May 27, 2016
The Department of Homeland Security has awarded its much-anticipated continuous monitoring contract, widely recognized as a big step in the government’s plan to bolster its cybersecurity.
The contract, worth $6 billion, was awarded Monday night to 17 companies that will provide tools for the majority of government agencies to assess and combat — in real time — the cyber risks and vulnerabilities in their networks. The 2013 fiscal year budget authorized $185 million for the first year of the contract, which has four subsequent option years.
"To assist agencies in our battle for greater mission health is critical overall for our country’s prosperity," said Jennifer Nowell, director of strategic programs at Symantec, whose tool suites will be used to support the DHS effort. "Continuous monitoring is the first time we have experienced such unity through our public and private partnerships in the fight to ensure safety, security and resiliency for the citizens. This is a tremendous step forward for government, and Symantec is excited to be an instrumental part to making it happen."
The program "will strengthen cybersecurity across the 'dot-gov' domain, improve our cybersecurity posture, and enhance other critical cybersecurity capabilities to thwart advanced, persistent cyber threats in a dynamic threat environment," Suzanne Spaulding, deputy undersecretary for DHS' National Protection and Programs Directorate, said in an Aug. 13 blog post.
Although the Defense Department has not agreed to use the contract, most civilian agencies have, meaning the contract will change how most of the government approaches cybersecurity. Ultimately, DHS expects “continuous monitoring” to translate into 60 billion to 80 billion security checks every one to three days, according to the department.
While DOD has been adopting standard information technology solutions across its services for some time now, the civilian agencies are historically more disparate, said Ken Kartsen, head of federal business for McAfee, whose technologies figure into 11 of the 17 companies awarded contracts. Combined, the contracts represent a major shift toward standardization and consolidated information security strategies on the civilian side of government, he said.
“This move forward is that next leap,” Kartsen said. Today, “you don’t have full understanding of what your assets are — if they’re vulnerable, if they’ve been compromised, if they’re being leveraged in some capacity,” he added. But with continuous monitoring, “you understand what your assets are — where they are, if they’re vulnerable — in real time, and you have the ability to protect against threats.”
The new deluge of information will get sent to CyberScope, a joint DHS and Justice Department system that currently handles data reporting mandated by the Federal Information Security Management Act of 2002. FISMA sets information security data reporting measures, but is widely criticized for its reactive and outdated standards.
“FISMA was a necessary evil; you have to crawl before you walk,” Kartsen said, describing the FISMA reporting process as a simple assessment and grading rubric for each agency’s network systems. “As we move forward to this contract, it really promotes the proactive capabilities that solutions and technologies can provide the government.”
But the newly released contracts are also in their infancy. Questions remain: How will DHS want the new technologies implemented? DHS has started contacting the main companies to discuss exactly that.
“We’re all waiting with bated breath to see what the next phase is in the strategy DHS has,” Kartsen said.
Below, a list of all the companies awarded contracts: