DHS Continuous Diagnostics and Mitigation (CDM) is pivotal to improving government cybersecurity. While it’s critical, it has a lot of moving parts–and that can make it difficult to follow. MeriTalk sat down with Kevin Cox, CDM program manager at the Department of Homeland Security, to get a handle on the state of CDM, as well as an understanding of where the program goes from here. And, it’s quite a story–so I hope you’re sitting comfortably; feel free to grab a cup of coffee.
The mission of the DHS CDM is to fortify the cybersecurity of all civilian government data and networks by providing capabilities that deliver relevant, timely, and actionable information. Now under the stewardship of Kevin Cox, the program is working to accommodate lessons learned from earlier phases to ensure continuous improvement and build upon program successes. As technologies and threats have evolved, the program has strived to stay current, while remaining flexible, innovative, and relevant in helping government solve its cyber challenges and protect its networks and data.
Where Are We Today?
CDM is structured in four phases. The focus of each phase is:
Phase 1–What is on the network?
Phase 2–Who is on the network?
Phase 3–What is happening on the network?
Phase 4–How is data protected?
Partnering with GSA, the CDM program established the CDM Blanket Purchase Agreement (BPA) in 2012 and awarded task orders for Phases 1 and 2 starting in 2015. Both phases will wrap up by autumn 2018. DHS offers the Phases 1 and 2 capabilities to 23 CFO Act agencies–and as a shared service to more than 52 non-CFO Act agencies.
Phase 1–Laying the Foundation
Phase 1 focused on device discovery, the implementation of continuous monitoring sensors, and creation of a master device record. It allows agencies to shine a light into the recesses of their networks to understand their assets. Cox explained that Phase 1 has been a big success. It helped agencies, on average, find that they had more than 75 percent more assets attached to their networks than originally reported–in some cases that number was as high as 200 percent. But, discovery is not a one-and-done performance–the implementation of sensors is key to providing agencies with near real-time understanding of their inventory.
“Beyond discovery, it’s about automating to drive near real-time awareness so agencies can become more proactive in protecting their environments,” Cox said.
CDM + FITARA
CDM’s automatic discovery capability is attracting attention in the CIO Council and from GAO and the Hill, who are asking questions about how CDM could help “cut the Gordian knot” on identifying Federal data centers and support agencies in keeping track of their software licenses–as required by the MEGABYTE Act of 2016. If CDM can help with counting, it could have a significant role to play in the FITARA Scorecard–Data Center Optimization Initiative (DCOI) and MEGABYTE are important categories that feed those FITARA grades.
Phase 2–Understanding the User Population
So, if Phase 1 is about devices, Phase 2 is all about the users. It focuses on a series of actions–identifying credentialed users, developing understanding of who has access to what resources, and checking to see if users’ privileges are properly aligned with their work responsibility/need to know. Further, it allows agencies to understand how users behave on the network and creates the master user record.
Moving Forward–CDM DEFEND, a New Acquisition Strategy
DHS is embracing a new approach for CDM acquisition moving forward. Known as DEFEND–Dynamic Evolving Federal Enterprise Network Defense–the next CDM acquisition strategy covers lifecycle maintenance for phases 1 and 2, as well as new functionality in phases 3 and 4 and the Dashboard.
Rather than create a new CDM BPA, the CDM PMO will utilize GSA’s Alliant and Alliant 2 Government-Wide Acquisition Contracts (GWACs) for DEFEND. And the PMO’s taking lessons learned from phases 1 and 2 to take DEFEND to the next level–that means expanding task orders from two-to-three years to five-to-six years, increasing the contract ceilings, and building in additional flexibility to support future requirements.
Phase 3–It’s Big, It’s Really Big
Phase 3 looks at what’s happening on the network. It will create a master system record, which aligns with the master device and master user records. This allows agencies to see what devices are connected to which systems. It also creates a master incident record, so that agencies can see what incidents are associated with which devices and systems. Through this effort, Phase 3 will standardize incident reporting–thereby enabling consistent incident reporting across the Federal enterprise. Phase 3 also will support incident response optimization and enhanced boundary protection. Additionally, it will begin providing cloud and mobility discovery and protections for the agencies.
Under the traditional, manual approach to FISMA certification, system owners and auditors would manually identify how system controls are configured. With the new CDM capabilities from phases 1 and 2 and ongoing assessment efforts in Phase 3, system owners will also be able to automate reporting for many of the key system controls and share this information with auditors. Additionally, with the implementation of ongoing authorization, another Phase 3 effort, agencies will be able to authorize their systems once and then monitor them continuously thereafter, as long as the security controls for the systems remain in acceptable ranges.
“Technology cannot change the paper burden alone,” said Cox. “In order for CDM and ongoing authorization to help agency CISOs achieve greater effectiveness and efficiencies, we need to engage in meaningful dialogue with the IGs–and that means sitting down with the Council of the Inspectors General on Integrity and Efficiency–CIGIE. In partnership with the IG community, we’ll be able to help agencies take advantage of the new automated capabilities. If we continue to do FISMA the same old way, then CDM is not being used to its fullest extent.”
Phase 4–Data Defense
The next CDM phase on the horizon focuses on securing the data. It’s about data protection, encryption, and, as needed, architectural system improvements. Phase 4 capabilities support the overall CDM program goals to identify cybersecurity risks on an ongoing basis, prioritize those risks based upon potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first.
“Today, each CFO Act agency has their own operational CDM dashboard,” said Cox. “And, we’re in the process of implementing a shared service dashboard for non-CFO Act agencies. These agency dashboards display object level data–so agencies can zero in on a specific device and identify its security posture.”
“The Federal CDM dashboard is also operational today for the DHS National Cybersecurity and Communications Integration Center (NCCIC),” said Cox. “The Federal dashboard ingests summary data feeds from the agency dashboards, allowing the NCCIC analysts to monitor security posture across the Federal enterprise. We’re still establishing the information exchanges between agency dashboards and the Federal dashboard. We have 17 CFO Act agencies feeding data–and the remaining six CFO Act agencies are scheduled to come on line in the next month. The CDM dashboard is not public facing as the information is very sensitive.”
And, DHS has plans for the dashboards to provide agencies with automated, continuous information that will support their cyber hygiene efforts and FISMA reporting starting in Federal fiscal year 2019.
“Our current goal for the dashboard is 72-hour data currency,” said Cox. “That’s a huge upgrade from today’s quarterly security updates. That being said, we will continue to make it even better. As we move into Phase 3, we will push to deliver a more real-time picture and provide greater value to the agencies and the Federal enterprise.”
AWARE–Cyber Hygiene Scoring
Better security is a journey, and the CDM PMO recognizes the requirement to keep moving. That’s why the CDM PMO is looking to roll out the Agency Wide Adaptive Risk Enumeration (AWARE) security posture algorithm in summer 2018. DHS is developing AWARE in partnership with the civilian agencies. The algorithm is modeled after other risk scores agencies have developed, and it provides an indication of whether agencies are effectively patching and configuring their networks. AWARE is about cyber hygiene and reducing agencies’ attack surface.
Cox recognizes the AWARE algorithm does not fully measure risk management, but it’s a step forward. “Risk management is not just about which systems are patched and how many vulnerabilities exist on each device,” said Cox. “You also need to understand the significance of the system and a number of other factors. Patching doesn’t make you safer if you leave other doors open on critical systems. There’s work ahead for AWARE–but it’s a good first step.”
So, there you have it–CDM, the story so far. Thank you to Kevin Cox and the CDM PMO for breaking it down–and mapping the road ahead.