The Cybersecurity and Infrastructure Security Agency (CISA) said the agency is surpassing its own target for the rate at which Federal agencies are using automated Continuous Diagnostics and Mitigation (CDM) program reporting.
The CDM program provides Federal agencies with tools to monitor vulnerabilities and threats in their IT systems in near real-time. The program also provides agencies with a dashboard for tracking IT data, while also feeding agency data into a Federal Dashboard that gives CISA and the Office of Management and Budget (OMB) visibility across agency networks.
In a second quarter 2023 goals update posted to OMB’s Performance.gov website, CISA stated that its goal for Sept. 30 is to have 50 percent of Federal agencies meet “the end of year Binding Operational Directive-22-01 [Known Exploited Vulnerabilities] requirement for leveraging automated Continuous Diagnostics and Mitigation reporting.”
As of June 2023, CISA said in the update, the rate of agencies using automated CDM reporting stood at 55 percent.
According to the data on Performance.gov, the rate at which agencies are using CDM program reporting feeds into the larger CISA goal of achieving “measurable progress toward enhancing operational visibility within the Federal Civilian Executive Branches by improving asset discovery and vulnerability enumeration.”
CISA offered up additional data points in its second quarter report that point to success, including:
- A decrease to 40 percent – from 51 percent in the first quarter of this year – in the percent of Federal civilian executive branch agency Domain Name System egress traffic that was bypassing CISA’s Domain Name System filtering capabilities;
- An increase to 81 percent – from 74 percent in the first quarter – of analytic capabilities transitioned to the Cloud Analytic Environment;
- An increase to 92 percent – from 85 percent in the first quarter – of agencies that have published a vulnerability disclosure policy that covers all agency internet accessible systems and services;
- An increase to 94 percent – from 93 percent in the first quarter – of agencies that have developed internal vulnerability management and patching procedures by the specified timeline; and
- An increase to 61 percent – from 59 percent in the first quarter – of endpoints from Federal agencies covered by Endpoint Detection and Response solutions that are deployed by the CDM program.
Discussing its primary goal of boosting the rate at which Federal agencies are using automated CDM program reporting, CISA listed the following problems to be solved on the path to reaching it:
- Network visibility limitations due to encryption and cloud computing;
- Constantly evolving threat landscape and rapid pace of change in the cyber domain compared to the pace of Federal government policy generation and implementation;
- The Federal Enterprise was not designed to be defended or managed as a single organization, and many Federal agency networks are indefensible in part because they are decentralized. This decentralization creates obstacles for effective governance and for standardization of tools and services;
- Outdated and legacy technology poses risk of increased vulnerabilities associated with weak authentication exposure and unpatched software; and
- Technology investments are often not aligned with operational priorities for cyber defense.
In describing “what success looks like” in progressing toward its goal, CISA listed:
- Ramp up use of CISA-approved standardized tools and shared services to make Federal networks more defensible and secure;
- Agencies can identify threats and vulnerabilities and report on them using the Vulnerability Disclosure Program in advance of network disruptions; and
- CISA can identify cross-agency threats and vulnerabilities at the Federal Enterprise Level to provide a holistic view of the cyber threat, including access to host-level data and integration of data sources from across CISA’s cyber programs.