Though officials working on the Continuous Diagnostics and Mitigation (CDM) program have been aware of the importance of cloud from the beginning, Phase 3 of the program will shift to include cloud concerns, according to Kevin Cox, CDM program manager at the Department of Homeland Security.
“We recognized at the time that cloud was coming down the path,” said Cox, who spoke at the Billington CyberSecurity Summit last week. “So now, as we move into Phase 3, which is about understanding what is happening on the network, what events are happening, we have shifted to be able to start to tap the cloud more, tap mobile more.”
The White House American Technology Council’s (ATC) draft IT modernization report, released in August, makes including cloud an imperative for the future of CDM, but Cox said that he and his people don’t expect any added work that they haven’t already anticipated.
“We’ve been working with our CTO’s office to identify how we do cloud visibility, and it’s not necessarily the way we do on-prem visibility,” said Cox. “We’re not necessarily going to be putting a security agent out on every [virtual machine] in the cloud. We’re really going to be focusing on the interface of the user with the data, and making sure that the agencies have visibility into that.”
According to Cox and other officials, Phase 3 will introduce the CDM Defend program, which will add increased flexibility for agencies participating.
Cox said that the current CDM program relies on a series of Blanket Purchase Agreements (BPAs) that expire in 2018. Those BPAs are more short-term and inflexible than the CDM program seeks to be as it enters Phase 3 and CDM Defend.
“The biggest change that you’re going to see from the baseline of CDM to the CDM Defend program is, as Kevin said, the blanket purchasing agreement is expiring next year,” said Jim Piche, homeland sector director of FEDSIM at the Department of Homeland Security. “So we executed Phase 1 and Phase 2 of the CDM effort under the blanket purchase agreement, but it’s not a sustainable approach. We’re also expanding the CDM capability to include CDM cloud assets and mobile assets, which is a completely new approach to how CDM has been executing what’s available under the BPA.”
“As we head into the CDM defense task orders,” said Cox, “we wanted to build that flexibility in so that we have these longer task orders, we can space out the deployment times a little longer, and work very closely with the agencies to really set the timelines properly so that they can be successful in their deployments.”
According to Robert Allegar, vice president of the cyber futures group at Booz Allen Hamilton, that flexibility is important in addressing the different needs each agency has.
“Having worked with the agencies and the program over the last few years, cyber is one of the few exceptions, one of the only mission spaces, where the outcome is pretty clear (you want to better protect your network, reduce your attack surface, and not get hacked), but how you get there has to vary depending on the agency environment,” said Allegar. “What you need to do is look at the end state, at the outcome, and say ‘OK, we want to reduce risk and reduce our attack surface, but we want to have a very tailored and flexible approach to get there.’ And the behavior of Continuous Diagnostics and Mitigation isn’t the end state. It’s not a redundant CDM, it’s a change in which the agencies have to behave differently. That’s a huge mind-set shift.”