on task order requirements, quickly delivering solutions to monitor mobile traffic on the network.
“We are working with the agencies, working with the integrator to go into the agency networks and understand what is on their network on-prem, where they have connections to other agencies, where they have connections out to the internet and map that out,” he said. “That’s what’s really going to discover everything in the agency network. Then what we want to be able to do is take that information and do another RFS to implement solutions to get agencies visibility there.”
CDM is also leveraging the threat-based assessments in its .gov Cybersecurity Architecture Review (.govCAR) program to spotlight where mobile coverage gaps might exist and test the efficacy of their solutions.
“The thing that we are going to do is take the threats on one side, the security capabilities on the other, and then combine analysis that says for each of those capabilities against each of those threats, how well does the capability protect, detect and respond,” said Jim Quinn, CDM’s lead system engineer.
But Quinn said mobile devices magnify the number of variables that the program will have to track depending on the policies agencies use to govern them, requiring a proliferation of capabilities to match.
“Are agencies doing it as [Bring Your Own Device], are they doing it as government-controlled?” he asked. “Each one of those has a different security posture. Those are all variations that have to be considered because each one has a different threat pattern. We have to take the capabilities against each one of those scenarios. So now you have a multiplier.”
Cox added that CDM is progressing carefully on the issue, even as it continues work on having CFO Act agencies report their data to its federal dashboard, which is expected to be completed by the end of September.
“All of this, as you know working with your agencies and your community, takes time,” he said. “We recognize the threat is at our door and, oftentimes, in our house already. We want to continue to support the agencies, get in front of that as quickly as possible, but we also want to make sure what we are implementing with the agencies is sustainable in the long run.”