Federal Agencies Rush to Inventory Key IT Assets
Action Is First Step in New White House Cybersecurity Strategy and Implementation Plan
Under the White House's new cybersecurity strategy and implementation plan, known as CSIP, federal civilian agencies face a Nov. 13 deadline to identify and report their high-value information and assets that could attract adversaries.
Conducting an asset inventory by the end of next week could prove challenging for many government agencies, even though Federal CIO Tony Scott gave them a head start, of sorts. The CSIP is a result of the so-called 30-day cybersecurity sprint, which Scott unveiled in June, to assess the status of federal civilian agencies' IT security. In launching the sprint, Scott called on agencies to inventory their high-value assets (Ramping Up Agency Security, Yet Again).
"Plain and simple, it's hard," says Malcolm Harkins, global chief information security officer at the software provider Cylance.
Greg Garcia, executive vice president of McBee Strategic Consulting and former DHS assistant secretary for cybersecurity, characterizes the deadline agencies face as aggressive. "The coordination required to succeed may overwhelm bureaucratic capabilities," Garcia says. "But the foundation is laid and the tools are available, so it's time to execute. As Larry the Cable Guy would say: 'git-r-done.'"
In addition, agencies will be challenged in managing the process and politics of prioritizing information and assets to align with agency mission, Garcia says. "Large, distributed organizations such as in the federal enterprise have difficulty mapping and assessing their architectures," he says.
Defining High Value Assets
The memorandum detailing the CSIP defines "high-value assets" as systems, facilities, data and data sets that would be of particular interest to potential adversaries. High-value assets could contain sensitive controls, instructions or data used in critical federal operations, or house collections of data, unique in size or content, that would make them of particular interest to criminal, politically motivated or state-sponsored actors for either direct exploitation of the data or to cause a loss of confidence in the U.S. government.
Mapping dependencies among critical assets presents additional challenges. "If the confidentiality of intellectual property is the highest valued asset, then anything that connects to or creates a dependency on the protection of that asset is thus likely categorized at the same level," Harkins says. "From the one asset, you get many, many other dependencies and assets."
Regardless of the difficulty in identifying and inventorying high-value information and assets, failing to do so could create risks for agencies in defending themselves against cyberattacks.
"If an agency doesn't know what its most sensitive and critical systems are, then it's pretty difficult to know what to monitor," says Patrick Howard, an IT security consultant and former CISO at the Nuclear Regulatory Agency and Department of Housing and Urban Development. "They could waste a whole lot of effort and resources unnecessarily. It has to start from a risk-based awareness of your own agency in its operations."
Different Way to Assess Risk
The CSIP assesses risk to critical information assets through the eyes of the attackers. For most agencies, that's a new strategy. Agencies already assess information security risks based on the importance of critical assets to their respective missions, as defined in the National Institute of Standards and Technology's Federal Information Processing Standards Publication known as FIPS 199: Standards for Security Categorization of Federal Information and Information Systems. FIPS 199 defines three levels of potential impact on the functioning of an organization posed by a security breach: high, moderate and low. High impact is defined as the loss of confidentiality, integrity or availability having a severe or catastrophic adverse impact on organizational operations, assets or individuals.
In assessing risk through the adversary's perspective, agencies need to consider the attacker's capability and intent as well as the systems and data being targeted, says NIST Senior Fellow Ron Ross, whom OMB consulted in developing the CSIP.
Ross sees a synergy between the ways FIPS 199 and CSIP assess risk. He says the CSIP assessment could get agencies to rethink their FIPS 199 assessment by "potentially adding additional security controls to strengthen [IT safeguards] now that you know you're being targeted or that it's a high-value asset to the adversary."
Identifying Interagency Resources
As agencies take stock of their own critical IT assets under the CSIP, the Office of the Director of National Intelligence is identifying the appropriate interagency resources to lead a threat assessment of federal high-value assets at risk of being targeted by adversaries. It will produce its findings by year's end, according to the CSIP. Simultaneously, the Department of Homeland Security is leading a team, augmented by the Defense Department, intelligence community and other agencies, to employ continuous diagnostics and mitigation, or CDM, technologies and processes to identify new threats to government IT assets.
Implementing continuous diagnostics and mitigation "is fundamental to helping agencies develop a better understanding of the risks to their IT systems and networks through improved identification and detection of cyberthreats," federal CIO Scott says in the memo detailing the CSIP.
Congress provided funding to DHS in the last fiscal year, which ended Sept. 30, to buy sensors and tools for nearly every major federal agency to be used to paint an accurate picture of their critical hardware and software assets. CDM tools being distributed this fiscal year are intended to help agencies ensure employees and contractors use appropriately secure methods to access federal systems.