While the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program has been successful in driving security deeper into Federal networks, an agency program manager warned this week that without funding for agency IT departments, much of CDM’s progress could be set back.
“If we don’t have an influx of funding at the agency level, then what’s going to happen is CDM is going to be this success story, but then it’s going to fizz out because we won’t be able to maintain it,” said Willie Crenshaw, CDM program executive at the National Aeronautics and Space Administration (NASA), at the Forcepoint Cybersecurity Leadership Forum on April 4.
Crenshaw said that NASA has seen success as an early adopter of the CDM program, and has fully implemented Phase 1 and Phase 2 of CDM, but he still worries about the agency backsliding.
“DHS gets some funding, but we, as an agency, need the funding to maintain it. What keeps you up at night with CDM is that ongoing cost of the refreshes three, four, five, six, seven years down the line,” he added.
In a similar manner, Kevin Cox, CDM program manager at DHS, noted that the program office is looking towards the future of the program and facing a choice.
“It’s a question of, will the CDM program become this wider sense of getting full cybersecurity solutions in place across all these different capability areas, or will we be more targeted on high-value assets, specific environments, and etcetera? That one’s still being determined.”
For FY2019, Cox noted that the program management office is working on addressing agency gaps in asset management, fully operationalizing the Federal CDM Dashboard with the National Cybersecurity and Communications Integration Center, and evaluating security postures through the AWARE algorithm, and that it expects a new CDM Dashboard contract soon. However, the program is also piloting a strategy for the future.
“What we’re looking at now is … funding different engagements at the agencies with specific technologies and processes to help the agency, but also to take the information as lessons learned and be able to show that if funded more, we can do this across all the agencies,” he said.
Cox and Crenshaw also touched on the successes of CDM. Crenshaw noted that CDM implementation had gone much faster than expected at NASA, and had “built trust” between the CIO’s office and the components. Cox pointed to the adjustments made to the program to adapt to lessons learned, and noted that the dashboard will include tools and analytics that were never in the original plan, but were added after agency feedback. Both highlighted the flexibility of the CDM DEFEND contract, and how it supports parallel task orders over multiple years.