CDM Program Plugs Gaps in Cyber Incident Reporting

Kevin Cox is the CDM program manager at the Department of Homeland Security.

The underreporting of cyber incidents is a chief issue across Federal agencies, according to Kevin Cox, Continuous Diagnostics and Mitigation (CDM) program manager for the Department of Homeland Security.

However, when the agency CDM dashboards launch in July, agencies will be able to view their own cybersecurity issues and track their progress in resolving them. Cox, who spoke at Tenable’s GovProtect17 conference on June 21, said the dashboard will provide a near-real-time look at issues that need to be addressed.

“It’ll run a report across the government to see how posture looks,” Cox said. “Once you get an automated dashboard, you’re able to assign people to use that dashboard. They’re able to have better conversations about what’s actually happening.”

The agency dashboards will ultimately be joined by a Federal dashboard, which will be located at DHS’s National Cybersecurity and Communications Integration Center. The Federal dashboard will offer a portal through which all agency dashboards are visible. The dashboards will help agencies track activity over time and provide indicators of suspicious behavior on networks.

Cox said later phases of the CDM program could flag cases such as a user who is only expected on the network from 9 a.m. to 5 p.m. on weekdays logging in at 3 a.m. on a Saturday. An agency could also detect 5,000 of its assets suddenly dropping off the network.
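The two checks Cox describes are simple to express once login and asset-inventory data land in one place. The script below is an added example written for this article, not CDM program or DHS code: it runs an off-hours login check and a sudden asset-drop check over a few constructed records. The record format, the per-user access windows, the grace period and the 10 percent drop threshold are all assumptions chosen for illustration.

```python
"""Two anomaly checks of the kind described for later CDM phases.

Added example for this article; not CDM program or DHS code.
All inputs are constructed, and the policy and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed login records: ISO timestamp, user, source host. Not real data.
LOGIN_LOG = """\
2017-06-19T09:02:11 jdoe ws-1041
2017-06-19T17:48:03 jdoe ws-1041
2017-06-24T03:14:09 jdoe ws-2207
2017-06-20T22:30:00 backupsvc srv-backup
2017-06-21T10:15:44 asmith ws-0090
"""


@dataclass(frozen=True)
class AccessWindow:
    """Assumed policy: weekdays allowed (Mon=0 .. Sun=6) and a daily hour window."""
    days: frozenset
    start: time
    end: time


BUSINESS_HOURS = AccessWindow(frozenset(range(5)), time(9, 0), time(17, 0))
ANY_TIME = AccessWindow(frozenset(range(7)), time(0, 0), time(23, 59, 59))

# Assumed mapping of account to access window; service accounts may run at any hour.
POLICY = {"jdoe": BUSINESS_HOURS, "asmith": BUSINESS_HOURS, "backupsvc": ANY_TIME}


def parse_logins(text):
    """Parse 'timestamp user host' lines into (datetime, user, host) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host = line.split()
        records.append((datetime.fromisoformat(ts), user, host))
    return records


def off_hours_logins(records, policy, grace=timedelta(minutes=60)):
    """Return (user, timestamp, host, reason) for logins outside the user's window.

    A grace period tolerates arriving a little early or staying a little late.
    An account with no defined window is flagged too: an unknown actor is a
    finding in its own right, not something to silently allow.
    """
    flagged = []
    for ts, user, host in records:
        window = policy.get(user)
        if window is None:
            flagged.append((user, ts, host, "no access window defined"))
            continue
        earliest = datetime.combine(ts.date(), window.start) - grace
        latest = datetime.combine(ts.date(), window.end) + grace
        if ts.weekday() not in window.days:
            flagged.append((user, ts, host, "outside allowed days"))
        elif not (earliest <= ts <= latest):
            flagged.append((user, ts, host, "outside allowed hours"))
    return flagged


# Constructed daily asset counts from an inventory scan (Phase 1 style data).
ASSET_COUNTS = [
    ("2017-06-19", 12050),
    ("2017-06-20", 12061),
    ("2017-06-21", 12048),
    ("2017-06-22", 7040),
    ("2017-06-23", 12055),
]


def asset_drop_alerts(counts, max_drop_fraction=0.10):
    """Flag any scan whose count fell by more than max_drop_fraction versus the prior scan.

    Returns (day, previous_count, current_count). A drop this large is at least
    as likely to be a collector or sensor outage as a real decommissioning, so
    the alert is about the integrity of the inventory feed as much as security.
    """
    alerts = []
    for (_, prev), (day, cur) in zip(counts, counts[1:]):
        if prev and (prev - cur) / prev > max_drop_fraction:
            alerts.append((day, prev, cur))
    return alerts


if __name__ == "__main__":
    for user, ts, host, reason in off_hours_logins(parse_logins(LOGIN_LOG), POLICY):
        print(f"off-hours login: {user} from {host} at {ts.isoformat()} ({reason})")
    for day, prev, cur in asset_drop_alerts(ASSET_COUNTS):
        print(f"asset drop: {day} went from {prev} to {cur} assets")
```

On the constructed data the only login flagged is jdoe at 3:14 a.m. on Saturday, June 24; the 5:48 p.m. Monday login falls inside the grace period. The 2017-06-22 scan trips the asset-drop check. Both results are leads for an analyst rather than incidents: a weekend login needs a ticket, an on-call schedule or the user's own account before it is treated as an intrusion, and a count that rebounds the next day points at the collector, not at the network.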

“Once we get dashboards in place, we’ll be able to monitor over time how agencies are utilizing these tools,” Cox said. “Not only can DHS put money against it for future work, but agencies will be able to buy products for future phases.”

The CDM program, mandated by the Office of Management and Budget in 2012, provides Federal agencies with tools to identify and address cyber threats. CDM is split into four phases. Phase 1 seeks to find out what devices are on a network. Phase 2 asks who is on a network. Phase 3 examines what is happening on the network, including what is coming in across its boundary. Phase 4 deals with data protection capabilities. Only Phases 1 and 2 are underway.

Phase 1 of CDM covers all 23 agencies held accountable under the Chief Financial Officers Act of 1990, which set financial management standards. Two contracts have come out of Phase 2. One is focused on strong authentication for administrative users and is available to 56 agencies, including those under the CFO Act. The other is focused on agency network log-on and is available to CFO Act agencies.

Detecting cyber threats is a priority for many Federal agencies, made more urgent by the spate of recent cyberattacks, such as the WannaCry ransomware outbreak in May that infected hundreds of thousands of systems in more than 100 countries. Cox said agency leaders, even those outside the 23 CFO Act agencies, are participating in the program more than ever.

“Agency leadership is seeing the outcomes of tools. We’re starting to see buy-in even more from the political side,” Cox said. “At the end of the day, leadership needs visibility on these assets and how well these assets are secured.”

Although there are four planned phases for CDM, Cox said the program may extend beyond them. He and his team at DHS are working under President Donald Trump’s May 2017 executive order on cybersecurity (Executive Order 13800) to develop a strategy for future years.

“There may be a future phase that helps us bring risk management models together,” Cox said. “CDM is just a piece of overall information security monitoring. We’re working with the executive order to do threat monitoring.”
