The Continuous Diagnostics and Mitigation (CDM) program is making progress but has run into issues with the data that commercial capabilities report to its dashboards, making it difficult for the program to quickly pull insights from that data, said Judy Baltensperger, project manager for CDM program dashboard operations, today at MeriTalk’s CDM Central event.
Baltensperger explained that while program dashboards use the NIST National Vulnerability Database and its Common Platform Enumeration (CPE) format, cybersecurity solutions have not widely adopted the format, causing delays to the government-wide visibility that CDM is supposed to enable.
“We need industry to follow the standards, and the reason we need it is so that it makes it easier to normalize the data and match the data target … and become more efficient in that process,” she said.
The CDM program has conducted outreach to get industry to follow the standards NIST's NVD relies on, the CPE and Common Vulnerabilities and Exposures (CVE) formats, as well as the DISA STIGs (Security Technical Implementation Guides) for misconfigurations, and potentially the MITRE ATT&CK framework in the future for indicators of compromise, Baltensperger said.
She gave one example of the challenges that varying data formats create for the program.
“If we know the manufacturer, product, and make and model of the software that has a potential vulnerability, and we want to go look for that vulnerability and find its prevalence across the .gov space – which is predominantly what we’re using the Federal Dashboard for – then we need the actual attributes,” she said. “What we’ve found is poor data quality because the data is not normalized, and it’s not normalized because the vendors that collect the CPE [Common Platform Enumeration] data are not all following the same format, and they often have a data dictionary that’s applied to each product,” she added.
Baltensperger also noted the importance of data integrity for the AWARE algorithm that CDM uses to support risk-based decisions, emphasizing that “you can’t have unknown blank nulls inside a required field to do that calculation.”
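The two problems described above, vendor tools reporting the same product under different spellings and required attributes arriving blank, are easiest to see in code. The following is an added example, not CDM or NVD code: it normalizes constructed inventory rows into CPE 2.3 names, rejects rows whose required fields are null rather than silently treating them as wildcards, and counts how many hosts match a vulnerability's CPE. The inventory rows, host names, the choice of vendor/product/version as the required fields, and the simplified matching rule (a `*` in the vulnerability CPE matches anything, everything else must be equal) are assumptions for illustration.

```python
"""Normalise vendor-reported software inventory to CPE 2.3 and measure
prevalence of a vulnerable product. Added example; the rows below are
constructed and are not CDM or NVD data."""
from __future__ import annotations

import re
from collections import Counter

# CPE 2.3 formatted string: cpe:2.3:part:vendor:product:version:update:
#   edition:language:sw_edition:target_sw:target_hw:other  (13 components)
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")
# Assumption: the attributes a prevalence query cannot do without.
REQUIRED = ("vendor", "product", "version")


def split_cpe23(cpe: str) -> list[str]:
    """Split on colons that are not backslash-escaped (CPE allows '\\:')."""
    parts, cur, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):   # keep the escape pair intact
            cur.append(cpe[i:i + 2]); i += 2; continue
        if ch == ":":
            parts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_cpe23(cpe: str) -> dict[str, str]:
    """Parse a CPE 2.3 formatted string into its named components."""
    parts = split_cpe23(cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def normalize_component(value) -> str | None:
    """Coerce a free-text attribute into CPE 2.3 component form.
    Returns None for null/blank so the caller can reject the record
    instead of quietly turning a missing value into ANY ('*')."""
    if value is None:
        return None
    s = str(value).strip().lower()
    if s in ("", "null", "none", "n/a", "unknown"):
        return None
    s = re.sub(r"\s+", "_", s)                       # 'HTTP Server' -> 'http_server'
    return re.sub(r"([^a-z0-9_.\-])", r"\\\1", s)    # quote reserved punctuation


def inventory_to_cpe(row: dict, part: str = "a") -> tuple[str | None, list[str]]:
    """Build a CPE name from an inventory row; report missing required fields."""
    comps = {f: normalize_component(row.get(f)) for f in REQUIRED}
    missing = [f for f, v in comps.items() if v is None]
    if missing:
        return None, missing
    fields = {f: "*" for f in CPE_FIELDS}
    fields["part"] = part
    fields.update(comps)
    return "cpe:2.3:" + ":".join(fields[f] for f in CPE_FIELDS), []


def cpe_matches(target: str, candidate: str) -> bool:
    """Simplified match: '*' in the vulnerability CPE matches any value;
    otherwise components must be equal. A '*' the inventory tool left in
    place does not satisfy a specific target value (status unknown)."""
    t, c = parse_cpe23(target), parse_cpe23(candidate)
    return all(t[f] == "*" or t[f] == c[f] for f in CPE_FIELDS)


def prevalence(target_cpe: str, inventory: list[dict]) -> dict:
    """Count hosts matching target_cpe and list rows unusable for the query."""
    matched, rejected = [], []
    for row in inventory:
        cpe, missing = inventory_to_cpe(row)
        if cpe is None:
            rejected.append((row["host"], missing)); continue
        if cpe_matches(target_cpe, cpe):
            matched.append(row["host"])
    per_agency = Counter(r["agency"] for r in inventory if r["host"] in matched)
    return {"matched_hosts": matched, "rejected": rejected, "per_agency": dict(per_agency)}


# Constructed rows: one product as three different collection tools report it.
INVENTORY = [
    {"agency": "A", "host": "web01", "vendor": "Apache",  "product": "HTTP Server", "version": "2.4.49"},
    {"agency": "A", "host": "web02", "vendor": "apache ", "product": "http_server", "version": "2.4.49"},
    {"agency": "B", "host": "web03", "vendor": "Apache",  "product": "HTTP Server", "version": "2.4.51"},
    {"agency": "B", "host": "web04", "vendor": "Apache",  "product": "HTTP Server", "version": None},
    {"agency": "C", "host": "web05", "vendor": "Apache",  "product": "HTTP Server", "version": ""},
]
VULN_CPE = "cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*"   # constructed target

if __name__ == "__main__":
    print(prevalence(VULN_CPE, INVENTORY))
```

The two rejected rows are the point of the "blank nulls" remark: a prevalence figure computed over them would either undercount (if blanks are dropped silently) or overcount (if blanks are treated as matching anything), and neither error is visible to the dashboard user unless the rejection is reported alongside the count.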
On the positive side, the CDM program currently has three dashboards in production environments at agencies and has received positive feedback, Baltensperger said. She also said there is interest in approaching the dashboard as a managed service, that the Federal dashboard is successfully integrating open-source threat intelligence, and that the program is incorporating feedback on user experience, with the potential for agencies to customize the layout of their individual dashboards.
For more on CDM challenges and opportunities, check out MeriTalk’s study on defending high-value assets, and for a look at how the program’s secret sauce is prepared, please enjoy the accompanying CDM Central video.