DHS fine tunes cyber 'credit score' program
A cyber hygiene “credit score” is in the works for federal agencies -- but don’t expect to see a public report card anytime soon.
Continuous Diagnostics and Mitigation Program Manager Kevin Cox said at FCW’s Nov. 28 CDM event that the Agency-Wide Adaptive Risk Enumeration (AWARE) algorithm is already ingesting data, and the plan is to put it “fully into production heading into FY2020.”
AWARE is intended to help agencies prioritize mitigation activities so they can improve basic cybersecurity hygiene, according to Dave Otto, a risk management subject-matter expert with the Department of Homeland Security's federal network resilience division who spoke in a September webinar. The algorithm assigns a weighted cyber hygiene score based on unmitigated threats and promotes a "worst-problems first" approach when dealing with mitigation issues.
Cox told reporters after his Nov. 28 speech that AWARE could also be used to accelerate agencies’ response to a future zero-day vulnerability. “We wanted to have a mechanism that if a zero-day hit, [DHS officials] could dial up the response and say, ‘this is a priority patch,’” he said. Because the algorithm weights each indicator in the data streams, “we can turn up the weight on a particular vulnerability, shoot those scores up,” and immediately call agencies’ attention to the risk.
The relatively slow rollout of AWARE is to ensure that the data being crunched by the algorithm is accurate, Cox said, and that agencies are confident the resulting scores “reflect the reality of their systems.”
For now, AWARE simply shows how an agency compares to the cross-agency average. “But at the end of the day,” Cox said, “we don’t want to grade on a curve.”
“I don’t know that we’re going to get to an A-B-C-D-F framework,” he said, “but we want to at least get to a set of ranges where agencies know that they should aim for this range for their score.”
Even when AWARE moves into production, the risk scores still may not be public, Cox said, as they could effectively steer adversaries to the most vulnerable agencies.
The peer pressure that comes with scorecards can be valuable, he noted, and “we want to be as transparent as possible, but we don’t want to put the agencies at risk. So we have to find that balance.”
Cox also said that every CFO Act agency is now rolling up data to the federal dashboard, and that 16 non-CFO agencies are doing so through the CDM program’s shared-services platform.