Outsourcing cybersecurity? Feds get behind the idea.
DHS' Continuous Diagnostics and Mitigation program is the latest step in a trend toward holistic security that puts it into the hands of experts.
The recent award of a $6 billion blanket purchase agreement to 17 companies for security monitoring tools and services was a big business story and no doubt welcome news for federal contractors in this age of sequestration. It also illustrates government’s growing acceptance of the idea of security-as-a-service.
Agencies are moving from static, endpoint security tools toward a more holistic approach to cybersecurity, letting service providers handle more of the chores of continuously monitoring and assessing the security status of IT systems at the enterprise level.
It is not a wholesale shift, of course. There still are plenty of point products being used and security management being done in-house. But just a few years ago the idea of outsourcing security was controversial. Today, the Homeland Security Department is touting continuous monitoring as a service as a part of a major step forward in protecting government systems.
The blanket purchase agreements are part of a move in government from periodic assessment and certification under the Federal Information Security Management Act to continuous monitoring. Continuous monitoring of IT systems and networks was identified last year by the Office of Management and Budget as a Cross-Agency Priority goal. DHS, which has been delegated responsibility for overseeing FISMA, established the more appropriately named Continuous Diagnostics and Mitigation program, intended as a one-stop shop for tools and services enabling monitoring.
On Aug. 12, BPAs were awarded through the General Services Administration to 17 companies to provide these tools and services. The contracts have a one-year base period with four one-year options and an estimated value of $6 billion. The goal is to not only provide a cost-effective way to acquire cybersecurity solutions, but to also create a standardized platform for automated monitoring and reporting of the state of hardware and software.
Agencies will have their own dashboards that will alert them to the most critical security risks, helping them prioritize mitigation efforts and provide near-real-time information on security status. Summary information would give DHS a similar view of the entire .gov domain.
This is not DHS’s first foray into security as a service. In July, the Einstein 3 intrusion detection and prevention service went into operation at the first agency. It is a managed security service provided by DHS through Internet service providers. Initially deployed in 2004, it has advanced from network traffic analysis to automated blocking of malicious traffic. The Veterans Affairs Department was scheduled to become the second agency to turn on the service in August, with others coming online as ISPs are ready to accept them.
Both of these trends — the move from static evaluation to continuous monitoring and letting service providers handle enterprise-level tasks — could go a long way toward improving federal cybersecurity.
For more than a decade FISMA has provided a framework for IT security, and agencies have struggled to improve their security postures while complying with the law’s requirements. Almost from its inception in 2002 there have been calls for FISMA reform to move agencies away from focusing on compliance and toward actually improving security. Despite these calls, successive Congresses mired in partisan gridlock have been unable to provide reform.
Recent developments are evidence that FISMA’s supporters might be right, however. The problem is not in the law, which has always called for risk-based security and continuous (or near continuous) monitoring of systems, but with oversight that has placed more importance on compliance than results.
Not everything has been fixed. Statutory responsibility for overseeing FISMA still lies with OMB rather than DHS. And neither Einstein 3 nor the Continuous Diagnostics and Mitigation program has been in place long enough to show results. But the administration is demonstrating practical creativity in evolving federal cybersecurity.