SBA Approach to CDM Challenging Status Quo

SBA CTO Sanjay Gupta

The Small Business Administration’s (SBA) Deputy CIO Guy Cavallo and CTO Sanjay Gupta said today at the FCW Cybersecurity Summit that their agency’s unorthodox approach to the Continuous Diagnostics and Mitigation (CDM) Program is yielding substantial practical benefits, even though it required a departure from CDM’s initial guidelines.

Now, SBA is providing a new potential model for other agencies – many struggling with the first of CDM’s four phases – to use when considering how to achieve the outcomes the program intends.

“This was not the first time we challenged the status quo, and it probably won’t be the last time as well,” said Gupta.

When the initial guidelines came out for Phase 1, according to Cavallo, the Department of Homeland Security (DHS), which runs CDM, was pushing for changes to SBA’s on-prem infrastructure in order to implement CDM. “We estimated it would cost us about $400,000 in hardware to do it, and we decided we’d rather take the $400k and invest it in the cloud,” Cavallo said.

“We decided that we could have the same or better outcome with a cloud-based approach and not necessarily guided by the prescriptive requirements or the toolsets, because we were focused on the outcomes, and that’s how we approached the problem,” Gupta said.

He said that they looked to see if they could meet the requirements in a more cost-efficient way. Cavallo, discussing the required processing power needed to implement the solution, said that in the cloud, “We found that we needed a fraction of what the on-premise hardware needed.”

To its knowledge, SBA is still the only agency to have implemented Phase 1 in the cloud.

The agency’s hope is to change the conversation with the Office of Management and Budget and DHS regarding potential wiggle room in CDM implementation. Differing modes of execution, the agency representatives argued, do not diminish the program’s goals or mission.

“You still have to meet the objectives,” Gupta clarified. “We’re trying to understand: what is it we’re trying to achieve, why are we doing it, as opposed to following guidance” as a simple box-checking exercise. “Maybe we’ve lost the intent of what we’re trying to do.”

Gupta said that SBA has now played host to more than 30 agencies as it provides demonstrations of the CDM active monitoring capabilities the agency has in its cloud environment.

A CDM official on hand at today’s event expressed a need to clarify the distinction between policy and procurement mechanisms. He said that initial restrictions on cloud and mobile in the early CDM acquisition vehicles came intentionally, because the program’s initial intention was to rectify on-prem issues.

The official commended SBA’s efforts, saying the agency “captured the heart” of the program’s objective-based intent. He added that the program “became much less restrictive” with its new CDM DEFEND task orders, including an improved, wider product list as a result. “We learned our lesson,” he said.
