Page 42 - GCN, Oct/Nov 2016

FEMA FINDS A BETTER APPROACH TO SYSTEMS SECURITY
An aggressive push for improved authentication has resulted in savings, standardization and safer data

The Federal Emergency Management Agency is expected to jump into action during the nation's worst crises and natural disasters, even those in its own online backyard.

So when federal agencies were shaken by the massive breach of Office of Personnel Management records, FEMA officials moved quickly to safeguard their information with much-improved authentication.

"The outcome we are creating is interoperability across federal, state, local, territorial and tribal governments [to] transform the way the agency responds and recovers from natural and man-made disasters," FEMA CIO Adrian Gardner told GCN.

Last October, Gardner's team began working with IBM Global Business Services to enable 76 of the agency's high-priority systems to use personal identity verification cards and single sign-on capabilities to authenticate those accessing information on its systems.

Over the course of the six-month project, the group oversaw more than 70 development teams, multiple vendors, eight FEMA program offices, 10 regional offices, and a wide and far-flung variety of deployments at various FEMA and non-FEMA hosting facilities and cloud providers.

Even for an agency primarily tasked with handling major catastrophes, the tight turnaround, widespread geographic coverage and involvement of so many stakeholders made the project especially challenging. And there are restrictions on changing FEMA systems during active disaster declarations, which added another degree of complexity.

"One of the many surprises was the amount of internal and external coordination required to successfully implement the program in just one year," Gardner said.

Indeed, reaching agreement on a set of requirements for a fixed-price contract, working through cultural differences and sustaining top-level support throughout the project were major obstacles, he added.

The results, though, have been substantial. High-value systems are now at Level of Assurance 4, and employees have a standardized solution across the agency. The deployment was a major step forward in protecting data for FEMA, its partners and the disaster survivors it helps.

— Karen Epper Hoffman

Hacking the Pentagon for patriotism and profit
The Defense Digital Service proves that bug-bounty programs can pay big dividends for government agencies

The Defense Digital Service is charged with using private-sector talent and best practices to improve critical Defense Department systems, and hopefully modernize DOD's IT mindset in the process. Hack the Pentagon, a bug-bounty program that was tested this past spring, did both.

DOD partnered with HackerOne, a San Francisco-based bug-bounty management startup. More than 1,400 hackers signed up, and the first bug was reported just 13 minutes after the program began. In all, 138 bounties were paid for confirmed vulnerabilities in the five sites that were tested. Individual bounties ranged from $100 to $15,000, depending on the severity of the bug discovered.

The cost of the pilot was approximately $150,000, and Pentagon officials estimated that a traditional security audit to discover those same holes would have cost $1 million. Arguably more important than the money, however, was the policy and planning work to make a government bug-bounty program feasible.

"We spent a tremendous amount of time with our legal team and all of the stakeholders across the departments to make sure

The new software assurance program has proved wildly popular, even beyond program developers' expectations. As part of its launch plan for the F3 service, DISA scheduled a series of marketing presentations, handouts and webinars.

"Since they had no idea what kind of response might be expected, DISA scheduled the call for one hour and had a limited number of spaces available," Farrell said. "Unexpectedly, the webinar was a big success, and all the connections into the webinar were taken. ... A second webinar was held the following week with equally positive response."

With F3, DISA has made it easy for Forge.mil users to rapidly and affordably deliver dependable software, services and systems.

— Karen Epper Hoffman