The First Step in Cybersecurity: Know What You Have

You’ve reached an archived blog post that may be out of date. Please visit the blog homepage for the most current posts.

One of the most fundamental challenges that hampers effective federal cybersecurity is that many federal agencies simply do not know what IT assets they have on their networks, a senior federal cybersecurity official said at a recent conference.

Jim Quinn, lead systems engineer for the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program, discussed this problem at an Aug. 19 conference on CDM presented by FCW:

“CDM is a complex program. It would have been nice if we could have defined everything all in the beginning, but sometime complex problems require decomposition. Ours got decomposed into basically three phases which were really to address three different aspects or problems.

The first is you’ve got to know what’s on your network. I know this will come as a total surprise to everybody, but, you know what, if you ask people, ‘How many machines do you have? What’s your inventory?’ it’s amazing that you can’t get an answer!

“Of course, the justification we have is, if everyone had that answer we could just skip Phase 1 and we could have just started on Phase 2.”

Phase 1 of the DHS CDM program is focused on deploying tools and sensors that will inform federal IT managers what assets they have on their networks. (Later phases of the program focus on providing visibility into who is on the network and then on what is happening on the network and how to respond to incidents that occur.)

This point by Quinn is so fundamental to the federal government’s cybersecurity challenge. In fact, he goes on to say that this notion of knowing what is on your network is one of “a few core concepts” upon which the CDM program rests.

“The first [of these core concepts] is knowing what you have – knowing your actual state. So there’s a lot of emphasis on getting tools and sensors and other things that allow you to discover what you really have.

“The second part is really to go to the corner of getting [your] desired state. Have you formulated policies that say, ‘Where do you want to take your actual state to in order to be able to improve your security posture?’”

In other words, the strategy of the CDM program is to have agencies obtain an in-depth understanding of their current state of cybersecurity, beginning with complete visibility into their IT asset inventory. Once in place, agencies then must chart a course, based on sound risk-management methodologies, to get to their desired cybersecurity posture.

The problem is that this first step of “knowing what you have” presents a major challenge for many federal managers. For one thing, they lack effective enterprise-wide tools that can integrate and synchronize the plethora of silo-based inventories they may track and manage. This leads to huge gaps in visibility.

Some federal managers are often surprised to discover that, once they do deploy a robust IT asset discovery solution and gain that needed visibility into their networks, they find numerous IT assets on their networks that have long passed their end-of-support and end-of-life dates and have become dangerous security vulnerabilities.

Another challenge is that the inventory of assets living on federal networks is exploding due to the constantly evolving and expanding market of mobile and other IP-enabled devices we refer to today as the “Internet of Things.” That means that today’s IT asset discovery and monitoring solutions must be constantly updated with the latest market intelligence in order to keep pace.

The result is that many federal IT managers simply don’t have the tools they need to obtain this necessary visibility into their IT assets. This not only translates into increased security risk and hampers CDM progress, it also frustrates the ability to execute major IT initiatives, such as the Federal Data Center Consolidation Initiative (FDCCI); Cloud First; Software License Optimization; and Federal IT Acquisition Reform Act (FITARA). In other words, you can’t manage and protect what you can’t see.

Agencies are solving this challenge through a suite of solutions developed by BDNA and anchored on BDNA TechnopediaTM, the world’s largest and most comprehensive repository of market intelligence on enterprise software and hardware. These solutions unify IT data sets and then enrich the asset data with detailed market information, such as End-of Life (EOL) dates. This unprecedented visibility into IT assets is providing agencies with key intelligence as they implement continuous monitoring, configuration management, data center consolidation, software licensing, procurement planning, compliance, and EOL and patch management. With comprehensive IT asset data, agencies can ensure that all of their hardware and software is secure, up to date, and operating at peak efficiency to support government missions.

Find out more

For more information call 650-625-9530 or visit to learn more about how BDNA can transform your enterprise technology data.