The innovation: Deploying continuous automated monitoring to radically reduce the vulnerability of confidential citizen health data, with the added innovation of generating competition among contractors to improve security.
WASHINGTON DC, October 30, 2012 - The Centers for Medicare & Medicaid Services (CMS) has won a 2012 U.S. National Cybersecurity Innovation Award for using continuous automated monitoring to protect confidential citizen health data against theft and alteration.
CMS manage nearly 200 data centers, processing claims and payments with a value of over $800 billion each year for medical services rendered to over 100 million program beneficiaries and recipients. The vast majority of CMS confidential citizen data are stored and administered by a complicated network of 38 contractors across nearly 200 sites, obliging CMS to educate, train, and guide each of these contractors to produce and make effective use of cybersecurity information.
CMS designed a process to leverage the data collected internally, creating an agency-wide, proactive risk-reduction program to continuously improve security across their network of contractors and data centers. CMS also developed and implemented a system that ingests data collected from sites, prioritizes the findings, and then creates easily interpreted reports to help system owners take the highest value mitigation steps required to rapidly and efficiently remediate the most serious cyber security weaknesses.
To effectively reduce risk across the widely distributed network of sites, CMS first developed a process to assess the relative security of each datacenter and normalized these security scores across the variety of security tools providing the feeds. The resulting product is a single, cohesive, apples-to-apples scoring solution that pinpoints critical risks, provides remediation information, and creates visibility in a manner that drives rapid remediation responses. CMS demonstrated initial success with this system in 2010 by developing a vulnerability risk scorecard and letter grading system to foster healthy competition among the contractors. Through this program, CMS reduced the average host risk scores at two high-risk data centers by over 68% between July 2010 and January 2011.
By creating a positive competitive spirit, CMS motivated contractors to succeed in reducing risk across CMS's entire nationwide system. The lessons learned by each contractor during this process were shared to help sister programs achieve similar results at a minimal incremental cost, and CMS has since applied this repeatable and proven approach to its most visible system, the newly created Affordable Care Act Health Insurance Exchanges.
The annual U.S. National Cybersecurity Innovation Awards recognize initiatives by companies and government agencies that contribute to significant cyber risk reduction, have not been deployed effectively before in a similar fashion, can be scaled quickly to serve large numbers of people, and should be supported and adopted quickly by many other organizations. Nominators include senior U.S. government officials involved with cybersecurity as well as leaders from major cybersecurity Information Sharing and Analysis Centers. Corporations and individuals may also nominate innovations. For the 2012 awards, more than 30 nominations were received and nine were selected. The panel of judges for the 2012 awards is described below.
Sameer Bhalotra served as White House Senior Director for Cybersecurity, leading the national identity management and continuous monitoring initiatives. He also served as the principal cybersecurity staffer for the Senate Intelligence Committee, which oversees the cyber budgets of the National Security Agency and the other intelligence agencies.
Tony Sager's stellar career at the National Security Agency spanned 34 years. He headed the Systems & Network Attack Center, oversaw all Red and Blue Team projects, created and headed security product evaluation teams, helped guide the agency's top talent development programs, served as founding director of the Vulnerability Analysis & Operations Group (comprised of 700 of the NSA's top technical cybersecurity specialists), and was the Chief Operating Officer for the Information Assurance Directorate.
Asheem Chandna is the dean of venture capitalists in the cybersecurity field. As a partner at Greylock since 2003, he has helped create and grow multiple security technology businesses to market-leading positions, and successfully merged several into larger companies. He also serves on the panel of judges for the Wall Street Journal Global Technology Innovation Awards.
Alan Paller is Director of Research at the SANS Institute, where he oversees an international search for people and organizations that have found important ways to reduce the risk posed by cyber threats. He also oversees the Internet Storm Center and the annual initiative to determine the seven most dangerous new attack vectors. He co-chairs the DHS Task Force on Cyberskills and the FCC Working Group on Cybersecurity Best Practices in the telecommunications industry.
Director of Research
(301) 951-0102 x108