A Government Accountability Office (GAO) review has examined how the Federal Aviation Administration (FAA), Indian Health Service (IHS), and Small Business Administration (SBA) use cybersecurity tools.
The Department of Homeland Security (DHS) provides agencies with cybersecurity tools that identify the hardware and software on their networks and check for vulnerabilities and insecure configurations. GAO found that the agencies’ hardware inventories were missing information and contained duplicates.
The agencies had generally deployed tools intended to provide cybersecurity data to support DHS' Continuous Diagnostics and Mitigation (CDM) program. In 2013, DHS established the CDM program to strengthen the cybersecurity of government networks and systems by providing tools to agencies to continuously monitor their networks. The program, with estimated costs of about $10.9 billion, intends to provide capabilities for agencies to identify, prioritize, and mitigate cybersecurity vulnerabilities. The program relies on automated tools to identify hardware and software residing on agency networks. This information is aggregated and compared to expected outcomes, such as whether actual device configuration settings meet federal benchmarks. The information is then displayed on an agency dashboard and a federal dashboard.
However, while agencies reported that the program improved their network awareness, none had effectively implemented all key CDM program requirements. For example, the three agencies had not fully implemented requirements for managing their hardware. This was due in part to contractors, who install and troubleshoot the tools, not always providing unique identifying information. Accordingly, CDM tools did not provide an accurate count of the hardware on their networks.
For example, FAA had partially associated its hardware with Federal Information Security Management Act (FISMA) systems in its CDM tools. Specifically, as of April 2020, the agency had used CDM tools to associate most of the hardware on its network with six FISMA systems. However, the agency was still in the process of documenting the remainder of its hardware in a format that could be used by the CDM tools. Although FAA had approximately 200 systems in its inventory, agency CDM staff stated that, in addition to the hardware associated with six systems, they planned to associate the remaining hardware with approximately six additional systems, but had not specified a time frame for completing this effort.
According to the staff, these 12 primary systems support the remaining systems and the agency’s integrator designed the CDM tools to only record hardware for these primary systems, rather than potentially associating specific hardware devices with multiple systems that may use it. The staff also stated that the problem with multiple identifiers described above also negatively affected their ability to associate the devices with systems.
Although most agencies implemented requirements for managing software, they were not consistently comparing configuration settings on their networks to federal core benchmarks intended to maintain a standard level of security.
For example, SBA had not deployed CDM tools for managing its software. SBA CDM officials stated that the agency had not implemented software asset management because the tools provided by the integrator caused agency devices to malfunction and crash. According to the CDM Program Management Office, as of May 2020, the office was working with the agency and its integrator to implement an alternate solution that is expected to work in the agency's environment to support software asset management requirements, including uniquely identifying software and periodically updating software information.
GAO found that the agencies’ CDM tools collected required information on the time a vulnerability was first detected, but had not collected the time a vulnerability was remediated.
FAA used CDM tools to collect information about the first time a vulnerability was detected but not the time it was remediated. Agency CDM staff stated that the integrator would need to make changes to how the CDM tools recorded vulnerability information. The staff further stated that the time of remediation information was unreliable.
IHS used CDM tools to collect information about the first time a vulnerability was detected, but it did not collect information on the time that a vulnerability was remediated. IHS CDM staff stated that the agency lacked system storage necessary to retain vulnerability remediation information.
SBA used CDM tools to collect information on the time a vulnerability was first detected but not the time it was remediated. Agency staff stated that the integrator’s CDM solution did not provide a mechanism to capture this information.
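The two data-quality gaps described above (hardware records without a unique identifier or with duplicate identifiers, and vulnerability records that carry a first-detected time but no remediation time) are easy to check for mechanically. The following is an added example, not code from the GAO report or from any CDM tool; the record layout, field names, and sample records are constructed for illustration. It flags the inventory defects and shows why a missing remediation timestamp leaves time-to-remediate uncomputable for that finding.

```python
"""Data-quality checks over CDM-style hardware and vulnerability records.

Constructed example: the field names (device_id, fisma_system, first_detected,
remediated) and all sample records are hypothetical, not taken from the report.
"""
from collections import Counter
from datetime import datetime

# Constructed hardware inventory exhibiting the defects GAO described.
HARDWARE = [
    {"device_id": "HW-0001", "hostname": "ws-101", "fisma_system": "SYS-A"},
    {"device_id": "HW-0001", "hostname": "ws-101", "fisma_system": "SYS-A"},  # duplicate record
    {"device_id": "",        "hostname": "srv-07", "fisma_system": "SYS-B"},  # no unique identifier
    {"device_id": "HW-0004", "hostname": "srv-08", "fisma_system": None},     # not tied to a FISMA system
    {"device_id": "HW-0005", "hostname": "ws-102", "fisma_system": "SYS-B"},
]

# Constructed vulnerability findings; V-2 was detected but never marked remediated.
VULNS = [
    {"vuln_id": "V-1", "device_id": "HW-0001",
     "first_detected": "2020-03-01T08:00:00", "remediated": "2020-03-11T08:00:00"},
    {"vuln_id": "V-2", "device_id": "HW-0005",
     "first_detected": "2020-03-02T08:00:00", "remediated": None},
    {"vuln_id": "V-3", "device_id": "HW-0004",
     "first_detected": "2020-03-05T08:00:00", "remediated": "2020-03-09T08:00:00"},
]


def hardware_inventory_issues(records):
    """Classify inventory records into the defect types that distort device counts.

    Returns the raw record count next to the count of distinct identifiers so the
    gap between "rows in the tool" and "devices on the network" is visible.
    """
    ids = Counter(r["device_id"] for r in records if r["device_id"])
    return {
        "record_count": len(records),
        "distinct_devices": len(ids),
        "missing_identifier": [r["hostname"] for r in records if not r["device_id"]],
        "duplicate_identifier": sorted(i for i, n in ids.items() if n > 1),
        "unassociated": [r["device_id"] for r in records
                         if r["device_id"] and not r["fisma_system"]],
    }


def remediation_gaps(vulns):
    """List findings with no remediation time and compute mean time to remediate.

    MTTR (in days) is computed only over findings that have both timestamps;
    findings missing a remediation time are reported separately rather than
    silently dropped or treated as still open.
    """
    closed, missing = [], []
    for v in vulns:
        if v["remediated"] is None:
            missing.append(v["vuln_id"])
            continue
        start = datetime.fromisoformat(v["first_detected"])
        end = datetime.fromisoformat(v["remediated"])
        closed.append((v["vuln_id"], (end - start).total_seconds() / 86400))
    mttr = sum(d for _, d in closed) / len(closed) if closed else None
    return {"missing_remediation_time": missing, "mttr_days": mttr}


if __name__ == "__main__":
    print(hardware_inventory_issues(HARDWARE))
    print(remediation_gaps(VULNS))
```

On the constructed data the inventory shows five records but only three distinct identified devices, which is the kind of inflated count the report attributes to integrators not supplying unique identifiers; the vulnerability check reports V-2 as lacking a remediation time and computes MTTR only from V-1 and V-3.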
To address the shortcomings found in the review, GAO makes a number of recommendations in its August 18 report, including six to the Department of Homeland Security:
- Ensure that integrators’ solutions provide unique identifiers for hardware on selected agencies’ networks.
- Ensure that FAA’s system integrator records FISMA system information in the agency’s CDM tools.
- Ensure that IHS’s system integrator records FISMA system information in the agency’s CDM tools.
- Ensure that FAA’s system integrator establishes a process to integrate all vulnerability information in the agency’s CDM tools, including the time a vulnerability was remediated.
- Ensure that IHS’s system integrator establishes a process to integrate all vulnerability information in the agency’s CDM tools, including the time a vulnerability was remediated.
- Ensure that SBA’s system integrator establishes a process to integrate all vulnerability information in the agency’s CDM tools, including the time a vulnerability was remediated.
DHS concurred with all six recommendations and stated that it intends to address them by June 30, 2021.
The remaining recommendations were made to the three agencies covered in GAO’s technical review. The watchdog recommends that:
- FAA and SBA should each commit to a time frame for completing their efforts to associate hardware with their FISMA systems.
- IHS should document approved hardware inventory information by associating FISMA systems with the hardware on its network in a format that can be readily integrated into its CDM tools.
- All three agencies should document agency-specific variations from federal core configuration benchmarks for each operating system on their networks.
- All three agencies should configure their CDM tools to compare configuration settings against federal core benchmarks and the agency-specific variations applicable to their environment.
All three agencies concurred.
Overall, the agencies told GAO they had identified various challenges to implementing the CDM program, including overcoming resource limitations and not being able to resolve problems directly with contractors. GAO found DHS had taken numerous steps to help manage these challenges, including tracking risks of insufficient resources, providing forums for agencies to raise concerns, and allowing agencies to provide feedback to DHS on contractor performance.
Despite these actions, GAO concluded that without further assistance from DHS in helping agencies overcome implementation shortcomings, the program, costing billions of dollars, will likely not fully achieve its expected benefits.