“We’re not going to be able to stop everything.”
That’s the conclusion three senior government officials reached yesterday when discussing the state of continuous monitoring in the federal government.
Margie Graves, deputy chief information officer at the Department of Homeland Security, Peter Gouldmann, director of the State Department’s information risk programs, and Steve Viar, director of FEDSIM at the General Services Administration’s Federal Acquisition Service, spoke at an AFFIRM luncheon Thursday about the current status and future of continuous diagnostics mitigation or CDM.
According to the panelists, not being able to stop every cyber-attack is a very real threat — agencies are only as strong as their weakest link.
However, a continuous monitoring dashboard would seriously bolster security efforts by providing metrics, tools and a platform for the community. In summer of 2013, DHS awarded $6 billion to the first-ever continuous monitoring contract.
“By monitoring the patterns, algorithms can form, patterns can be identified and we can address those root causes,” Graves said.
Which is why the process of CDM can be so crucial to the organization: implementing CDM will require a real culture change, so people get used to looking at information in real time, Graves said.
More so than the culture shift is the human element to making this system work.
“It’s a combination of human actions and the tools that see what is on the networks,” Gouldmann said. “There [are] levels of acceptable and unacceptable risk, and we have to make the strategy flexible enough so that changes can be made.”
These “acceptable and unacceptable” risks tie into what Graves called “fixed based operation excellence,” meaning apply resources where the greatest risks exist. DHS is working toward taking measures that won’t just lay out the numbers, but also analyze and process that data.
In addition, Graves said DHS is working on an “ongoing authorization” initiative, which has already launched a pilot program. The ongoing authorization program will shift the department’s process from being static based to a more dynamic framework. Graves said she believes the resiliency component of that project will be key and keep agencies “hypervigilant.”