CDM Must Adapt to Keep Pace With Cybercriminals

CDM: The Next Chapter

As the Federal government has shifted to telework, the security of its cloud and mobile environments has grown even more critical. Concerningly, the majority of Federal stakeholders believe the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program isn’t able to keep pace with cyber threats, a new report from MeriTalk found.

In the report, CDM: The Next Chapter, the vast majority of respondents (68 percent) told MeriTalk that while they believe the CDM program is making progress, it isn’t adapting fast enough to protect growing cloud and mobile environments – both of which are essential for the Federal government’s ability to telework at scale in the COVID-19 era.

CDM Central is going virtual for the June 2020 Conference Learn More

Since the CDM program’s creation in 2012, Federal agencies have made significant cybersecurity improvements, with the majority of respondents saying agencies are integrating CDM as part of their overall cyber strategies, rather than as a stand-alone initiative. When asked to grade their agencies’ adoption of CDM, 81 percent of respondents gave their agency a passing grade.

However, cybercriminals aren’t accepting defeat – they’re looking for new avenues of attack. The research found that 90 percent of Federal stakeholders believe that adversaries are out-pacing agencies’ best efforts to harden their cybersecurity defenses.

With the need to stay ahead of cybercriminals, Federal stakeholders are looking to how CDM needs to evolve. Cloud and mobile security are top of mind for stakeholders, with 90 percent saying agency visibility for cloud and mobile devices must be as good as or better than visibility for on-prem systems. However, only half are taking steps to apply CDM principles to those areas.

On the topic of cybersecurity, respondents said CDM needs to integrate with other cybersecurity initiatives – 82 percent said Trusted Internet Connections (TIC) 3.0 will support CDM progress.

In addition to cloud and mobile device security, respondents also rated automation, zero trust, and managed security services as key to CDM’s long-term success. However, despite viewing automation as essential, agencies estimate that just 45 percent of their current CDM processes are automated.

Nearly half of Federal respondents (48 percent) said that CDM needs to encourage consolidation and the use of shared services and that the program needs to help clarify the division of security responsibilities between agencies and cloud providers.

With nearly every agency moving to maximum telework, the importance of securing the cloud and mobile environments cannot be overstated. The CDM program has helped agencies make significant progress in hardening their cyber defenses; however, it is time for the program to evolve faster to meet the everchanging threat landscape. To that end, MeriTalk offered up a handful of recommendations:

  • DHS and other agencies need to increase guidance and expand existing CDM principles to address modern infrastructure and devices.
  • There needs to be a collaborative effort from DHS, Federal agencies, and the private sector to develop best practices for cloud and automation solutions. The Federal government and its private sector partners need to leverage the “agility of cloud, the efficiency of automation, and the effectiveness of zero trust.”
  • With an eye towards integrating CDM with other cyber initiatives like TIC 3.0, DHS needs to work with other agencies to streamline cyber requirements and promote shared services.
Kate Polit
About Kate Polit
Kate Polit is MeriTalk's Assistant Copy & Production Editor covering the intersection of government and technology.

Categories

Recent