The Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program office is preparing to work with five Federal government agencies on data protection management efforts, CDM Program Manager Kevin Cox said today at an event organized by RSA and the Advanced Technology Academic Research Center (ATARC).
Data protection management was formerly classified by the CDM program as the final step in the program’s four-phase effort to help put agencies on a better cybersecurity footing (the first three are asset management, identity and access management, and network security management). While the program has done away with the “phases” nomenclature in favor of emphasizing a more holistic and non-sequential approach, its pending work to bring data protection management to selected agencies indicates that some agencies are preparing to work on closing the full circle of the program’s stated aims.
Data protection management, the program office has said, focuses on “how data is protected” with capabilities including identification of cybersecurity risks on an ongoing basis, prioritizing risks based on potential impacts, and enabling cybersecurity personnel to mitigate the most significant problems first.
Speaking at today’s event, Cox said his office was just about ready to “go out with work” for the data protection effort at five agencies, which he did not identify in his remarks. That work, he said, includes development of Requests for Service, encryption, and data loss management.
“There’s more to come here,” he said.
Cox reiterated that his office continues to work on a new CDM dashboard contract, and now expects to have something to announce in May.
Commenting on the general CDM landscape, Cox said:
- The program continues to work with Federal agencies on “filling gaps” in the program’s initial two capabilities, especially among agencies that were not early participants in the program.
- While the program initially focused on on-prem networks, and will continue to do so, it is also in step with agencies that are adopting more cloud services, and is working with more cloud service providers in that regard.
- The program is working with agencies on making sure they have consistent data quality to inform agency and Federal CDM dashboards. “At the end of the day it’s about the data,” he said, adding, “if the data is good you can do a lot of things.”
- For the remainder of FY 2019, the program is working on operationalizing agency and Federal dashboards, and in the October timeframe will be ready for a “soft rollout” of its AWARE (Agency-wide Adaptive Risk Enumeration) algorithm that will help agencies track their progress on overall cyber hygiene.
- In the longer term, the program wants to develop a version 2.0 of the AWARE algorithm that can generate a score down to the system level, rather than just the agency level.
- As agencies sign onto new Enterprise Infrastructure Solutions (EIS) contracts, the CDM program “will be aligning with that” as part of the larger objective to follow agencies in their path to cloud services and security.
- The CDM program will steer clear of creating a vast repository of network sensor data in order to avoid creating an attack target as the volume of that kind of data continues to grow rapidly. That data management effort could be “Herculean,” Cox said, but he added, “I think it’s possible.”
“We want to continue to challenge our assumptions” with the CDM program, Cox said, “and bring solutions that the agencies need” to fight adversaries and to achieve “a really solid defense footing.”