October 28, 2020 – Joint Committee on Cybersecurity, Information Technology and Biotechnology
Franco Cappa, Cybersecurity Advisor, Cybersecurity and Infrastructure Security Agency (CISA)
CISA: The Nation’s Risk Advisor
On November 16, 2018, President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018. This landmark legislation elevated the mission of the former National Protection and Programs Directorate (NPPD) within DHS and established CISA. CISA is the pinnacle of national risk management for cyber and physical infrastructure.
CISA Mission and Vision
- Mission: Lead the collaborative national effort to strengthen the security and resiliency of America’s critical infrastructure.
- Vision: A nation with secure, resilient, and reliable critical infrastructure upon which the American way of life can thrive.
Critical Infrastructure Sectors (16)
- Chemical
- Communications
- Emergency Services
- Nuclear Reactors, Materials, and Waste
- Financial Services
- Information Technology
- Transportation Systems
- Government Facilities
- Food & Agriculture
- Health Care & Public Health
- Water & Wastewater Systems
- Commercial Facilities
- Critical Manufacturing
- Defense Industrial Base
- Energy
- Dams
A Wide Range of Offerings
Preparedness Activities:
- Information / Threat Indicator Sharing
- Cybersecurity Training and Awareness
- Cyber Exercises and “Playbooks”
- National Cyber Awareness System
- Vulnerability Notes Database
- Information Products and Recommended Practices
- Cybersecurity Evaluations
Response Assistance:
- Remote / On-Site Assistance
- Malware Analysis
- Hunt and Incident Response Teams
- Incident Coordination
Cybersecurity Assessments
Facilitated Cyber Security Evaluations
- Cyber Resilience Review (CRR)
- External Dependencies Management (EDM)
- Cyber Infrastructure Survey (CIS)
National Cybersecurity Assessments and Technical Services (NCATS) Evaluations
- Cyber Security Evaluation Tool (CSET)
- Cyber Hygiene Service (Network & Web Applications)
- Phishing Campaign Assessment
- Validated Architecture Design Review (VADR)
- Remote Penetration Testing (RPT)
- Risk and Vulnerability Assessment (aka “Pen” Test)
Cyber Resilience Review (CRR)
Purpose: The CRR is an assessment intended to evaluate an organization’s operational resilience and cybersecurity practices across 10 foundational cyber security domains.
Delivery: The CRR can be facilitated by a DHS cybersecurity professional or self-administered by organizations using the CRR self-assessment package.
Output: The CRR provides organizations with a report detailing their capability and maturity in security management, and their gaps against the NIST Cybersecurity Framework (CSF).
Scope: The CRR is a voluntary assessment that is available at no-cost to requesting organizations.
Cyber Infrastructure Survey (CIS)
The CIS is an assessment of the essential cybersecurity practices in place for critical services within critical infrastructure organizations. It is a structured, interview-based assessment covering more than 80 cyber security controls grouped under five surveyed topics. Participating organizations receive a cyber security “Dashboard” that allows them to:
- See their results compared against other members of their critical infrastructure sector
- Review their results in the context of specific cyber and physical threat scenarios, and
- Dynamically adjust the status of in-place practices
Cyber Security Evaluation Tool (CSET)
The Cyber Security Evaluation Tool (CSET) is a no-cost, voluntary, stand-alone desktop application that guides asset owners and operators through a systematic process for evaluating their operational technology (OT) and information technology (IT) network security practices. The tool helps organizations evaluate their cyber security posture against recognized standards and best-practice recommendations in a systematic, disciplined, and repeatable manner.
Cyber Hygiene: Vulnerability Scan
- Assess Internet-accessible systems for known vulnerabilities and configuration errors.
- Work with the organization to proactively mitigate threats and risks to its systems. Activities include:
  - Network Mapping
    - Identify public IP address space
    - Identify hosts that are active in that address space
    - Determine the operating system and services running
    - Re-run scans to determine any changes
    - Graphically represent the address space on a map
  - Network Vulnerability & Configuration Scanning
    - Identify network vulnerabilities and weaknesses
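The “re-run scans to determine any changes” step above is the part of the Cyber Hygiene workflow that an organization can reproduce itself: keep a baseline of what was visible last time and diff each new scan against it. The example below is added here and is not CISA’s code; the snapshots are constructed sample data in the 192.0.2.0/24 documentation range, and the host/port/service layout is an assumed simplification of real scan output.

```python
from typing import Dict, List, Tuple

# A snapshot maps host -> {port: service name}. Constructed sample data,
# standing in for the parsed output of two successive external scans.
Snapshot = Dict[str, Dict[int, str]]

BASELINE: Snapshot = {
    "192.0.2.10": {22: "ssh", 443: "https"},
    "192.0.2.11": {80: "http"},
    "192.0.2.12": {25: "smtp"},
}
RESCAN: Snapshot = {
    "192.0.2.10": {22: "ssh", 443: "https", 3389: "rdp"},  # newly exposed service
    "192.0.2.11": {80: "http"},                            # unchanged
    "192.0.2.13": {21: "ftp"},                             # newly active host
}

Service = Tuple[str, int, str]


def diff_scans(baseline: Snapshot, rescan: Snapshot) -> Dict[str, list]:
    """Return what appeared or disappeared between two scans of the same space."""
    new_hosts = sorted(set(rescan) - set(baseline))
    gone_hosts = sorted(set(baseline) - set(rescan))
    new_services: List[Service] = []     # exposed in rescan but not in baseline
    closed_services: List[Service] = []  # present in baseline but gone now
    for host in sorted(set(baseline) & set(rescan)):
        before, after = baseline[host], rescan[host]
        for port in sorted(set(after) - set(before)):
            new_services.append((host, port, after[port]))
        for port in sorted(set(before) - set(after)):
            closed_services.append((host, port, before[port]))
    return {"new_hosts": new_hosts, "gone_hosts": gone_hosts,
            "new_services": new_services, "closed_services": closed_services}


def review_items(changes: Dict[str, list]) -> List[str]:
    """Turn the diff into the items an owner should confirm are intended."""
    items = [f"REVIEW new host {h}: expected on the public range?" for h in changes["new_hosts"]]
    items += [f"REVIEW {h}:{p} ({s}) newly exposed: authorized change?"
              for h, p, s in changes["new_services"]]
    items += [f"INFO host {h} no longer responding" for h in changes["gone_hosts"]]
    items += [f"INFO {h}:{p} ({s}) closed" for h, p, s in changes["closed_services"]]
    return items


if __name__ == "__main__":
    for line in review_items(diff_scans(BASELINE, RESCAN)):
        print(line)
```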
Penetration Testing (RVA & RPT)
Purpose: Perform external penetration testing and security services to identify risks and externally exploitable pathways into systems, networks and applications.
Scope: Organization / Business Unit / Network-Based IT Service
Information Sought: Network, Database, Application scope and/or access to be tested with various security tools.
Cybersecurity Training & Exercises
- CISA offers easily accessible education and awareness resources through the National Initiative for Cybersecurity Careers and Studies (NICCS) website.
- FedVTE is an online, on-demand training center that provides free cyber security training for U.S. veterans and federal, state, local, tribal, and territorial government employees.
- CISA’s National Cyber Exercise and Planning Program (NCEPP) develops, conducts, and evaluates cyber exercises and planning activities for state, local, tribal and territorial governments and public and private sector critical infrastructure organizations.
Information Sharing
- Automated Indicator Sharing (AIS) enables the bidirectional sharing of IOCs between the Federal Government and AIS partners in real-time by leveraging industry standards for machine-to-machine communication.
- Information Sharing and Analysis Centers (ISACs) and ISAOs are non-profit, member-driven organizations for facilitating sharing information between government and industry.
- Fusion Centers are state-owned and operated centers that serve as focal points in states and major urban areas for the receipt, analysis, gathering, and sharing of threat-related information.
CISA Mailing Lists and Feeds
- Alerts – timely information about current security issues, vulnerabilities, and exploits.
- Analysis Reports – in-depth analysis on new or evolving cyber threats.
- Bulletins – weekly summaries of new vulnerabilities. Patch information is provided when available.
- Tips – advice about common security issues for the general public.
- Current Activity – up-to-date information about high-impact types of security activity affecting the community at large.
Integrated CISA Watch
The mission of CISA Central is to serve as the national center for reporting and mitigating cyber and communications incidents.
- Provide alerts, warnings, and a common operating picture on cyber and communications incidents in real time to virtual and on-site partners.
- Work 24×7 with partners to mitigate incidents (on-site partners include the DoD, FBI, Secret Service, Information Sharing and Analysis Centers, other DHS components, and public partners).
Federal Incident Response
- Threat Response: Attributing, pursuing, and disrupting malicious cyber actors and malicious cyber activity. Conducting criminal investigations and other actions to counter the malicious cyber activity.
- Asset Response: Protecting assets and mitigating vulnerabilities in the face of malicious cyber activity, reducing the impact to systems and data; strengthening, recovering, and restoring services; identifying other entities at risk; and assessing potential risk to the broader community.
Michael Leahy, Secretary, Maryland Department of Information Technology
Why is the ITMP written?
- Maryland Code: State Finance & Procurement Article § 3A-303
- The Secretary is responsible for carrying out the following duties:
  - developing, maintaining, revising, and enforcing information technology policies, procedures, and standards;
  - (4) developing and maintaining a statewide information technology master plan that will:
    - (i) be the basis for the management and direction of information technology within the Executive Branch of State government;
State Technology Governance Framework
The ITMP provides the basis for the management and direction of IT within the executive branch of state government. DoIT develops and maintains IT plans, policies, and standards on behalf of the State.
- Updated Information Technology Policy Catalog
- State of Maryland Information Technology Security Manual
Organizational Goals and Strategic Objectives
- Provide IT Leadership for State Government
- Promote IT as a Strategic Investment
- Provide a Reliable, Secure, and Modern IT Infrastructure
- Create Measurable Improvements in the Cybersecurity Posture of the State
Q&A
Senator Susan Lee: What is your budget right now to modernize and accomplish all of these things?
Michael Leahy: We, like every other agency, have been looking for ways to save money because of the fiscal challenges due to the reduction of revenues. Our budget has actually not increased; we expect a significant decrease next year in the MITDP funding for additional projects. We’re going to reassess how we prioritize particular issues.
Senator Katie Fry Hester: Do you have a plan to fill a talent pipeline? Whether it’s increased hiring or increased staff payment. Do you have an ask of the legislature?
Michael Leahy: Yes, we do have a plan. We will be talking to you about how the legislature can help us. Right now the plan includes us working very closely with the Department of Budget and Management, who establishes classification and compensation for all positions. We are rewriting the technology-oriented position descriptions. We are surveying locally and elsewhere with regard to what are the best practices for attracting people of talent. We are looking at recruiting nationally.
Delegate Sandy Bartlett: Is the Department of Labor requesting your help and what is being done for the simple process of getting a person to answer the phone?
Michael Leahy: This is a problem that has arisen in places other than Maryland. The volume of daily calls with regard to unemployment insurance went up a thousandfold. We implemented a number of ways to create what became a virtual communication center. We are moving from telephone technology that has been in place since the 1990s to a voice over IP system across the state. Each agency is doing this with our help but in their own time. Since you’ve brought this up to me, I will be in touch with the secretary over there and offer her our help.
Senator Katie Fry Hester: Regarding cyber security. Are you able to provide any overview of what assessments you’ve completed so far?
Chip Stewart: We have a tool that we’re using that pulls a bunch of data both public data and using discovery tools on the inside to evaluate the posture of systems.
Michael Leahy: There are a number of ways we are monitoring the devices we control. We are looking into using what I’m going to call robotic process automation or AI to look for things that are out of the ordinary.
Senator Katie Fry Hester: Are you able to evaluate how agencies are doing in terms of best practices?
Chip Stewart: Looking at the CRR tool, I think that is likely a very good fit.
Senator Katie Fry Hester: Is MSDE one of the agencies that you work very closely with, or is it one of the large agencies that is federated?
Chip Stewart: The answer is a little bit of both. We’ve been working with them over the past 24 months to bring them in. They are comprised of a bunch of subunits as well.
Senator Katie Fry Hester: Regarding IT modernization. Can you give us any status updates on our IT modernization across the state?
Michael Leahy: I think there are three things we have to get agreement on before we can talk about enterprise modernization. We have to get people in government to be more data-centric. As things operate today, we are more focused on the hardware and software than on what information we have that’s available to use and how we are using it. We have significant technology debt, and it’s not just Maryland, it is many states. The second part of this goes to what is our philosophy. Our ability to do things virtually and in the cloud I believe is the way to go.