While a clear majority of stakeholders in the Continuous Diagnostics and Mitigation (CDM) program believe that CDM is more important than ever in defending against cyber breaches, only a small fraction praise CDM for its ability to build civilian government network resilience following a breach.
Those findings come from MeriTalk’s recent survey of 100 Federal and industry CDM stakeholders in the wake of the high-profile cyberattacks via SolarWinds Orion and Microsoft Exchange products.
The CDM: More Critical Than Ever study found that 78 percent of stakeholders believe the SolarWinds breach increased the importance of CDM. But only 20 percent awarded the program an ‘A’ grade for its ability to help agencies build network resilience after those kinds of breaches.
Further, 76 percent said that the CDM program needs a “post-SolarWinds makeover” by increasing prioritization of network security management, identity and access management, and data quality/protection. And an even larger share – 93 percent – agreed that the SolarWinds breach should be the motivation to completely rethink Federal cybersecurity.
In the short term, 53 percent of CDM stakeholders expect to face challenges redirecting funds to cyberattack recovery efforts, and 43 percent see difficulties in consolidating or reprioritizing government-wide cyber programs. Stakeholders also anticipate challenges related to staff redirected from CDM to recovery efforts, a loss of confidence in CDM from senior leadership, delayed program checkpoints, and delayed zero trust progress to support recovery.
These expected challenges can be seen as running in lockstep with the reasons that the Federal government’s cybersecurity measures failed to protect systems against the SolarWinds hack in the first place. Among the reasons stakeholders cited for Federal cybersecurity measures failing to detect the SolarWinds intrusion for several months: a lack of consistent application of cybersecurity best practices; the sophistication of the hack; a lack of coordination with allies and/or industry partners; slow implementation of Federal cybersecurity programs; and a lack of Federal capabilities to address unknown or zero-day threats.
To build better resiliency into networks and systems, stakeholders agree the biggest improvement that the CDM program can make is to improve integration with other cyber efforts like zero-trust adoption. Further improvements that stakeholders identified include more consistent funding; greater support from executive leadership; increasing procurement speed; and reducing the complexity around CDM acquisitions.
“The SolarWinds hack highlights what many of us on the Intelligence Committee who study the issue seriously have been saying for years – cybersecurity is one of the most urgent issues facing our nation,” said Rep. Jim Himes, D-Conn. “Clearly, there is an immediate need to ensure that government is making strategic investments, prioritizing cyber defense, and working closely with the private sector to protect from the economic and national security harms of cyberattacks.”
Pushing Zero Trust Forward
The future of maximizing the cyber resilience of networks and systems involves improving zero trust adoption, 85 percent of stakeholders say, along with providing more consistent security funding.
The biggest step in adopting CDM principles in support of a zero-trust mindset is to implement multi-factor authentication, 58 percent of stakeholders say. Other critical components to implementing zero trust include providing zero-trust training to the IT and non-IT workforce; investing in identity and access management; employing an identity management system; and evaluating and configuring trust relationships.
The CDM: More Critical Than Ever study is available for complimentary download.