Federal agency demand for CDM (Continuous Diagnostics and Mitigation) security technologies has plenty of room for continued growth based on a GAO report released in late December, which showed mixed progress on agency deployment figures for the first half of 2018. The report underlined the importance of CDM progress and chided Federal agencies for being slow to implement the government’s approach to network security.
The CDM Program, administered by the Department of Homeland Security (DHS) in partnership with the General Services Administration, delivers tools and capabilities to Federal agencies to identify and prioritize cybersecurity risks and enable mitigation efforts.
The aims of the program’s four phases are well known to agencies. Stepping into 2019, the program office is doing away with the term “phases” to focus on the holistic nature of the program, and to note that implementation will be ongoing, rather than sequential.
Asset Management (formerly Phase 1) focuses on device discovery, implementation of continuous monitoring sensors, and management of software, security configuration settings, and software vulnerabilities;
Identity & Access Management (formerly Phase 2) covers management of user credentials and access privileges, and security-related behavioral training;
Network Security Management (formerly Phase 3) aims to manage “what is happening on the network” with capabilities including network and perimeter components, host and device components, data at rest and in transit, user behavior and other activities, responding to behavior incidents, and mitigating security incidents to prevent further propagation; and
Data Protection Management (formerly Phase 4) focuses on “how data is protected” with capabilities including identification of cybersecurity risks on an ongoing basis, prioritizing risks based on potential impacts, and enabling cybersecurity personnel to mitigate the most significant problems first.
Strong Adoption Push
Since its launch in 2012, CDM has become a household word in Federal agency CIO suites, and DHS offers Phase 1 and Phase 2 capabilities to the 23 CFO Act civilian agencies and to 52 non-CFO Act agencies as a shared service. The CDM program established a blanket purchase agreement in 2012, awarded task orders for Phase 1 and Phase 2 in 2015, and was set to wrap up both phases by late 2018.
The newest acquisition vehicles, known as CDM’s Dynamic and Evolving Federal Enterprise Network Defense (DEFEND) task orders, were awarded throughout 2018 and will provide increased access to cyber capabilities into the future. DEFEND will not only provide Phase 3 tools, but all CDM capabilities across the full spectrum of phases.
Agency CIOs routinely have good things to say about CDM.
For example, Rod Turk, the Commerce Department’s acting CIO, said in December that his agency is working to further integrate CDM technologies into its networks, and he singled out CDM as one of the “first shared services in the government” that is now “well entrenched” at the Commerce Department.
In late November, Sanjay Gupta, chief technology officer at the Small Business Administration, explained that SBA is working with DHS to run a pilot program to fulfill CDM requirements in the cloud. “We at the SBA are trying to work with DHS to help to move the needle and try and see how the CDM program can be aligned with the cloud,” he said.
The new DEFEND task orders will respond to evolving needs using a request for service (RFS) process that allows agencies to bring in tools to meet cloud, mobile, boundary protection, and any new capabilities that emerge as the program continues into the future.
“Modern identity services, purpose-built for cloud, that seamlessly integrate with existing CDM toolsets are playing a key role helping the leaders accelerate secure digital transformation,” commented Ted Girard, vice president of public sector at Okta.
And the CDM program received a significant push of support in Congress last year as the House in September approved a bill that would codify the CDM program into law and ensure DHS “can continue to rely on and evolve” the program to understand and defend against cyber threats, according to Rep. John Ratcliffe, R-Texas, who sponsored the House bill. A Senate version of the same bill never made it out of the Senate Homeland Security and Governmental Affairs Committee, but the legislation’s success in the House makes it more likely the bill could see action again in Congress this year.
Nor is the CDM program office standing still as it continues to roll out more sophisticated services to agencies. In late November, Kevin Cox, DHS’ CDM program manager, said the agency is looking to give agencies a cyber hygiene score, redesign its dashboard, and tie the program together with other cybersecurity efforts.
He discussed the new Agency-wide Adaptive Risk Enumeration (AWARE) algorithm and how it will keep agencies accountable for their cyber hygiene. “What AWARE is, is similar to a credit score,” Cox said. “It’s looking at a couple of key variables, and then assigning a score to that agency to help understand how that agency is doing overall with that cyber hygiene process. By looking at the total number of endpoints against the score, we can come up with a per-endpoint average, so you can look agency by agency and see how each agency is doing compared to the other agencies, and we’ll be able to have a scale as to what agencies are doing well, and where they might need additional support.”
It is also increasingly likely that, down the road, CDM performance will become a graded component of the House Oversight and Government Reform Committee’s FITARA (Federal Information Technology Acquisition Reform Act) Scorecard. The scorecard issued by the committee in December featured a preview of grading on how agencies comply with the 2014 Federal Information Security Modernization Act (FISMA), which aims to improve Federal government cybersecurity through the CDM program, among other steps.
“The FISMA category acknowledges better cyber hygiene and greater transparency as top priorities,” commented Okta’s Girard. “We can leverage the lessons learned in the CDM process and apply them across agencies for more consistent cyber programs without reinventing the wheel.”
GAO Flags Agency Progress
But despite several years of effort to address an ever-increasing threat to agency networks, uptake of the program by major Federal agencies still continues to be a work in progress.
In a report issued December 18, 2018, that tracked implementation of CDM program phases by the 23 CFO Act civilian agencies as of June 2018, GAO reported that only eight agencies had fully implemented CDM Phase 1, and that 15 were still in the “partial implementation” category.
For CDM Phase 2, GAO found that only two agencies had fully implemented it, 17 agencies had partially implemented it, and four had “not implemented at all.”
Less surprising because of its relative newness, CDM Phase 3 as of June 30 had only been partially implemented by four agencies, while 19 had not implemented it at all, GAO said.
GAO said that agencies’ implementation status was impacted “at least in part” by “delays in DHS’s deployment of its program phases,” and warned that “as a result, Federal systems will remain at risk until the program is fully deployed.”
Using separate and older figures generated from FY 2017 data, GAO tracked CDM implementation across the 23 CFO Act civilian agencies for FY 2017 and found cause for some concern, although the figures are somewhat dated.
Among other conclusions from the FY 2017 data, GAO cited agency Inspector General reports that showed 17 of 23 selected agencies “reported that their agencies had not effectively implemented their information security programs and had significant information security deficiencies associated with internal control over financial reporting,” and that 17 agencies did not meet all nine of their cybersecurity cross-agency priority goal targets.
Those and other figures led GAO to conclude in December that “many agencies have not effectively implemented the Federal approach and strategy for securing information systems,” and that until they “more effectively implement the government’s approach and strategy, federal systems will remain at risk.”
While Federal agencies have undoubtedly improved on their CDM program implementation rates over the intervening months since the end of FY 2017, the general tenor of GAO’s findings issued at the end of 2018 points to a need for more work.
GAO recommended, among other steps, that DHS direct its Network Security Deployment division to “coordinate further with federal agencies to identify training and guidance needs” for implementing CDM and the National Cybersecurity Protection System’s Einstein program. It also said DHS should work with OMB to “follow up with agencies to identify obstacles and impediments affecting their abilities to implement intrusion detection and prevention capabilities.”
DHS concurred with its recommendations, GAO said.
The program has evolved dramatically over its more than six-year history, perhaps most notably in the area of acquisition. CDM Program Manager Kevin Cox has indicated that the new DEFEND task orders represent one of the biggest examples of “lessons learned” for the program.
Shifting away from blanket purchase agreements now means that agencies aren’t saddled with a “one-to-many” solution at previously agreed-upon pricing. The DEFEND task orders allow each of the CDM integrators to match products to agencies’ unique needs.
The White House is reinforcing this new acquisition approach. OMB, in its updated FISMA guidance released in October 2018, said that agencies must “provide sufficient justification should they pursue acquisition of tools with continuous monitoring capabilities that are not aligned with current or future CDM acquisition vehicles.”
The onus is also shifting to those agencies to establish full control of their cyber posture. The FISMA guidance stressed that agency heads themselves “are ultimately responsible for ensuring that their respective agencies maintain protections commensurate with the risk of harm of a compromise.”
In practice, it will be interesting to see how that guidance will trickle down from leadership to actual IT personnel. In private circles, government employees working on CDM implementation have stressed the need for training services for their staffs as known threats evolve and new threats emerge.
The DEFEND RFS process has been designed with that need in mind. Agencies can acquire training and support for their human capital, in addition to actual technology needs.
The support from the vendor community has likewise been robust. Private sector technology companies, in closed-door sessions with agencies, often urge those agencies to bring their subject matter experts to vendor technology labs. The goal is for agencies to engage with the commercial side proactively, have questions answered, and learn what capabilities best suit each agency’s mission, cyber architecture, and overall environment. The way DEFEND is structured, it’s no longer a game of selling the “shiny object.” Technology companies must articulate the why, and agencies can take that knowledge to develop a strategy alongside the DEFEND integrators.
The process will be ongoing, because cutting through an immense sprawl of cyber tools is no easy task. The CDM Approved Product List features hundreds of thousands of tools, but those on the inside know that the list is just a baseline catalog. What an agency actually needs will be established through continued collaboration between integrators, vendors, and the government’s boots on the ground. Dialogue between government and the private sector now takes on even greater importance.