Survey Charts Strong End-User Interest in CDM Phase 3

(Image: Government Matters)

Survey results discussed during a June 14 Digital Government Institute webinar seem to bode well for end-user reception of deployment of Continuous Diagnostics and Mitigation (CDM) Phase 3 technology by the Department of Homeland Security, which is charged with improving the security of Federal civilian networks.

According to a Market Connections survey of Federal civilian government agency IT decision makers involved with network security issues, 67 percent of respondents moderately or strongly agree that CDM Phase 3 is structured to favor innovation or improvements over previous phases, and 64 percent are somewhat or very interested in using Phase 3 to change or augment legacy systems.

Here is a rundown of how the webinar tracked.

Four Phases of CDM

CDM is made up of four phases: Phase I is “What is on the Network,” Phase 2 is “Who is on the Network,” Phase 3 is “What is Happening on the Network,” and Phase 4 is “How is Data Protected?”  DHS’s Phase 1 and Phase 2 programs are largely completed and attention is shifting to the program’s third phase. During Fiscal 2018, CDM’s Phase 3 priorities for all agencies include ongoing assessment, incident response assessment, mobile security and Phase 1 gap fill. There are also additional priorities for agencies that include cloud security, network control, and certificate management.

Phase 3 Focus

Phase 3 is focused on agencies knowing what data is on their networks, who’s accessing the data, and how to protect the data.

“We’re starting to move past the on-premise network, out to the network’s boundary, out to the perimeter…as the perimeter starts to fade as more and more agencies start to utilize cloud services and putting data out in the cloud or in external data centers, we want to get agencies visibility to wherever that data is,” Kevin Cox, CDM program manager, DHS, said during the webinar.

CDM Phase 3 also is focused on transforming the way agencies manage the Federal Information Security Management Act (FISMA) process.  “Agencies had been doing a lot of the FISMA reporting manually, so we’re starting to get automated reporting built into that process,” Cox said. More importantly, he added, DHS is looking to help agencies get ongoing authorizations in place so as they authorize their critical systems, they can continue to monitor the status of the systems.

As agencies move into Phase 3, DHS has also changed the acquisition process. While DHS and its partner the General Services Administration (GSA) originally had a Blanket Purchase Agreement (BPA), it has moved to a two-pronged acquisition strategy that was designed to replace the BPA. The first prong is approved products being added to the DHS product list by a Special Item Number on the IT Schedule 70 through GSA. These approved products will then be available to the task orders in the second prong, in which DHS and GSA are working to award orders off the Alliant Government Wide Acquisition Contract. The overall acquisition process is being labeled as the Dynamic and Evolving Federal Enterprise Network Defense (DEFEND).

Ralph Kahn, vice president-Federal, Tanium, spoke about the issues facing agencies as they prepare to move to Phase 3. He said adversaries are taking advantage of agencies’ slow and complex patchwork of compliance and detection/mitigation tools and pointed out that state-of-the-art compliance and detection and mitigation is changing rapidly. “Cyber moves very fast, so if you look at where state of the art compliance, detection and mitigation were even two years ago, or worse than that five years ago, they have changed exponentially,” said Kahn.

Kahn said CDM Phase 3 is an important solution to agencies’ security problems. “I think DEFEND is going to significantly increase the capability of civilian agencies to spot, contain and control outbreaks. I think what we would ideally see, a year from now, is a shoring up of Phase 1 and Phase 2 and significantly enhancing the capability towards industry standards like continuous compliance,” he said.

Recent