CDM’s agency cyber risk scores will be relative, at least initially
Agencies will be able to compare their cybersecurity risk scores to the federal average when the Continuous Diagnostics and Monitoring program starts showing them on dashboards Oct. 1.
The Agency-Wide Adaptive Risk Enumeration, or AWARE, algorithm measures how agencies are doing on basic security practices like vulnerability, patch and configuration management in near real time. A smaller cumulative score represents a smaller cyberattack surface.
Currently 23 Chief Financial Officers Act agencies and 30 others are set to receive AWARE scores with 40 more on the horizon, said Kevin Cox, CDM program manager for the Cybersecurity and Infrastructure Security Agency (CISA).
“We want to be careful not to share the scores out publicly because we know adversaries will be looking to see which agencies are having problems so they can go target them,” Cox said in response to a question from FedScoop at the Billington Cybersecurity Conference. “But there may be ways where, once everybody feels comfortable with their AWARE score — all the data is in good shape — that we share it with the deputy secretaries and everybody sees everybody else’s score.”
The State and Justice departments pioneered risk-scoring mechanisms and learned sharing them internally “generates the desire to get better within your shop,” he added.
Federal leadership will ultimately determine who sees what scores, but CISA sees all of them.
“At the end of the day we’d like everyone to get to zero, but that’s not realistic because there’s always vulnerabilities coming out and patching activities,” Cox said.
CISA’s internal cyber division is considering adding grace periods to the algorithm to allow agencies time to patch newly reported vulnerabilities before being held accountable.
More guidance is forthcoming explaining to agencies how the algorithm works, what scores mean relative to the federal average, and actions to shrink attack surfaces.
The AWARE algorithm is one half of CDM’s multi-year effort to establish a federal risk posture while helping agencies better understand their own.
[W]e can set it at the agency level, but we don’t have that standard where we know we can’t go higher than this,” said Willie Crenshaw, cybersecurity program executive at NASA.
The other half is a new request for service underway within Group B — which includes the Veterans Affairs, Agriculture and Interior departments — of the CDM Dynamic and Evolving Federal Enterprise Network Defense, or DEFEND, program.
CDM wants to align its dashboard with the government’s risk and compliance tool used by agencies in order to determine Federal Information Security Management Act, or FISMA, system boundaries and map asset data to those systems. Once that’s done, controls can be automated, Cox said.
The process should take another four to six months followed by pilots with several Group B departments, he added.
“Getting governance in place at the federal level, getting governance in place at each agency, is really critical for not only CDM to work but agencies to be successful at managing their risk, Cox said.