New Continuous Diagnostics and Mitigation (CDM) DEFEND task orders will allow the Department of Homeland Security to be “more surgical” and “more precise” about how it helps agencies get cybersecurity capabilities, particularly for CDM’s newly-expanded category of mobile devices, CDM Program Manager Kevin Cox said Thursday at an event organized by ATARC.
In particular, Cox explained that the request for service (RFS) process–which essentially allows agencies to bolt on additional CDM requirements to DEFEND task orders–is enabling agencies to tackle emerging needs in the mobile space.
“What we do is work with the agencies and industry partners to write requests for service,” Cox said at a MeriTalk event back in May. “We could do a request for service for cloud security, mobile security, for ongoing authorization. That’s what gives us the flexibility over time.”
DHS is working to get agency mobility monitoring on an even keel with the on-prem CDM capabilities, Cox explained Thursday.
“The RFS process will allow us to do discovery in the agency, but then also do implementation, and help get, ultimately, parity on the mobile side similar to what we’re doing on the traditional on-prem endpoint side,” he said.
DHS has awarded all five of the DEFEND task orders, covering the 23 Federal civilian CFO Act Agencies in the program, with the most recent confirmed by Booz Allen Hamilton on Aug. 21.
Cox added Thursday that the potential $668 million Group E task order, awarded to ManTech International but currently under protest, will likely be settled by October.
Under RFS mechanisms in Group C of CDM DEFEND–which covers the Departments of Commerce, Justice, Labor, State, and the U.S. Agency for International Development–DHS is preparing for an expansion in mobile discovery and better overall mobile enterprise management.
“The RFS associated with Group C is essentially cloud discovery, mobile discovery, boundary discovery,” Cox said. “Once we get that discovery–we’ve interfaced with the EMM, the MDM [enterprise mobility management and mobile device management]–we want to then help the agencies from a mobile threat perspective, in terms of additional capabilities on the EMM. To the extent that we can get additional capabilities on the devices themselves, that is a goal as well.”
Jim Quinn, senior advisor to CDM who was previously the program’s lead engineer, outlined the challenges. “It’s not simple,” Quinn said, often due to differing agency deployment considerations.
“Are they doing it as BYOD [bring your own device], are they doing it as COPE [corporate-owned, personally-enabled], are they doing it as government-controlled? Each one of those has a different security posture.” Quinn said. “How is it tethered back to the agency? Is it loosely-coupled or tightly-coupled? Those are all variations that have to be considered, because each one of those has a different threat path.”
But the goal they’re ultimately striving toward is oversight of all devices on agency networks, regardless of what type. “Every IP-addressable device, we want to make sure the agency has visibility to as well, and that includes all mobile devices,” Cox said.