In its June update to its agency goals under the President’s Management Agenda, the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) revealed it is unlikely to meet its goals on cyber hygiene scanning, intrusion detection, and high value asset vulnerability mitigation.
The department notes that 38 percent of significant vulnerabilities identified through cyber hygiene scanning were mitigated within the agency’s timeline in Q2 of fiscal year 2019—well below the agency’s target of 70 percent. CISA noted that the metric is below its target “due to misalignment with the requirement of agencies in [Binding Operational Directive] 15-01 … and the standard defined in the indicator, which is 15 days to mitigate a critical vulnerability and 30 days to mitigate a high vulnerability.” With the introduction of new standards that align with the agency’s goal, the metric may see improvement as agencies work to patch faster. The update also cited the government shutdown as a reason for slow mitigation, “as multiple agencies contacted CISA to report that those responsible for mitigating vulnerabilities were furloughed.”
CISA noted that it is also unlikely to meet its goal on mitigating vulnerabilities identified in assessments of high value assets within 30 days, as agencies are only mitigating around 33 percent in Q2 of FY2019, below CISA’s target of 45 percent. The metric is an improvement over Q1 of FY2019 at 29 percent, and in the explanation of the result, CISA noted that “this measure will continue to have high variance due to the variety and difficulty of vulnerabilities identified each quarter and the different maturity levels of assessed agencies.” In Q2, CISA identified seven critical vulnerabilities in agency high value assets, five of which were addressed within 75 days.
On EINSTEIN intrusion detection, CISA noted that its metric of the percentage of detected incidents attributed to nation-state activity is out of the agency’s control. In Q2, CISA attributed 14 percent of detected intrusion attempts to nation-state activity, below the ‘target’ of 21 percent. “Detection is a bigger challenge than attribution,” the update adds.
A bright spot for CISA is the Continuous Diagnostics and Mitigation (CDM) program, where it is likely to meet most of its goals. On the CDM Dashboard, 98 percent of agencies have an active data feed into the Federal dashboard, including all civilian CFO Act agencies, and nine percent of agencies are providing data on user access and privileges to the Federal CDM dashboard, a good start on the way to the goal of 42 percent of agencies. CISA is slightly behind on its goal for making CDM tools available to 100 percent of agencies, but noted that its final CDM DEFEND task order is likely to be awarded in Q1 of FY2020.