Tech

This agency is preparing to score its cyber risk with a new algorithm

“From the time that the scores come online, what gets measured gets done,” said the manager of the Continuous Diagnostics and Mitigation program.

By Dave Nyczepir

April 26, 2019

Kevin Cox speaks April 25, 2019, at the Security Through Innovation Summit presented by McAfee and produced by FedScoop and CyberScoop. (FedScoop)

The Department of Labor is integrating into its continuous monitoring dashboard a new algorithm that will measure the security of IT assets to help the agency address vulnerabilities over time.

Known as the Agency-Wide Adaptive Risk Enumeration, or AWARE, algorithm, the Continuous Diagnostics and Mitigation (CDM) program’s latest cybersecurity tool will have a soft rollout to all federal agencies Oct. 1 — the start of fiscal year 2020. The Department of Labor is already working with AWARE, said Scott Davis, the department’s deputy chief information security officer.

Several agencies previously had risk-scoring mechanisms in place, like the Department of State with iPOST and the Department of Justice with its Security Posture Dashboard, but AWARE will track millions of assets across the entire federal security landscape.

“Adversaries are going to go after the low-hanging fruit,” Kevin Cox, program manager of CDM, said Thursday at the Security Through Innovation Summit, presented by McAfee and produced by FedScoop. “They’re going to go after unpatched systems; they’re going to go after misconfigured systems, and we see the evidence of that.”

AWARE tracks the number of vulnerabilities and misconfigurations, placing extra weight on those that go unaddressed by agencies over time. A higher AWARE score reflects a bigger attack surface, and at rollout, agencies will be able to compare their scores — reported via their dashboards — to each other and the federal average.

DOL expects updates to the algorithm in May and August as sensor-to-dashboard reporting is tweaked to improve data consistency.

The agency has a limited number of cybersecurity and IT professionals to throw at weaknesses, which is where AWARE comes in, Davis said.

“We can laser lock them onto the right things … using the algorithm,” Davis said. “Getting the clean data, making sure that we’re looking at accurate information and then pointing our professionals in the right direction with other tools, or patches, or working with vendors to make sure we fix problems as soon as possible and make sure we hit the critical ones first.”

Throughout fiscal 2020, CDM will release a second version of AWARE for more “granular” metrics at the Federal Information Security Management Act level, Cox said.

Both the State Department and DOJ have seen their risk scores decline since they started tracking them, he added, and CDM expects the same will be true of other agencies’ scores over the next few years.

“From the time that the scores come online, what gets measured gets done,” Cox said. “And one of the principles of the AWARE algorithm is we want agencies to fix the worst problems first, and as that’s happening the score will continue to drop.”