While the Cybersecurity Sprint focused attention on how to generate improvements quickly, one of our most important cyber efforts – the Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM) program – is unquestionably a marathon. Now in its fourth year, the program is maturing agencies’ abilities to identify cyber risks and adopt a risk-based approach to mitigation.
The program is entering Phase 3, but agency progress has been staggered. Every agency started from a different point of cybersecurity maturity, so this is not surprising.
Phase 1 involved mapping networks to determine what they would need to improve threat protection; Phase 2 focused on identifying who has access to the network and how you handle access management. Up next, Phase 3 focuses on boundary protection and incident response.
What was initially surprising was the degree to which agencies discovered during Phase 1 that they were underreporting device numbers. James Quinn, lead systems engineer on the CDM Program at DHS, said that DHS estimated federal agencies would map approximately two million assets, but agencies ended up finding approximately four million.
We have to anticipate this challenge will continue to grow with the Internet of Things (IoT). Every internet-connected device is a potential vulnerability, so improving asset management and establishing a secure supply chain are critical to securing federal systems and information.
When we think about supply chain risk management, we think about our devices and the systems and software we use to protect them. The CDM Project Management Office (PMO) requires vendors submitting products for the CDM Approved Product List (APL) to provide details on their supply chain risk management policies. See more: CDM Supply Chain Risk Management plan.
RSA Archer, a Dell Technologies company, serves as the platform for the agency and federal dashboards. At the agency level, the dashboard captures data locally from network sensors, scores the data, and shows “worst problems first” for operators – that is, it enables a risk-based approach. Agencies are in the process of deploying their dashboards, and the federal dashboard is scheduled to deploy this year.
As agencies and the CDM Project Management Office move forward, they will be tackling ongoing challenges including the need for acquisition flexibility, how to speed the acquisition process, how to integrate FedRAMP, and what’s next for Trusted Internet Connections (TIC).
That’s already a tall order that will continue to grow – and we do win or lose together in this race.