The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) set out to have reliable cyber data for 24 CFO Act Federal agencies by the end of the September, but a new update from the agency says only a “handful of agencies” are on track for that, and the goal is not likely to be accomplished until next fiscal year.
CISA is using the agency-wide adaptive risk enumeration algorithm, or AWARE algorithm, generated by its Continuous Diagnostics and Mitigation (CDM) program, to identify the severity of vulnerabilities in agency networks, and their persistence. CISA’s CDM Program Manager Kevin Cox explained the metric at an event in July.
“The idea that we’re really aiming for with our AWARE algorithm is to be able to start to quantify the aggregate number of opportunities for an adversary, and help those agencies see that, so that they can see where they need to focus their efforts and reduce their attack surface,” he said.
And while 18 of the 24 CFO Act agencies were reporting their CDM program data up to the Federal dashboard in July, the reliability of that is still being improved. The agency had hoped all 24 CFO Act agencies would have reliable asset AWARE score by the end of September, according to its Fiscal Year 2020 target. Instead less than a quarter of the CFO Act agencies are on track to have a reliable AWARE score by the end of quarter four of the 2020 Fiscal Year, which ends on Sept. 30.
“The program expects a handful of agencies to achieve CDM data quality certification, indicating a reliable AWARE score, by the end of Q4 FY20,” a September program update states. “The process for remaining agencies will continue through, and is expected to complete in, FY21.”
According to the update’s appendix, “AWARE scores serve as a mechanism to prioritize and remediate system vulnerabilities.”
The agency’s primary goal, according to the update, is to mitigate 75 percent of “critical and high configuration-based vulnerabilities identified through high value asset assessments” by September 30, 2021. The agency mitigated 77 percent of vulnerabilities identified through cyber hygiene scanning within the designated timeline, but the mitigation of high value asset vulnerabilities during that timeframe fell short of the target.