DHS piloting agile cyber acquisition, CDM for cloud, CISO says
The Department of Homeland Security is developing a new acquisition management directive tailored around agile development to provide more flexibility to its cybersecurity operations, CISO Jeffery Eisensmith said Thursday.
The model is currently being piloted to help iteratively bake in the security requirements to software solutions at the same time as its development and operations, commonly known as DevOpsSec, Eisensmith said at the Consortium for IT Software Quality’s Cyber Resilience Summit as part of Washington DC CyberWeek
“You look at one of the biggest impediments we have, and it was the acquisition piece,” he said. “You can’t use an aircraft carrier acquisition style to buy agile work. If you spend a year and a half on requirements and about two-thirds of the [outsourced product development] by the time you get to your first year, it just doesn’t make sense.”
So Eisensmith said his team approached DHS with an idea: Let them create a new acquisition pilot without a pilot policy and experiment with how to make it work with the iterative process of agile development.
“We knew that the acquisition management directive for DHS to do software purchases was one that didn’t support the agile methodology, so after a lot of work and pleading and cajoling and generally begging, we got management to say, ‘Fine, we’ll let you try something new,’” he explained.
The CISO said the emerging program is still being flushed out, but he added that it provided the agency with more speed and flexibility in trying to decide the products it wants to deploy.
“The big difference is that the light products are being brought before the acquisition board on a much more frequent basis, which is what you want to do,” he said. “So far, we’ve had great success with that.”
Eisensmith also spoke about the benefits of shared services in deploying cybersecurity options for smaller agencies, a key component of the Trump administration’s cybersecurity executive order.
He said that the continuous diagnostic and mitigation program’s group F task order would soon being offering smaller agencies cloud-based cybersecurity defenses.
“When you talk about cybersecurity, it’s not a fair fight if you are a small or medium or micro-organization. You are just going to get creamed,” Eisensmith said. “But shared resources, group F, DHS is standing up a cloud of CDM defenses that are going to be available for smalls and micros, that’s a rock star idea that’s coming to a government near you soon.”
Small Business Administration CIO Maria Roat referenced a CDM cloud program that her agency is working on in September, saying that the agency was the first to attempt the application and was on track to complete its first phase of development by October.