Returning to HWAM, SWAM, CSM, and VULN March 23, 2017 12:00 pm – 1:00 pm EST A CDM LEARNING COMMUNITY EVENT


THE MARCH CDM WEBINAR: RETURNING TO HWAM, SWAM, CSM, AND VULN


Today’s Webinar Goals

Provide CDM community with PMO and agency Phase 1 implementation perspectives

Answer all audience questions during the allotted question and answer time


Agency panelists will answer these questions:

► Where is your agency in Phase 1 implementation?

► What was your agency’s Information Security Continuous Monitoring (ISCM) program maturity before implementation?

► What are the top two or three implementation takeaways you want to highlight (e.g., lessons learned, challenges, successes/enhancements)?


Today’s Panelist: Dan Frantz, CDM Program Manager, Social Security Administration (SSA)

► CDM Program Manager at SSA, overseeing CDM Phase 1 and 2 implementation

► At SSA since 2012, working with CDM data and Federal Information Security Modernization Act (FISMA) reporting integration and automation

► In information technology (IT) since 1998, specialties include server and network administration, security infrastructure management, security information and event management, intrusion detection and incident response, tier 3 security engineering


Today’s Panelist: Marian Cody, Senior IT Portfolio Manager, U.S. Department of Housing and Urban Development (HUD), recently retired

► 28 years at HUD; HUD’s primary point of contact (POC) for Department of Homeland Security (DHS) CDM Program

► Participated in Group E Continuous Monitoring as a Service (CMaaS) acquisition process

► Designed, developed HUD’s CDM program

► Managed HUD’s Phase 1 implementation

► Served as Chief Information Security Officer (CISO) at HUD and U.S. Environmental Protection Agency (EPA)


Today’s Panelist: Kris Caylor, Chief, Strategic and Capital Planning & Portfolio Management Branch, Department of the Interior (DOI)

► Joined DOI, Office of the Chief Information Officer (OCIO), Office of Information Assurance (OIA) staff in 2006 as an IT Security Manager

► Enterprise Vulnerability Manager for Cybersecurity Operations team, including all Enterprise Continuous Monitoring tools

► 16 years U.S. Navy active duty as both enlisted and officer

► Transitioned to Navy Reserves in 2006, retiring with combined 27 years of military service in May


Today’s Panelist: Matthew Hartman, Deputy CDM Program Manager, DHS

► Technical POC for CDM Blanket Purchase Agreement (BPA) and CDM Dashboard contract

► CDM Program Manager (Acting) from June 2016 to January 2017

► Project Manager for CDM Program’s first delivery order and Task Order 2A and 2E

► National Protection and Programs Directorate (NPPD) OCIO liaison to the Office of Infrastructure Protection


SSA CDM Status

Currently, we are an estimated 75% through Phase 1 implementation. ForeScout deployed and detecting assets, re-using SCCM 2012 for SWAM and CSM, and Nessus for VULN.

The SSA started continuous monitoring efforts before August 2012.

Initial work was to identify all security tools and what NIST 800-53 controls they supported or supplied data.

Identified controls that could be automated based on P1 controls, ease of automation, and benefit in automating FISMA reporting / CyberScope reporting.

Ingested that data into Splunk, creating control-specific dashboards (Ex. RA-05, CM-08, IR-06, IA-02), and continuously improved our methodology on those controls, while evaluating further controls to automate.

Lessons learned: 1) Identify and educate stakeholders sooner. 2) Build it, then build it better.

Returning to HWAM, SWAM, CSM and VULN: An Early Adopter’s Experience at HUD

Status: Combination O&M and Planned

ISCM Status:

○ Program Established for Phase 1 Capabilities

○ Mature HWAM/CSM

○ Active Vulnerability Management

○ Immature SWAM

Lessons

○ Obtain And Sustain Management Support

○ Leverage What You Are Already Doing And Scope The Project To Allow Success – Starting Small And Iteratively Expanding To Cover The Entire Environment

○ Data Reconciliation Across Tools/Sensors

○ Learn From Others – Share Lessons Learned

Department of the Interior - CDM Phase 1

Current Phase 1 implementation status:

● BigFix, McAfee Vulnerability Manager/Tenable, and ForeScout installed

● RES core installed but on hold due to RES vuln issues

● Splunk and RSA Archer installed and being configured

● 1st renewal of DHS provided BigFix licenses completed

Pre-CDM Phase 1 status:

● McAfee Vulnerability Manager/Tenable fully deployed

● BigFix deployed to approximately one third of DOI

Key takeaways:

● Governance is hard, but crucial to the success of CDM

○ Enterprise-wide governance approved for HWAM, CSM and VULN

● BigFix licensing costs were higher than expected


CDM Program Successes to Date

► 75 agencies have signed MOAs with CDM PMO

– 23 CFO Act Agencies participate in CDM

– 52 smaller Agencies participate or will participate in current/future CDM Shared Services

► Key successes to date:

– During asset discovery, developed a stronger understanding of the asset counts in the agencies to secure against the threat.

– Deploying sensors to all CFO Act Agencies.

– Increased standardization of security tools and began deployment of agency dashboards to automate reporting and keep the data current.

– Achieved increased savings (~$600M) through the consolidation of tool purchases reflecting a 70% savings compared to IT Schedule 70.

– Shared services platform will be ready in Q3 FY17 for non-CFO Act Agencies.


What’s Next

► Complete Phase 1 deployment, including implementation of both the Agency and Federal Dashboards

► Continue Phase 2 deployment to gain visibility of general user credentials and privileged user access

► New contracting approach – existing BPA expires in 2018

► Award new task orders for Phase 3 (and eventually Phase 4) to assist with perimeter protections and develop the approaches for ongoing assessment, ongoing authorization, and incident reporting standardization

► Update Phase 1 to include cloud and mobile situational awareness

► Mature Dashboards and integrate with other federal cybersecurity programs, including the National Cybersecurity Protection System (NCPS, operationally known as Einstein) and the Automated Indicator Sharing (AIS) program


What We Have Found: Implications for Federal Cybersecurity

► Programmatic:

– What Worked:

• Established consistent engagement by developing Memoranda of Agreement for the agencies

• Pioneered an innovative acquisition approach combining agencies into groups for similar requirements and project efficiencies

• Helped agencies achieve internally consistent enterprise approach, allowing them to leverage similar product knowledge, subject matter expert support, and licensing

• Leveraged consistent system engineering lifecycle

– Challenges:

• Timeline from obligation of funding to award to deployment too long

• Three year period of performance of contracts was too short given size and complexity of work

• Program success depends on collaboration between the offices of the CIO, CFO, and CISO, as well as between network and security operations, presenting challenges particularly in federated agencies

• Varying levels of agency governance and duplicative change control processes

• Suitability and clearance issues


What We Have Found: Implications for Federal Cybersecurity

► Technical:

– What Worked:

• Six agencies have completed tool deployment and have increased visibility into network assets, strengthening management and reducing the attack surface; deployments continue at remaining agencies

• Program met commitment to using Commercial-Off-the-Shelf (COTS) tools for all program requirements

• Agencies, including those that are federated, are striving to deploy enterprise approach to continuous monitoring

• Program established CDM approved products list by evaluating tools to meet the program’s technical requirements

– Challenges:

• Program and agency requirements not always clearly defined

• Some agency infrastructure required hardware procurements to support the CDM tools

• Testing and pre-production environments not always available

• Difficult to streamline and achieve testing efficiencies due to inconsistencies in integrator testing approaches


Audience Q&A

Please use the question box on the top right of your screen to ask questions.

Kris Caylor - DOI Marian Cody - HUD

Dan Frantz - SSA Matthew Hartman - DHS


Get Involved with the CDM Learning Program!

Visit our website: https://www.us-cert.gov/cdm

Engage with our weekly blog: https://www.govloop.com/groups/cdm-learning-bits-bytes

Join our mailing list: [email protected]


Thank you for attending today’s CDM webinar!

► A certificate of attendance will be available to download at www.us-cert.gov/cdm/training within one week of today’s event.

► Please help us provide better learning content by completing the short questionnaire. Your feedback matters!