Agencies are rolling out aspects of the Continuous Diagnostics and Mitigation (CDM) Program with varying degrees of speed and success, but the inherent benefits of the program are not being questioned.
Tuesday’s Congressional hearing on CDM provided a glimpse of both sides of the spectrum: agencies that are already reaping cybersecurity gains, and those that have encountered logistical challenges in their rollouts. Regardless of where agencies sit in enacting CDM’s phases, there seems to be agreement that the tools are aiding agency security prerogatives.
CDM aims to make network visibility and control a standard for all agencies–too many agency IT leaders do not have a good picture of what’s on their network. Kevin Cox, CDM program manager at the Department of Homeland Security, pointed out a noteworthy statistic.
“We found a 75 percent increase in terms of the total number of assets [agencies have on their networks] once we got automated tools into the environment,” he said.
With greater knowledge of what’s connected, the National Protection and Programs Directorate (NPPD) at DHS has more confidence in managing threats, compared to the previous system of agency self-reporting.
“CDM is changing this model, enabling NPPD to immediately view the prevalence of a given software product or vulnerability across the federal government,” Cox said. “The real key for us is to get from a reactive stance to a proactive. We want to get out in front of the threat.”
In addition to giving DHS the monitoring tools to serve as an effective agency watchdog, CDM is also inspiring confidence in the top dogs at the agencies themselves.
“I’m very confident we know who and what is on our networks,” said David Garcia, CIO at the Office of Personnel Management (OPM). “I don’t think you can ever get to 100 percent, but I’m as confident as I can be in the defenses we’ve put in place and a large portion of that has been hand-in-glove with the CDM program.”
The massive OPM breach in 2015 that compromised millions of Federal worker records put the impetus on the agency to make radical changes to its network permissions, architecture, and defense platform. Garcia was happy to report that crisis really did initiate a bit of a culture change.
“We have 100% PIV authentication for network access,” he said. “We have micro-segmentation. You can’t get onto OPM’s networks unless we know you’re on.”
OPM was lauded for the quick turn-around, and being able to initiate CDM’s rollout of network sensors and agency dashboards has provided myriad benefits.
“We were able to see across the spectrum,” Garcia said. “We can see items that are requiring patches. We can see operating systems at our end-of-life and we can see the progress we made with our patch updates as well.”
The hearing also gave notice that adoption of CDM might be more complicated for some agencies. Max Everett, CIO at the Department of Energy (DoE), was candid in acknowledging his agency’s shortfalls.
“Frankly, we’re behind because we have focused on a very small part of the department,” Everett said. “Where we have CDM installed is limited at this point.”
Expecting the same progress on CDM from all agencies might be a tough ask for an agency like DoE, with its industrial control systems and complex networks. But the hearing called attention to the vital national security interest of securing the power grid run by those systems.
Thankfully, there are avenues to make change. Everett took his post in July 2017, and says he’s empowered to make investments necessary to actualize CDM goals.
“I report directly to the secretary and deputy secretary,” Everett said, in keeping with FITARA efforts to promote CIO empowerment. “[They have] made cybersecurity a priority not only for our internal networks but also in our role as a sector-specific agency to the energy sector.”
DHS is clearly aware that implementations vary and needs can change quickly. Cox discussed how the “CDM Defend” acquisition strategy allows for constant retooling.
Agencies can execute different tasks in parallel, for example, working on phase three or four, while at the same time adding a tool or process into phase one or two, Cox explained.
CDM Defend also helps meet evolving procurement needs with long-term task orders of five to six years. An integrator can meet DHS requests for different types of technologies more quickly than if they had to re-compete a new contract each time.
The recognition that getting agencies’ network protection through all four phases of CDM will require guidance and oversight is shared by appropriators, it seems, because DHS is footing the bill.
“We fund the foundational year of the licensing, plus the first maintenance year, then we transition the maintenance of those tools over to the agencies,” Cox said, acknowledging the guiding hand of DHS in early CDM adoption. “In those first two years we also provide integration support to help with the deployment of those tools.”
So while the task may be taller from some agencies, the tools and support are in place to tackle the wide range of their needs.