The Department of Homeland Security (DHS) is about two-thirds of the way to meeting its December deadline of providing large federal departments and agencies with a cyber security system that uses classified indicators to detect and block network intrusions, a department official said on Aug. 24.
DHS is adding agencies at a “really rapid rate” under EINSTEIN 3A (E3A), Andy Ozment, assistant secretary for Cybersecurity and Communications at DHS, said at a cyber conference hosted by 1105 Media Group. He said the progress so far is “good” and that it is progressing “day to day.”
Congress late in 2015 gave DHS a Dec. 18 deadline to onboard federal civilian agencies to the E3A system, which is deployed at major Internet Service Providers that serve government agencies. Despite the progress being made with E3A, Ozment warned that there isn’t time to spare for agencies that aren’t onboard yet.
“I am really focused on those agencies that are not yet covered because as we start getting closer to that deadline, those agencies that are sort of struggling to get it done are all waiting to the end but we can’t onboard every agency at once three days before the deadline,” Ozment said. “We don’t have the capacity to suddenly help every agency.”
Ozment’s message to agencies that aren’t online with E 3A is, “Get moving.”
Ozment said that DHS’ internal goal is to get 100 percent of largest government agencies, which he labeled the chief financial officer (CFO) agencies. The CFO agencies include all federal departments and nine more key entities such as NASA, the Office of Personnel Management and the Social Security Administration.
Ozment said that there are more than 100 federal agencies, some as small as a half-dozen people, and that “there is no way” all of these will be covered by E3A by the December deadline. Eventually, DHS will get all these agencies onboard, he said.
EINSTEIN 3A provides a number of tools to detect and protect against cyber intrusions and DHS will be adding more detection capabilities as they become available, Ozment said. For the upcoming deadline, all the large civilian agencies will have at least one E3A detection, he said.
Ozment also provided updates on other key DHS cyber security efforts. An automated information sharing system of threat indicators that went live in March has between 45 and 50 entities onboard, most of them in the private sector, he said.
The Automated Indicator Sharing system, or AIS, was mandated by Congress in 2015 to encourage the private sector to voluntarily participate in machine-to-machine exchanges of cyber threat indicators. Ozment said that adversaries use the same threat signatures over and over but once those indicators are known, it ups the costs for bad actors that have to create or find new attack strains.
About seven to eight government agencies are part of AIS at the moment, Ozment said.
As of now no private entities are sharing threat indicators with DHS via the AIS system, Ozment said. That’s due in part to some immaturity in the information sharing standards and because companies and organizations were waiting on privacy guidelines that didn’t come out until June, he said. An updated version of the standards is being worked on now by an international body and could be ready this fall, he added.
As for reluctance on the part of the private sector to share information with DHS, Ozment said that some organizations and companies do share data but some never will. The goal is to increase the number of organizations that are sharing data, he said.
Congress provided liability protections to private sector organizations as an incentive to get them to share cyber threat data with DHS.
Ozment also updated the status of the Continuous Diagnostics and Mitigation (CDM) program, which DHS manages to help federal civilian agencies have the tools and services to strengthen their networks and cyber security posture. DHS acquires the tools and services using a General Services Administration contract.
Ozment said that the first phase of CDM has been fully awarded. Contractors on Phase 1 of the program provide tools and services to agency to help them know what is on their networks, how their networks are configured and if they are vulnerable.
The feedback from agencies is that “you’re struggling” with the cyber security demands being put on them, Ozment said. Agencies are getting it done, but it’s a challenge, he said, adding that DHS is willing to “step up” its support for them.
About half of the work for Phase 2 of CDM has been awarded, Ozment said. Phase 2 technologies and services let agencies know who is on their network, what privileges they have, and how they authenticate themselves to gain access to the network and its parts.
The third phase of the program will help agencies better understand what is happening on their networks and to help them manage these events. Funding for Phase 3 is proposed in the FY ’17 budget request to Congress. The budget request also includes the start of Phase 4, which aims to provide capabilities to protect the highest value assets of agencies.