Continuous Diagnostics and Mitigation (CDM) Program Manager Kevin Cox said today that the program’s mission has mostly continued without a hitch through the COVID-19 pandemic, while also serving to better inform the Cybersecurity and Infrastructure Security Agency (CISA) and Federal agencies about the security implications of maximum telework.
“We’ve been working closely with all our agencies and our CDM systems integrators to make sure that we understand the risks associated once the COVID-19 pandemic set in, and then working to make sure we can continue to do our important work of CDM to help make sure that the agencies’ networks are protected and that the data that’s managed day to day is protected,” Cox said at MeriTalk’s CDM Central: Tales from the Frontlines virtual event.
“We’ve worked very closely with each agency and with our systems integrators to ensure that various [CDM] work efforts can continue forward,” he said. “There’s been a couple cases where agencies have gotten pulled off on other tasks tied to COVID, but overall all of our CDM efforts have continued forward unabated.”
“We have worked to understand any new risks that the agencies have and things that we as a program want to look at going forward to ensure that as agencies continue with a telework or remote work posture that we can help support that,” he said. “And then just in general wherever they have data, whether it is on-prem or out in the cloud that we can continue to help ensure that that data is protected, and make sure that we’re continuing to get our capabilities in place.”
“We’re working within CISA and with our industry partners to understand what are best practices that others are following, to ensure that we can continue to have good communications with all of our partners, and more importantly, potentially, is that we continue to make progress in in protecting our agencies and helping them really get the right technologies in place and processes in place,” Cox said.
Elsewhere on the program front, Cox said:
The CDM program has now has more than 80 percent of the Federal unclassified environment covered with CDM sensors. That’s paid off, Cox said, when critical vulnerabilities hit. Agencies have been able to use their CDM tools and sensors to quickly find vulnerabilities and quickly patch and remediate them, he said.
The program has “core dashboard infrastructure” in place with 23 CFO Act agencies – and a total of 59 agencies – where the reporting mechanisms are in place to feed data from agency dashboards to the Federal dashboard.
The program’s cloud-based shared services platform for smaller agencies now includes 52 percent of the non-CFO Act agencies, which number about 80 in total. The program is in the pre-deployment phase with another 19 percent of those agencies, and is working with the remainder to get them on the platform. Cox said the program’s recent award of the new CDM DEFEND task order for the non-CFO Act agencies will build on that progress.
The program has started to deploy its new dashboard in work “with a number agencies,” Cox said.
He continued, “We want to make sure that that the data that gets fed from the sensors up to the dashboard – both the agency and the Federal dashboard – is aligned well, so that when data is seen in the Federal dashboard that we know it aligns well with what is being seen down at that individual endpoint at the agency.
To further that goal, he said the program has been working for nine months on a data quality management certification process. He said the process has been finalized, and that the program office is working with agencies “to go through the criterial to make sure that the data they are seeing down at the sensor level is being properly reported in the agency dashboard and up through the Federal dashboard.” He added, “This is a process that once started, will continue through the life of the program.”
The data quality effort, Cox said, ties in with efforts to operationalize CDM data through the AWARE (Agency-Wide Adaptive Risk Enumeration) algorithm. “We are in the process of continuing to roll that out,” he said. Cox said that none of the AWARE scores “are fully turned on yet until we go through the data quality management certification process.”
“We want to make sure that the agencies are comfortable with their data being reported up before being fully operationalized through AWARE,” he said.
Finally, he said the program office plans to continue work with agencies including the Small Business Administration on pilots for cloud security, and working to bring on mobility management and align with agencies’ mobility enterprise system in order to bring mobile asset reporting into dashboards. “We have the approach fine and ready to go,” Cox said. “We’ll be working with the integrators and the agencies in Fiscal Year 2021 to get that started to be rolled out.”
Please visit CDM Central: Tales from the Frontlines for on-demand replays of today’s conference sessions. Then continue the conversation on July 15 at 1:30 p.m. EDT with MeriTalk’s CDM: The Next Chapter webinar that explores our recent survey of government and industry stakeholders to catalog progress and chart the path forward for the program.