The Federal Network Resilience (FNR) Cybersecurity Assurance (CA) branch employs a collaborative approach with the Federal Civilian Executive Branch to measure, monitor, and validate cross-government initiatives and to assess cyber risks.
Cybersecurity Assurance assesses the state of operational readiness and cybersecurity risk of unclassified federal networks and systems. CA proactively engages with departments and agencies to improve their cybersecurity posture by assessing capabilities, identifying vulnerabilities, evaluating risks, and providing prioritized guidance that optimizes the remediation activities needed to close capability gaps, limit exposure, reduce exploitation, and increase the speed and effectiveness of cyber attack responses.
CA seeks to provide services that promote a healthy, secure, and resilient IT infrastructure across the federal enterprise's computer networks and systems; measure the implementation of mandatory cybersecurity capabilities; and provide an enterprise view of the federal government's cybersecurity posture.
Benefits to the Federal Government
CA benefits the federal government by providing cost savings and cross-government consistency through centralization of information system security services. CA services and activities include:
- promotion of awareness of agency compliance with cybersecurity responsibilities;
- collection of objective data that validates previous, and supports ongoing, improvements by the agency;
- establishment of an enterprise view of the federal government's cybersecurity posture, thus enabling policy-makers to develop sound cybersecurity policy and risk mitigation strategies;
- increased confidence that agencies are complying with published cybersecurity requirements; and
- reduction of government spending on cybersecurity by leveraging our resources in engagements across Federal Civilian Executive Branch agencies, thus maximizing the return on investment in those resources by DHS and eliminating the need for similar investments by agencies.
Benefits to Individual Agencies
CA benefits individual agencies by:
- satisfying agency requirements stemming from FISMA, Office of Management and Budget memos, and the Comprehensive National Cybersecurity Initiative;
- identifying capability gaps that help agencies recognize opportunities for improvement and assist agencies with prioritization of remediation activities and justification of budget requests;
- evaluating the overall effectiveness of an agency’s security program;
- clearly articulating and quantifying agency risk;
- providing access to expertise and resources not readily available, at no cost to the agency; and
- providing third-party risk assessments at no cost to the agency to assist with FISMA compliance.
Operational Assurance Section
The Operational Assurance Section (OAS) works in coordination with agencies to conduct proactive blue-team assessments that validate their technical capabilities (tools and technologies) and operational readiness (people, processes, and security program maturity). OAS has two functions:
- Cybersecurity Capability Validations (CCV) assessments are conducted collaboratively with an agency to assess and validate their implementation of cybersecurity capabilities required by Federal laws, policies and initiatives.
- Cyber Hygiene activities assess Internet-accessible federal civilian systems for known vulnerabilities and configuration errors. As potential issues are identified, CA works with impacted agencies to proactively mitigate threats and risks to their systems. Activities include:
  - Network mapping
  - Vulnerability scanning
  - Configuration review and error detection
Risk Evaluation (RE) conducts red-team assessments that combine national threat and vulnerability information with data collected and discovered through onsite testing activities at the assessed agency to provide tailored risk analysis reports with actionable remediation recommendations prioritized by risk. Service capabilities include:
- Network (wired and wireless) mapping and system characterization
- Vulnerability scanning and validation
- Threat identification and evaluation
- Social engineering
- Web application testing
- Database scanning and review
- Operating system configuration review
- Incident response testing
Analysis and Reporting
The data collected through OAS and RE activities is used to produce actionable reports for departments and agencies that have been assessed and is also anonymized, aggregated, and normalized in order to create summary dashboards and reports for trending and visualization.