Categories  Cyber Security

Northrop Grumman $189M for Host Based Security System (HBSS) program

Looking to continue improving cybersecurity across a range of Department of Defense Networks, the Defense Information Systems Agency (DISA) awarded a large task order to Northrop Grumman to serve as the prime integrator on the Host Based Security System (HBSS) program. The deal includes a three-year base period, with two options, potentially worth $189 million.

HBSS is a flexible, commercial-off-the-shelf (COTS)-based program that monitors, detects, and counters against known cyber-threats to the DoD Enterprise in accordance with the Enterprise-wide Information Assurance and Computer Network Defense Solutions Steering Group.

HBSS, a software suite that includes a variety of protection and network monitoring tools, is required on all DoD networks following a 2007 mandate, and the current deal will include protection for a wide range of devices such as phones and tablets, company spokesmen said.
DISA serves as the lead organization providing program oversight for DoD for the HBSS solution.
Northrop will be working with McAfee Security as the prime subcontractor on the program. The two have been providing HBSS software to the U.S. Air Force since 2008, and will share the larger responsibility of covering a variety of both classified and unclassified networks.
“We‟ve been at the forefront of this activity since several years back,” said Doyle Choi, vice president of business development for defense enterprise solutions at Northrop.
Choi said that the contract will allow the company to improve its HBSS offering in the coming years.
“We‟re enabling additional capabilities as the product matures through its life cycle,” he said. “This is not a static mission. It‟s constantly changing, and so we have to adapt to that.”
Although the HBSS program has been around since 2005, with BAE Systems taking the helm at an earlier stage, the recent emphasis has been on new devices, said Tom Conway, director of business development for McAfee.
“They really want to and they‟re feeling a pressure to roll out more mobile devices,” he said.
That interest follows the rapid growth of devices used by defense employees, Conway said.
“A few years ago, we had an average of 0.7 end-user devices. It‟s now above three for every employee.”
Conway said the software solutions McAfee would be providing with Northrop will aim for flexibility, including a variety of tools that network administrators can employ.
“Think of it as a Swiss army knife,” he said.

Sources Defense News, DoD, McAfee

HBSS – Host Based Security System –  (From Wikipedia, the free encyclopedia)

The Host Based Security System (HBSS) is the official name given to the Department of Defense (DOD) commercial-off-the-shelf (COTS) suite of software applications used within the DOD to monitor, detect and counterattacks against the DOD computer networks and systems. The Enterprise-wide Information Assurance and computer Network Defense Solutions Steering Group (ESSG) sponsored the acquisition of the HBSS System for use within the DOD Enterprise Network. HBSS is deployed on both the Non-Classified Internet Protocol Routed Network (NIPRNet) and Secret Internet Protocol Routed Network (SIPRNet) networks, with priority given to installing it on the NIPRNet. HBSS is based on McAfee, Inc’s ePolicy Orchestrator (ePO) and other McAfee point product security applications such as Host Intrusion Prevention System (HIPS).
Seeing the need to supply a comprehensive, department-wide security suite of tools for DOD System Administrators, the ESSG started to gather requirements for the formation of a host-based security system in the summer of 2005. In March 2006, BAE Systems and McAfee were awarded a contract to supply an automated host-based security system to the department. After the award, 22 pilot sites were identified to receive the first deployments of HBSS.[1] During the pilot roll out, DOD System Administrators around the world were identified and trained on using the HBSS software in preparation for software deployment across DOD.
On October 9, 2007, the Joint Task Force for Global Network Operations (JTF-GNO) released Communications Tasking Order (CTO) 07-12 (Deployment of Host Based Security System (HBSS)) mandating the deployment of HBSS on all Combatant Command, Service and Agency (CC/S/A) networks within DOD with the completion date by the 3rd quarter of 2008.[2] The release of this CTO brought HBSS to the attention of all major department heads and CC/S/A’s, providing the ESSG with the necessary authority to enforce its deployment. Agencies not willing to comply with the CTO now risked being disconnected from the DOD Global Information Grid (GIG) for any lack of compliance.
Lessons learned from the pilot deployments provided valuable insight to the HBSS program, eventually leading to the Defense Information Systems Agency (DISA) supplying both pre-loaded HBSS hardware as well as providing an HBSS software image that could be loaded on compliant hardware platforms. This proved to be invaluable to easing the deployment task on the newly trained HBSS System Administrators and provided a consistent department-wide software baseline. The DISA further provided step-by-step documentation for completing an HBSS baseline creation from a freshly installed operating system. The lessons learned from the NIPRNet deployments simplified the process of deploying HBSS on the SIPRNet.
Significant HBSS Dates
• Summer 2005: ESSG gathered information on establishing an HBSS automated system
• March 2006: BAE Systems and McAfee awarded contract for HBSS establishment and deployment
• March 27, 2007: The ESSG approved the HBSS for full-scale deployment throughout the DoD enterprise
• October 9, 2007: The JTF-GNO releases CTO 07-12
• November, 2009: The Air Force awarded Northrop Grumman, Inc. with the deployment of HBSS on the SIPRNet[3]
HBSS Components
Throughout its lifetime, HBSS has undergone several major baseline updates as well as minor maintenance releases. The first major release of HBSS was known as Baseline 1.0 and contained the McAfee ePolicy Orchestrator engine, HIPS, Software Compliance Profiler (SCP), Rogue System Detection (RSD), Asset Baseline Manager (ABM), and Assets software. As new releases were introduced, these software products have evolved, had new products added, and in some cases, been completely replaced for different products.
As of January, 2011, HBSS is currently at Baseline 4.5, Maintenance Release 2.0 (MR2). MR2 contains the following software:
How HBSS Works
The heart of the HBSS is the McAfee ePolicy Orchestrator (ePO) management engine. The engine is responsible for:
• Providing a consistent front-end to the point products
• Consolidating point product data for analysis
• Presenting point product reports
• Managing the point product updates and communications
• Ensure application patch compliance

McAfee Point Products
McAfee considers a point product to be the individual software applications controlled by the ePO server. The HBSS point products consist of the following:
• Host Intrusion Prevention System (HIPS)
• Policy Auditor (PA)
• Assets Baseline Module (ABM)
• Rogue System Detection (RSD)
• Device Control Module (DCM)
• Asset Publishing Service (APS)

Host Intrusion Prevention System
The Host Intrusion Prevention System (HIPS) consists of a host-based firewall, HIPS, and application-level blocking consolidated in a single product. The HIPS component is one of the most significant components of the HBSS, as it provides for the capability to block known intrusion signatures and restrict unauthorized services and applications running on the host machines.
Policy Auditor
Policy Auditor (PA) was introduced in HBSS Baseline 2.0. PA is responsible for ensuring compliance with mandates such as PCI DSS, SOX, GLBA, HIPAA, FISMA, as well as the best practice frameworks ISO 27001 and COBIT.[4]
Assets Baseline Module
The Assets Baseline Module, released in Baseline 1.0 as a Government off-the-shelf (GOTS) product, is used to address system baseline configurations and changes in order to respond to Information Operations Condition (INFOCON) (INFOCON) changes necessary during times of heightened security threats to the system. During the initial deployment stages of HBSS, the Assets Module was juvenile and lacked much of the products intended capabilities. However, the application has fully evolved into a robust and feature packed version capable of handling the original software’s design goals. ABM was originally known as Assets 1.0. It was upgraded to Assets 2.0 in HBSS Baseline 2.0. Later it was called Assets 3000 in HBSS Baseline 3.0.
Rogue System Detection
The Rogue System Detector (RSD) component of HBSS is used to provide real-time detection of new hosts attaching to the network. RSD monitors network segments and reports all hosts seen on the network to the ePO Server. The ePO Server then determines whether the system is connected to the ePO Server, has a McAfee Agent installed, has been identified as an exception, or is considered rogue. The ePO Server can then take the appropriate action(s) concerning the rogue host, as specified in the RSD policy. HBSS Baseline 1.0 introduced RSD 1.0. RSD was updated to 2.0 in HBSS Baseline 2.0.
Device Control Module/Data Loss Prevention
The DCM component of HBSS was introduced in HBSS Baseline 2.0 specifically to address the use of USB devices on DOD Networks. JTF-GNO CTO 09-xxx, Removable Flash Media Device Implementation Within and Between Department of Defense (DOD) Networks was released in March, 2009 and allowed the use of USB removable media, provided it meets all of the conditions stated within the CTO. One of these conditions requires the use of HBSS with the DCM module installed and configured to manage the USB devices attached to the system.[5] The DCM was renamed to the Data Loss Prevention (DLP) in HBSS Baseline 3.0 MR3.
Assets Publishing Service
The Assets Publishing Service (APS) of HBSS was introduced in HBSS Baseline 4.0 to allow for enclaves to report on asset information to a third-party DoD entity in a standards-compliant format. It adds contextual information to HBSS assets and allows for improved reporting features on systems relying on HBSS data.

Obtaining HBSS
According to JTF-GNO CTO 07-12, all DOD agencies are required to deploy HBSS to their networks. The DISA has made HBSS software available for download on their PKI protected patch server. Users attempting to download the software are required to have a Common Access Card (CAC) and be on a .mil network. The DISA provides software and updates free of charge to DOD entities.
Additionally, HBSS Administrators require the satisfactory completion of HBSS training and are commonly appointed by the unit or section commander in writing.
Learning HBSS
In order to receive and administer and HBSS System, System Administrators must satisfactorily complete online or in class HBSS Training as well as be identified as an HBSS Administrator. Online training takes 30 hours to complete while in class training requires four days, excluding travel. An advanced HBSS class is also available to HBSS Administrators wishing to acquire a more in-depth knowledge of the system. HBSS online and in class training is managed by the DISA and information pertaining to these training classes can be obtained at the DISA Information Assurance Support Environment (IASE) website.
HBSS Support
The DISA Field Security Office (FSO) provides free technical support for all HBSS Administrators through their help desk. DISA has three tiers of support, from Tier I to Tier III. Tier I and Tier II support is provided by DISA FSO, while Tier III support is provided by McAfee. DISA FSO

1. ^ Host Based Security System, http://www.disa.mil/hbss/index.html, 3/13/2010
2. ^ Host Based Security System HBSS), http://www.afcea.org/events/landwarnet/08/infoexchange.asp, 3/13/2010
3. ^ Henry Kenyon, Northrop Grumman Wins Air Force SIPRNET Contract, http://www.afcea.org/signal/signalscape/index.php/2009/11/northrop-grumman-wins-air-force-siprnet-contract/, 3/13/2010
4. ^ McAfee Policy Auditor. http://www.mcafee.com/us/enterprise/products/system_security/clients/policy_auditor.html,3/14/2010
5. ^ Tom Conway, DOD Can Safely Use USB, http://blogs.mcafee.com/enterprise/public-sector/dod-can-use-usb-securely, (Security Insights Blog), 3/9/2010
6. ^ IA Tools, http://iase.disa.mil/tools/index.html, 3/14/2010

Comments are closed.