GCN : September 2013
CYBEREYE BY WILLIAM JACKSON

OUTSOURCING CYBERSECURITY? FEDS GET BEHIND THE IDEA.

THE RECENT AWARD of a $6 billion blanket purchase agreement to 17 companies for security monitoring tools and services was a big business story and no doubt welcome news for federal contractors in this age of sequestration. It also illustrates government's growing acceptance of the idea of security-as-a-service.

Agencies are moving from static, endpoint security tools toward a more holistic approach to cybersecurity, letting service providers handle more of the chores of continuously monitoring and assessing the security status of IT systems at the enterprise level.

It is not a wholesale shift, of course. There still are plenty of point products being used and security management being done in-house. But just a few years ago the idea of outsourcing security was controversial. Today, the Homeland Security Department is touting continuous-monitoring-as-a-service as a part of a major step forward in protecting government systems.

The blanket purchase agreements are part of a move in government from periodic assessment and certification under the Federal Information Security Management Act to continuous monitoring. Continuous monitoring of IT systems and networks was identified last year by the Office of Management and Budget as a Cross-Agency Priority goal. DHS, which has been delegated responsibility for overseeing FISMA, established the more appropriately named Continuous Diagnostics and Mitigation program, intended as a one-stop shop for tools and services enabling monitoring.

On Aug. 12, BPAs were awarded through the General Services Administration to 17 companies to provide these tools and services. The contracts have a one-year base period with four one-year options and an estimated value of $6 billion. The goal is not only to provide a cost-effective way to acquire cybersecurity solutions, but also to create a standardized platform for automated monitoring and reporting of the state of hardware and software.

Agencies will have their own dashboards that will alert them to the most critical security risks, helping them prioritize mitigation efforts and provide near-real-time information on security status. Summary information would give DHS a similar view of the entire .gov domain.

This is not DHS's first foray into security-as-a-service. In July, the Einstein 3 intrusion detection and prevention service went into operation at the first agency. It is a managed security service provided by DHS through Internet service providers. Initially deployed in 2004, it has advanced from network traffic analysis to automated blocking of malicious traffic. The Veterans Affairs Department was scheduled to become the second agency to turn on the service in August, with others coming online as ISPs are ready to accept them.

Einstein 2 now is deployed at 17 of 18 agencies that are using a Trusted Internet Connection provider and at 52 other agencies using Managed Trusted IP Services (MTIPS) under the Networx contract. It is expected to be deployed at 70 percent of executive branch agencies by the end of the fiscal year, as legacy networking contracts expire and more agencies move to MTIPS.

Both of these trends, the move from static evaluation to continuous monitoring and letting service providers handle enterprise-level tasks, could go a long way toward improving federal cybersecurity.

For more than a decade FISMA has provided a framework for IT security, and agencies have struggled to improve their security postures while complying with the law's requirements. Almost from its inception in 2002 there have been calls for FISMA reform to move agencies away from focusing on compliance and toward actually improving security. Despite these calls, successive Congresses mired in partisan gridlock have been unable to provide reform.

Recent developments are evidence that FISMA's supporters might be right, however. The problem is not in the law, which has always called for risk-based security and continuous (or near-continuous) monitoring of systems, but with oversight that has placed more importance on compliance than results.

Not everything has been fixed. Statutory responsibility for overseeing FISMA still lies with OMB rather than DHS. And neither Einstein 3 nor the Continuous Diagnostics and Mitigation program has been in place long enough to show results. But the administration is demonstrating practical creativity in evolving federal cybersecurity.