The acting director of the Cybersecurity and Infrastructure Security Agency (CISA) told senators on March 18 that CISA is making efforts to complete deployment at Federal civilian agencies of the first two phases of the Continuous Diagnostics and Mitigation (CDM) program by the end of this year as part of a push to shore up Federal cybersecurity after the SolarWinds Orion hack.
CISA Acting Director Brandon Wales discussed that CDM deployment goal at a hearing of the Senate Homeland Security and Governmental Affairs Committee that looked at the Federal response to the SolarWinds and Microsoft Exchange cyber attacks.
Sen. Maggie Hassan, D-N.H., said “it’s clear we need to improve CDM,” and noted that some Federal agencies have had problems with deployments. In particular, she asked what CISA, along with the Office of Management Budget (OMB), are doing to make sure that agency CDM deployments are far enough along to include monitoring of all devices on networks.
“We are focused on the small number of agencies” that have had problems with deploying CDM tools, Wales responded. He said CISA has had “success in getting almost all Federal agencies … to a common baseline” of CDM deployment.
“There are some outliers,” he said, adding, “we are working hard to close out” deployments of the first two phases of CDM at all agencies in 2021.
The first two phases of the CDM program focus on deploying network sensors and tools to identify and manage network assets and vulnerabilities and to manage network user credentialing and authentication. The program is in the process of rolling out new dashboards at the agency and CISA levels that help provide greater visibility into the data produced by those efforts. The first two phases of the program are considered essential precursors to the second two phases that focus on achieving better network security and data protection management.
“We believe that CDM is really the foundation to make sure we can get capabilities out to agencies” and “have a common baseline of tools,” Wales said. After that, moving to the third and fourth phases of CDM will yield “deeper insights into what is happening at Federal agencies,” he said. Currently, Wales said, CISA faces limitations “seeing into” agency networks.
Testifying at the same Senate hearing, Federal CISO Christopher DeRusha said his office is “aware of some challenges at certain agencies for implementation” of the CDM program. Helping agencies to speed their implementation is a “priority for CISA and OMB” to help realize the “full vision” that includes real-time network monitoring and the use of all CDM data up to the CISA-level dashboard.
Wales told Sen. Hassan that the $650 million of new funding coming to CISA through the American Rescue Plan Act will help the agency put in place better endpoint detection and response tools that “will give us better ability to respond and spot anomalous behavior before it moves into a network.”
“We have now come to the point where those more sophisticated tools are within our reach,” he said.
Increasing CISA’s visibility into Federal agency networks, and driving adoption of network architectures toward zero trust concepts were among four strategic areas in which Wales said he was seeking improvements.
Regarding the help that CISA provides to agencies, Wales said his agency acts “as a resource” to supplement services that agencies are already getting from their engagements with cybersecurity firms. During the response to the SolarWinds hack, he said the more substantial parts of CISA’s assistance to agencies include “providing cloud-based forensics” that show agencies what is happening in their cloud-based networks.
“That’s a positive part of the story,” he said. “We are very happy with the degree of collaboration we are getting” with agencies when it comes to looking at compromises, he said.
Wales also said that CISA was seeing success in getting quicker Federal agency responses to binding operational directives that it issues to fix critical vulnerabilities. Deadlines to close those vulnerabilities used to stand at 30 days, but now are closer to 15 days. “Agencies have gotten better at this,” he said.
Ultimately, Wales said, CISA wants to make it easier to conduct threat “hunting” activities on agency networks, but currently needs permission “to install our stuff on their networks.” He said the agency was looking to put out guidance in the “very near future” on whether it needs to make contract adjustments to enable that ability.
Sen. Gary Peters, D-Mich., chairman of the Senate committee, said the panel plans to hold more hearings on the hacks “as we look at ways that Congress can support your efforts.