Agency Security Update Service (ASUS)

Mike BolgerKSC CIO

ASUS Data Collection

The ASUS Project collects Enterprise IT Security Data:» Patch Management – 80,000+ devices» Software Inventory – 80,000+ devices» Federal Desktop Core Configuration (FDCC) – 60,000+

devices» Network Vulnerability – 120,000+ devices» Network Inventory – 120,000+ devices

Data is stored in IT Security Enterprise Data Warehouse (ITSEC-EDW)» Provides centralized “one-stop-shop” for IT Security

Data

204/19/23

Continuous Monitoring / Reporting

3

Example Data

Continuous Monitoring / Reporting

4

Interactive website provides searchable reports

List ofVulnerabilitiesBy CenterOr SecurityPlan

Drill down to a list of Workstation/server withvulnerabilities

Continuous Monitoring

The Agency is focusing on expanded Continuous Monitoring in alignment to proposed FISMA changes» ASUS Team is currently providing Continuous

Monitoring for:• Patch Management• Software Inventory• Network Inventory• Network Vulnerabilities

» Developing automated methods to Continuously Monitor NIST 800-53 Controls (IT System Security Plans)

504/19/23

IT Security Risk-Based Reporting

Continuous Monitoring will feed NASA IT Security Risk Score» Provide overall Risk score for a Security Plan, Center

and the Agency» Helps focus workforce to problem areas» Puts focus on reducing risk, not just meeting metrics

6

Metric Reporting

Tells us that there IS avulnerability

Risk Based Reporting

Tells us how avulnerability couldAFFECT us if it was

exploited

Collaboration with other NASA projects

ASUS Project is working to add IT Security Data Sources» Incident data from the NASA SOC» Antivirus data from ODIN» DHCP data from IPAM» Application data from Agency Data Center Consolidation

(ADCC)

The ASUS Project is a preventative tool in NASA’s IT Security arsenal

704/19/23

Agency is moving to a new Patch Management Solution» Reached the potential of the PatchLink product» Selected product» Benefits:

• More robust Agent• Scalable to meet NASA’s complex architecture• Follows OVAL standards• Provides additional functionality

o “Agent on a USB Stick”o Network Inventory to locate machines missing an Agent

• Appliance – reduces costs and maintenance for the Agency

Patch Management Solution

804/19/23

Agency Data Center Consolidation (ADCC)

Collaborating with the Agency Data Center Consolidation (ADCC) Project» OMB has come out with the “Federal Data Center

Consolidation Initiative”» Goal is to reduce overall costs and energy consumption» ADCC is preparing to deploy an Inventory and

Application Mapping tool in all NASA Data Centers– Application Mapping = tells us what is required to move a

“service” (i.e. Tech Doc)

» ASUS team will be providing the technical expertise to coordinate the deployment of the automated tool across the Agency

904/19/23