MeriTalk sat down in June with Kevin Cox, Program Manager for the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) Program, to get the latest on program priorities for the coming months and beyond.
It’s well known that the program has a lot of moving parts, and full implementation by Federal agencies is a process measured over several years. But one overriding theme emerges: improving network security has everything to do with generating quicker and more useful data flows from network infrastructure, up through the management chain for rapid analysis, and then back down the line so that insight can be put into action. That’s the essence of the CDM program.
Cox discussed a range of program activities, but none more important than making those data flows ever more useful to improve security for Federal agencies both large and small.
MeriTalk: Kevin, can you tell us about the CDM shared service platform for smaller agencies, the ones beyond the 24 Chief Financial Officers (CFO) Act agencies?
Cox: Sure. The shared service platform is shaping up into a real success for the program. What it’s allowing us to do is to work with those small and micro agencies – or what are sometimes referred to as the non-CFO Act agencies – to make sure that they too, in addition to the larger cabinet-level agencies, have access to the same cybersecurity tools.
They have very important missions, and many of them have high value assets as well, so we want to make sure we’re giving them the cybersecurity tools like we are for all other agencies. We want to make sure that we’re providing them the visibility of their cybersecurity posture, and we want to make sure that we’re providing federal leadership with visibility too.
So what we’ve done is essentially followed the CDM model – we deploy sensors out to their environment to help understand what their asset management footprint is, who their users are, including their privileged users, and bring that data from the sensors up to a dashboard.
Rather than deploy an individual dashboard for each of the small and micro agencies, we set up the shared service platform, which is a multi-tenant system that allows each agency to have their own dashboard, but it’s all within one single system. And similar to the model with feeding the summary data up to the federal dashboard, the shared service platform interfaces with the federal dashboard to provide visibility into the security posture for these agencies.
Today, we have 22 of the small and micro agencies reporting with the shared service platform. We continue to onboard new agencies each month and will continue to do so through the remaining part of the calendar year. And we want to ensure that at the end of the day, we’re bringing visibility for all the small and micro agencies up to each of their cybersecurity teams and leadership. And to ensure that federal leadership has the summary-level visibility in terms of who these agencies are, and how well their important missions are protected.
MeriTalk: Beyond the 22 small and micro agencies already on board, how many more are you looking to sign up, and how do smaller agencies go about taking that first step?
Cox: The number we typically work with is around 75, plus or minus a few as they come online, and depending on new legislation, etc.
What we have going to this point is working to get memorandums of agreement in place with each of those agencies. Once those memorandums of agreement are in place, we then work to get the solution set deployed. We have a number of agencies that we already have memorandums of agreement (MOAs) with (approximately 50) and we’re already working with them. Those are the agencies that over the next few months we’ll work to get on board. There’s still a handful of agencies that we still need to get MOAs in place with to establish all the proper agreements and get them onboarded as well.
MeriTalk: If I was at a smaller or micro agency, I would really welcome you coming in, because my IT staff and resources wouldn’t be very big. Do you get a pretty good reception when you call?
Cox: Yeah, I think it’s similar to what we saw with the larger agencies as well. I think those small and micro agencies that had their own solutions in place and have a fairly robust cyber program, they want to make sure that our program is not coming in to rip and replace. So that’s one of the things that we’ve really been sensitive to, to work with each of these agencies to see what their environment looks like, what solutions they already have in place, where we can help complement their current solution, and where we can meet our requirements without going into a complete re-architecture of their cybersecurity environment. So with that approach, I think that’s really helped build the relationships with these agencies.
We’ve also – once we have gotten the tools deployed – we’ve been working with our system integrator to make sure that any issues that are identified and challenges that are identified, that we can quickly work with the agencies to respond to those and address those in the most appropriate way.
And then as the agencies onboard to the shared service platform, we’ve taken a lot of feedback from the agencies in terms of what works well, and what doesn’t. And we’ve been working with our system integrator to make adjustments so that the smaller and micro agencies have access to different views and reports, they have more access to some of their data reporting, etc.
We’re working to be really responsive to these agencies and make sure that the overall solution being provided is a really strong solution. And that’s really helped build the trust and build the relationship with the agencies.
MeriTalk: If we can switch gears for a moment to more far-flung, but no less important security constituencies. We are seeing some state and local governments taking turns toward CDM. Although they are obviously not under the Federal umbrella, can the CDM Program Office do anything to give them a hand?
Cox: Our funding is all focused on the federal level. But we have learned that some cities and counties are looking to set up similar programs for all their different organizations and offices.
We have worked to make our program information available to the states and localities, tribes and territories (SLTTs). We recently had a conversation with state CIO organizations to talk about our overall program, and what our aims are. And then also to make the offer that we are happy to share our program requirements and architecture with them as they’re looking to set up similar programs at the state level.
One other thing that I would mention is that our approved product list is available through IT Schedule 70 on the CDM Special Item Number. Those tools on that approved product list are available to the states to make procurements, and so that is available as well, and not only to the states, but to the full SLTT.