The Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program aimed at helping Federal agencies fundamentally improve network security is moving ahead in a number of significant, future-leaning areas at the program level to advance its broad cybersecurity mission.
And where the rubber hits the road at the Federal agency level, progress on CDM implementation is also heading in the right direction. Recent checks show that the pace of agency progress remains dependent on a number of factors including agency size, mission complexity, state of IT modernization, and the all-important funding realm.
The bottom-line takeaway: Parties on both sides of the equation are trying hard and spending big money to implement an enormous bottom-up network security refresh across the civilian Federal government. The most valuable fruit of that labor – on both the DHS and civilian agency sides – will begin to be realized when agencies work their way through the first two of four key CDM capability areas. Click here for a nuts-and-bolts primer on the program.
To-Do List Toppers
The CDM Program Office headed by Kevin Cox has a broad mandate and sizeable budget to promote CDM adoption across 23 CFO Act agencies – the largest civilian agencies in the Federal government – plus approaching 100 smaller and “micro” agencies.
At public events over the past few months, Cox has laid out an ambitious list of near-term work for the program office. Of the two most pressing priorities he recently identified for FY2019 and beyond, one took a big step forward in late May, but the other will take longer to accomplish.
On the first front, DHS announced that its Cybersecurity and Infrastructure Security Agency (CISA) inked a six-year, $276 million contract with ECS Federal to develop a new CDM dashboard ecosystem for continuous monitoring and integration of cyber threat information data.
Cox has said for months that the new dashboard ecosystem is needed to better handle the burgeoning stream of data arising from network sensors. That data is distributed up to individual agency dashboards, then to a unified Federal dashboard and to CISA’s NCCIC (National Cybersecurity and Communications Integration Center) operation, and back down the stack.
As more agencies have deployed CDM deeper into their networks, the existing dashboard infrastructure has become unwieldy for some, especially agencies with a number of component organizations. Making sure that data flows more effectively through the entire dashboard ecosystem is one of the program office’s top priorities. Cox estimated last month that the new dashboard might take “a few years to get everything in place,” but emphasized, “at the end of the day it’s about data … If the data is good you can do a lot of things.”
The second major priority is also going to take a while to work through, but the payoff in better security justifies the effort. Often referred to in shorthand among CDM professionals simply as “gap filling,” that term refers to the all-important task of getting all agencies to close the circle on the first two of the four CDM capabilities.
At the Agencies
On the front lines in the agencies, completion of the first two CDM capabilities continues to consume considerable effort and resources.
For larger agencies with numerous component organizations and networks, the sheer complexity of the effort is evident. For most agencies, if not all, funding to sustain investments in CDM tools over the long term competes as ever with other priorities. And the uneven march of IT modernization efforts means that networks and architectures are in rapid motion even as CIOs try to affix better security tools to them.
Two Federal agency officials last month offered revealing, real-life looks at how implementation has gone in their organizations.
NASA Zooms Through Deployment
Willie Crenshaw Jr., Program Executive for CDM and Risk Management in NASA’s CIO office, said his agency has “pretty much deployed” the first two CDM capabilities across all networks in its far-flung operations that serve 17,200 agency employees. He reported a 95 percent deployment rate for the first capability, and 98 percent for the second, and characterized the entire effort as rolling out “really quickly … much to our surprise.”
He said CDM “has really helped us” identify network assets, and that NASA’s next step was to utilize the program’s DEFEND contract process to drive security improvements now that the first two program capabilities have been achieved. He said the agency has gained better situational awareness of its network, “and now we can focus more on the threats.” He added, “We are in a better posture to be more agile.”
Crenshaw offered several pieces of advice to other agency CIO offices looking to make similar progress: “get everyone involved” in the effort, including through in-agency “road show” events at different facility locations; and secure top management support for CDM. Top-tier support at NASA has made the program “THE priority at the agency for doing cybersecurity,” he said.
“We didn’t want to look at DHS as Big Brother, we wanted to work with them,” Crenshaw said. “If you do it right, it’s a great thing … It’s a game changer.”
HHS Grapples with Complex Structure
In a separate presentation, Bernard Asare, CDM Program Manager in the HHS CIO office, detailed the more deliberate pace of CDM implementation progress at a much larger agency. That higher degree of complexity stems largely from numerous agency component parts, which makes for a longer march to attain the CDM program’s first and second capabilities.
Asare called HHS “the largest, most complex federal agency,” and offered figures that reveal a daunting degree of operational complexity across the agency. Those include an overall employee headcount of 80,000, and on the tech side no less than 12 CIOs, 12 CISOs, eight tailored CDM solutions, more than 40 CDM tool deployments, and three agency dashboards.
HHS has accomplished 85 percent sensor deployment for CDM’s first capability, Asare said, which leaves a long way to go to attaining first and second capability completion. “We are not ever done,” the HHS official quipped.
On the plus side, however, the current level of CDM deployment has cut HHS’s count of “shadow IT” assets by 23 percent, and has greatly illuminated network assets. “We found systems we knew were ours but we never knew were on our network … We’re still working on that,” he said.
As for timing of future CDM deployment, Asare said HHS has “a five-year window … But I already know we won’t do it.” And he said publicly what other agency officials are more likely to discuss in private: CDM deployment is expensive. While DHS provides an initial level of funding for agencies to undertake deployment, the agencies themselves remain on the hook for substantial continuing costs. Thus, they have to navigate their own budget processes – which already feature a lot of hungry mouths to feed, including modernization efforts – to locate that money.
Among HHS’s most important CDM priorities going forward:
- Developing a “single pane of glass” for a federated agency dashboard that provides more visibility into the agency’s cybersecurity posture;
- Boosting agency FISMA compliance through HHS’s CDM investments; and
- Developing strategy for applying CDM principles to cloud services.
Back at the CDM Program Office
While Cox has flagged ongoing gap-filling efforts, and the new dashboard contract, as his two largest priorities for FY 2019, the CDM PMO is working on a much longer list of big initiatives to advance the mission, not just for the near term but also for far down the road.
By no means an exhaustive list, but chief among them:
- Operationalize the AWARE algorithm that will provide cybersecurity ratings data for agencies implementing CDM, along with guidance on how to improve scores. The effort is expected to begin with a “soft launch” in October. Cox said his office will work hard “to help agencies get comfortable with their AWARE score,” and that the system will feature visualization “so agencies can quickly see the value of the data.” He said version 1.0 of AWARE will be focused on “how well [agencies] are patching, and how well they are configuring.” Version 2.0 will illuminate multifactor authentication, and subsequent versions will help agencies better understand risks across their environment, he said.
- Promote CDM DEFEND contracts that have succeeded the older Blanket Purchase Agreements as the preferred contracting vehicle for agencies pursuing CDM implementation. Among other advantages, DEFEND: supports all four program capabilities; supports cloud and mobile cybersecurity and “more robust boundary protection efforts aligned” with IT modernization efforts; and carries 5-6 year contract terms that in theory can see agencies through the entire process of CDM implementation.
- Bring small and “micro” agencies on board through a cloud-based CDM shared services platform that gives each agency its own dashboard in a common environment. As of this spring, about 20 agencies were using the platform, and another 38 were dealing with paperwork in preparation to joining. “This is really turning into a success for us,” Cox said earlier this year.
- Continue integrating findings of .govCar – a threat-based security process that assesses cybersecurity performance and architecture choices – into CDM to improve agencies’ threat-based risk decisions.
Given that FY2019 ends in less than three months, count on those priorities to roll over into FY2020.
For FY2020 and beyond, Cox flagged further DEFEND capability rollouts, including discovery of the cloud/mobility network border, as a high priority. And he said his office will work on supporting agencies in formulating “comprehensive cybersecurity architecture.”
Follow the Money
Clearly, the CDM Program Office is driving the program forward with energy, commitment, and a vision for future priorities and capabilities. Those portend better security for Federal agencies even as they tackle the first two program capabilities, and even more so after they have laid that necessary groundwork to enjoy the fruit of the third and fourth capabilities.
On the agency side, all of the available evidence points to the same level of hard work by CIOs to tackle implementation of the initial CDM capabilities. A few have made it to the half-way mark and beyond, but it’s likely that most haven’t gotten there yet, and are scattered along the trail as they deal with real-world issues of size, complexity, and competing priorities for funding.
The exact position of each agency remains mostly opaque in an official sense, although the issue of gap-filling remains a staple of coffee-talk at government and industry gatherings. As with tracking progress of other programs in Washington, the best advice may still be to the follow the money in order to find out what’s going on.
Individual agency budget documents don’t often feature CDM line items, but preliminary FY2020 budgets prepared by the White House and the House Appropriations Committee open a window to program funding for the coming year. The House committee budget proposal features $156 million for the CDM program – significantly higher than the White House’s own request.
In a separate document elaborating on the administration’s funding request for DHS for FY2020, CDM program funding is proposed at $137 million, up from $125 million in FY2019. The biggest category items within that figure are for:
- Asset Management (CDM capability no. 1) at $43.3 million;
- Data Protection Management (CDM capability no. 4) at $42.6 million;
- Network Security Management (CDM capability no. 3) at $32.6 million;
- CDM Dashboard at $11.1 million; and
- Program, planning, and operations at $7.6 million.
Within those figures – and individual agency budgets that are as yet unclear – is the muscle to finish the gap filling so that the greater fruits of the CDM program can be realized. Precise timing and funding remains uncertain, but the determination to get the job done is clear.
