Richard Grabowski, acting program manager for the Cybersecurity and Infrastructure Security Agency’s (CISA) Continuous Diagnostics and Mitigation (CDM) program, explained at a November 4 event organized by FCW that the new memoranda of understanding (MOAs) that the program has been signing with Federal agencies are a key component in enabling better cyber threat hunting by CISA across agency networks.
Recapping some of his presentation at MeriTalk’s Cyber Central: Defenders Unite virtual conference on October 28, Grabowski said that the new MOAs stem from requirements in the Biden administration’s Cybersecurity Executive Order for Federal agencies to share object-level network data with the CDM program – rather than the summary-level data that was shared under the previous generation of agreements with agencies.
Getting access to that far richer object-level data stream is key to boosting CISA’s ability to tackle its cyber threat hunting mission, Grabowski said.
Digging into MOAs
The Cyber EO gave Federal agencies 75 days to sign new MOAs with the CDM program, and Grabowski said that the program signed new MOAs with all of the CFO Act agencies, and most of the smaller Federal agencies, in less than 90 days. It took the program three years to sign up as many agencies under the previous version of the MOA, he said.
“For those that aren’t familiar with what the MOAs are, it’s kind of the established agreements that provide the foundational governance between us and agencies and how we participate in a partnership model,” he said.
“There are things in there that govern what CISA can do, what agencies can do, [and] what the expectations are for both those parties,” including agencies providing network and data access and how CISA provides tooling and dashboard technologies, Grabowski said.
“It really kind of sets the stage for the shared responsibility model that we’re calling it between agencies and CISA, that partnership,” he said.
The result of the MOAs, he said, is that “this is not just CDM kicking the door down and saying this is what you’re going to do, and going away. It’s more working with you … listening to you, trying to work around what our framework is, which is a little bit more on the flexible side, and trying to listen to the needs and trying to come to some consensus of how to execute for mutual benefits across both parties.”
“It’s not to say that everyone gets what they want,” Grabowski said. “At the end of the day, there has to be kind of a negotiation there. But it’s really an open conversation in the full light of ‘this as a partnership’ … and we need to operationalize a lot of the capabilities that we do provide to them.”
The ability to sign up the vast majority of agencies so quickly under the new MOAs, he said – including signing up 90 agencies in 90 days – shows “how incredibly powerful the EO was” and “the incredible amount of trust that we appreciate from the agencies that they provide to us in signing those MOAs.”
The MOAs, Grabowski said, “are fairly broad, I would say, because there’s a lot of things that we need to do collectively to protect us against the threats. There’s a lot of trust entrusted to us by the agencies that I’m incredibly appreciative of.”
“The two major things that you’ll see in these new MOAs’ doctrine is about CISA tool access [and] object-level data – both are incredibly important to execute,” he said.
The goal of achieving better threat-hunting ability, he said, simply can’t be accomplished by using summary-level data from agencies. “The program has been operating under the constraint of summary data for quite a while. It’s very typical from a CISA perspective to hunt on summary data,” he said, adding that the new MOAs will “establish a much more active hunting capability in partnership with agencies on object-level data.”
“That was a big win for us over the summer, and those conversations are still ongoing,” he said.