CISA’s DDoS Cyber-Attack Mitigation Guidance Could Impact Agency Contracting

Published: September 08, 2023

Tags: Federal Market Analysis, Contracting Trends, Cybersecurity, CISA, Policy and Legislation

The federal cybersecurity lead agency is urging agencies to assess ways to mitigate DDoS attacks, with the help of contracted solutions.

The Cybersecurity and Infrastructure Security Agency (CISA) has released operational guidance for Federal Civilian Executive Branch (FCEB) agencies to help them evaluate and mitigate the risk of volumetric distributed denial-of-service (DDoS) attacks against their websites and related web services.

CISA’s Capacity Enhancement Guide: Volumetric DDoS Against Web Services Technical Guidance is intended to help agencies prioritize DDoS mitigations based on the impact to their mission and agency reputation, and to help agencies make risk-informed decisions on how to effectively leverage the DDoS mitigation services and resources available from contractors and service providers.

DDoS Impact Analysis and Risk Mitigations

The first section of the guidance provides agencies with a structure to assess the impact to their organization of a successful DDoS attack against various web services, including impacts on public transactions, public access to information, government and industry partnerships, day-to-day agency operations and the reputational impact of degraded website availability.

The second section compares various approaches to mitigating DDoS attacks on web services to aid agencies in selecting the appropriate mitigation methods. The mitigation methods covered by CISA include Content Delivery Networks (CDN); Internet Service Providers (ISP) and upstream providers; Cloud Service Provider (CSP) hosted services; and on-premises hardware and virtualized solutions. For each mitigation method CISA raises related technical considerations, cost factors and “next steps” for agencies to consider in their evaluation.

Federal DDoS Attacks in FISMA Context

While I am not a practicing cybersecurity technician, from reviewing cybersecurity incident metrics for fiscal year (FY) 2022 in the latest Federal Information Security Modernization Act of 2014 (FISMA) report – and the threat vector definitions made by the U.S. Computer Emergency Readiness Team (US-CERT) – it appears that DDoS attacks may potentially fall into multiple attack vectors: Attrition – employs brute force methods to compromise, degrade, or destroy systems, networks, or services; Web – an attack executed from a website or web-based application; or Multiple Attack Vectors – an attack that uses two or more vectors in combination.

In the most recent FISMA report covering FY 2022, Attrition and Multiple Attack Vectors each accounted for 0.6% of reported attacks, and Web accounted for 8%. It is possible that some agencies may have tallied DDoS attacks into the Other/Unknown threat vector category (41%), where the attack method does not fit into any other vector or the cause of attack is unidentified, but that seems unlikely to me, given the widespread awareness of these types of attacks.

While DDoS attacks may not make up the largest category of threat vectors by volume, they certainly represent a persistent and highly impactful threat to federal agencies. In this context, it is not about volume, but impact.

Contractor Implications

For each of the mitigation methods noted above – CDN, ISP/upstream providers, CSP/hosted services and on-premises solutions – CISA’s advice to agencies has implications for the solutions they procure and existing and future contracts.

In assessing their CDN needs and current resources, CISA advises agencies to evaluate DDoS mitigation capabilities they may have available with existing agency CDN services and the associated costs, and to modify contracts as appropriate to incorporate DDoS-related CDN services.

In assessing their ISPs and upstream providers, CISA advises agencies to understand the DDoS protection capabilities that are included in their existing contracts and to select a provider that has the capacity to scale and withstand large volumetric DDoS attacks. CISA also advises agencies to update contracts with their providers to include provisions covering cases where manual activation of mitigations is required (vs. always-on) and situations where additional fees will be incurred.

In assessing CSPs and hosted services, CISA advises agencies to understand which DDoS protections (if any) are included in existing CSP contracts or are available from their current providers. Like their recommendations for ISP contracts, CISA advises agencies to update contracts to address manual activation of mitigations and any additional fees for traffic surges, etc.

In assessing on-premises hardware or virtualized solutions, CISA expressed concern that these solutions do not have sufficient capacity to provide effective DDoS mitigation and should therefore be used only for agency websites with the lowest impact if attacked. CISA advises agencies to work with their hardware vendors to understand any protections and/or limitations in their products/services and all technical and contractual nuances of these offerings. CISA also advises agencies to update contracts to address manual activations, additional fees, etc.

Industry providers who are supplying the above solutions to federal agencies would benefit from proactively engaging with their customers to aid in their DDoS risk evaluation and mitigation processes. Doing so makes good business sense and could foster a partnership atmosphere while building future opportunities.