Later this year the Department of Homeland Security plans to establish a common approach to cyber security for the entire federal civilian government to create a more “common understanding,” a senior department official said on Wednesday.

DHS already provides tools for federal agencies to boost the security of their networks, “but we’ve got to get to a more common, synchronized baseline approach,” Chris Krebs, director of the Cybersecurity and Infrastructure Security Agency (CISA), told the House Appropriations Homeland Security Subcommittee.

Krebs told the panel that there are 99 federal agencies that CISA helps to strengthen their cyber security and that “Later this year we’ll issue a cyber security baseline that will establish a common understanding and framework of where these 99 federal agencies need to go.”

Christopher Krebs, Director of the Cybersecurity and Infrastructure Security Agency at DHS. Photo: DHS

CISA is responsible for helping federal civilian agencies improve their cyber security, including through mandates, and working with critical infrastructure owners and operators in the private sector and at other levels of government on a voluntary basis to also bolster their cyber security.

Boosting cyber security in federal civilian agencies is “less about deploying tools across the networks,” he said, noting that his agency is doing more on helping with network architectures and information technology modernization so network systems have security built in rather than bolted on.

Networks that are deployed and configured securely are ones that require fewer resources for adding security later, he said.

Krebs said he expects the standardized approaches to cyber security in the civilian agencies to be in place within a few years, adding he also wants “better harmonization” of cyber security services, and continued improvements in sharing cyber threat information.

Krebs pointed to some of the progress DHS has been making in improving federal cyber security, including directives to shorten the time for patch management of cyber vulnerabilities and another to increase the security around websites and email systems. Last week, he said a 2015 Binding Operational Directive (BOD) on patch management has led to federal civilian agencies on average going from taking 219 days to remediate their network vulnerabilities to  under 20 days.

On Monday, Krebs issued a new BOD that supersedes the 2015 directive and requires federal civilian agencies to remediate critical vulnerabilities within 15 calendar days of detection and “high vulnerabilities” within 30 calendar days of detection.

CISA will track agencies’ progress in remediating their vulnerabilities and for agencies that don’t meet the deadlines CISA will provide remediation plans.

The new BOD, which is 19-02, also requires that Internet addresses that enable cyber hygiene scans not be blocked.

“BOD 19-02 introduces a shorter mitigation time frame for critical vulnerabilities and a new mitigation time frame for high vulnerabilities, to further reduce the attack surface and risk to federal agency information systems,” Jeanette Manfra, assistant director for Cybersecurity at CISA, said in an April 29 blog post on the agency’s website.

Krebs’ vision for a more standardized approach to federal cyber security stems from the Trump administration’s management agenda to improve the efficiencies of federal operations and lower costs. On Sunday, the White House Office of Management and Budget issued a memorandum on its strategy for sharing quality services to improve efficiencies.

Krebs pointed out to the panel that the memo directs that CISA is the Quality Service Management Office (QSMO) for “cyber security services so that we will be able to offer a more standardized security operations center as a service, for example.”

Russel Vought, acting director of OMB, said in his memo that “Agency QSMO’s offer solutions that, over time, will standardize processes, reduce the technology footprint, and reduce Government-wide operating costs.” He said QSMOs are responsible for managing these efforts and “must offer premiere capabilities” and best practices tailored to impacted agencies.