Following the Cybersecurity Executive Order, security professionals are focusing on risk management frameworks, and some agencies are turning to the Continuous Diagnostics and Mitigation (CDM) Program.
“Security is not something that you buy, it’s something that you do,” said Matt Conner, chief information security officer and director of the cybersecurity office at the National Geospatial-Intelligence Agency.
Conner said that security requires the cooperation of the senior officials as well as every agency employee.
“When I talk to the director…he wants to know from an agency perspective, where are we,” Conner said.
Agencies are moving toward an enterprise-wide security structure to ensure the cybersecurity posture of the whole agency rather than focusing on individual small networks. The Navy re-prioritized $300 million of its budget in 2014 in order to address cyber resiliency.
“Fortunately, we didn’t have to explain this to our seniors because they get it, and that makes a huge difference,” said Thresa Lang, deputy director of the Navy Cybersecurity Division.
The Navy could not join the CDM program because it is only offered to executive branch agencies, but its risk management program complements the work that other agencies are doing.
“I see very similar types of cooperation in the executive agencies,” Lang said.
The first phase of CDM required agencies to map their networks to find out the scope of what they would need to protect and defend in the next phases. James Quinn, lead systems engineer for the CDM Program at the Department of Homeland Security, found that Federal devices were underreported. DHS estimated that the agencies would find about 2 million assets, but they ended up finding about 4 million.
“Agencies should have knowledge of all IP addressable devices,” Quinn said. “The attack surface was much larger than that so the consciousness had to be much larger.”
CDM offered a variety of technological solutions in phase 1 and ended up changing the way it approved solutions in order to offer even more competitive products for agencies to meet their goals, according to Quinn.
(Phase 2 asks which persons are on a network; phase 3 examines what information is getting in through a network; and phase 4 deals with data protection capabilities.)
The Department of Justice is moving on to phase 3 of CDM. Brian Depasse, assistant director of cyber engineering, architecture and identity management at DOJ, said that CDM has matured quickly compared to the size of the program.
Depasse said that CDM has motivated DOJ to do additional planning and prioritizing to ensure that the agency is meeting its security goals. Depasse also said that it helps that CDM isn’t an unfunded mandate. It instead gives agencies a solution that they can use without trying to find the money within their limited IT budgets.
“We’re actually able to get somewhere,” Depasse said.