The Cybersecurity and Infrastructure Security Agency’s (CISA) Continuous Diagnostics and Mitigation (CDM) program offers a wide range of security benefits for Federal agencies. Still, a CISA official wants to help agencies unlock the program’s full potential.
During MeriTalk’s “CDM: The Multitool in Your Cyber Kit” webinar on June 23, CISA’s CDM Shared Services Portfolio Manager Geri Clawson talked about how CISA works with agencies, gathering program feedback to help them realize the full benefits of the program.
Clawson discussed MeriTalk’s latest research on the CDM program’s importance in the period since the Biden administration’s May 2021 cybersecurity executive order gave Federal agencies firm marching orders to improve security.
The research found that 93 percent of Federal and industry CDM stakeholders say the CDM program has improved Federal cyber resilience in the past year. However, just 28 percent of Feds give their own use of CDM an “A” grade.
“I believe there may be some folks who are disappointed that CDM is not a silver bullet,” Clawson said of the research. “We do provide visibility but there’s still work to be done. I mean, that’s why it’s continuous, right? It’s a continuous diagnostics and mitigation program.”
“Unfortunately, I think because it is not a silver bullet and it’s not a one and done, there may be some expectations that were not met,” she added. “So, perhaps a paradigm change to treat CDM as the beginning of an effort to have continuous visibility, and that it is the start of continuous coordination between CISA and the agency to help improve what we can find today, perhaps that slight paradigm shift might help the expectation of what CDM brings.”
“The fact is, we provide visibility, not remediation, and I believe that might be why CDM has not received the ‘A’ score,” Clawson said.
Currently, Clawson said, the CDM program’s shared service platform – which serves the smaller Federal agencies that make up CDM Group F – has 75 agencies eligible to participate, and 50 agencies have already gone live with their CDM dashboard. According to Clawson, CISA plans to have 60 agencies live by the end of this calendar year.
Clawson said CISA welcomes continued conversations with its customer agencies to ensure CDM is “more than just a compliance-based activity.” She said CISA values feedback from the agencies and incorporates that feedback into the next “iteration of tools” CISA provides, and how they are fed into the CDM dashboard.
CISA holds stakeholder meetings with its customer agencies every six months so that it can “have a dialogue about what we’re planning for the next six months” and ask for agency feedback, Clawson said.
Additionally, CISA talks to its agencies on a biweekly or monthly basis to discuss the steps for CDM implementation and operations. In both types of conversations, Clawson said CISA asks the agencies if the CDM program aligns with their priorities and “how can the things that we’re already providing you help meet some of these needs?”
“With the 50 agencies that we have today and 60 by the end of the calendar year, we are definitely making huge strides with our small agencies who want to do right and who want to follow the cybersecurity executive order tasks, as well as the binding operational directives,” Clawson said. “And they started doing that through CDM and hopefully we can continue to help them.”