Continuous Diagnostics and Mitigation (CDM) program manager Kevin Cox delivered an upbeat assessment of the program’s progress in helping Federal agencies fortify their networks against cyber attacks at MeriTalk’s CDM Central: the Age of the Cyber Defenders virtual conference on May 12.
Program Leadership Transition
Cox, who is leaving CISA to become deputy CIO at the Justice Department in the coming weeks, assured conference attendees that the CDM program will remain in good hands.
His replacement has not been named yet, but Cox said, “we’re working with leadership now to get the positions announced and keep things moving at the program level, and then work to identify the candidates to bring in and keep things moving forward on the upward trajectory that we’re on.”
“We worked over the years to build redundancy throughout the organization in each of the different functional regions to make sure that folks have everything documented and folks have deputies as roles change,” Cox said. “People take on new responsibilities and new positions so that we’re able to do ensure everything keeps moving forward.”
Cox said the CDM program is on a solid budgetary footing after pandemic-generated demand for its services began to outstrip resources in late 2020. He said the program received more money than expected for FY2021 and has “been able to put that directly to use in a number of key areas supporting the agencies, and the dashboard rollout.”
“We have also been working internally with the department over the past couple of years to ensure that the budget trajectory and the overall projections for future fiscal years are on the right trajectory,” Cox said. “So right now, we’re heading in the right direction, have the right support in continuing to use the funding that’s available on the critical work that we’re doing, and then as more funding becomes available, we have ways to quickly get it towards the tasks and keep the work moving.”
“We’re in good shape for FY 2021,” Cox said. “There’s always more than we could be doing, but I think in terms of being able to work on the critical tasks, we’re tracking well on that.”
Endpoint Detection Focus
Further on the funding front, Cox said that some of the $650 million infusion that CISA received earlier this year through the American Rescue Plan Act is being focused on improved endpoint detection capabilities – a key facet of the CDM program.
“In terms of the tranche of money that we did receive, it’s focused on endpoint detection response, endpoint threat detection and response, and identity and access management,” Cox said. The additional funding, he said, is allowing the program “to accelerate some of the things that we already had underway, as well as [provide] some additional support for cloud security – some of the areas we already were working, and we’ll be able to accelerate some efforts moving forward.”
“Within endpoint threat detection and response, it’s really being able to get that work developed, get those requirements developed, and work with all the different subdivisions within CISA … as well as the agencies to get their feedback in terms of formulating the requirements [and] the overall architecture,” he said. That endpoint threat detection and response work, he said, is “going to be very focused, but it’s on tasks that are very important to help the agencies get in place, as well as to really help broaden out some capabilities” already underway.
Cox said the CDM program was closing in on getting agencies fully up to speed on the first two program capabilities – asset management, and identity and access management – that are foundational to the subsequent capabilities of network security management and data protection management.
On the asset management front, Cox said “we’re pretty close there now” with agency capabilities, and that the program’s continuing rollout of second-generation dashboard infrastructure “will really help Federal leadership see where we are from, from the asset management perspective, be able to identify those remaining gaps.”
“We’re working closely with a number of agencies on those gaps, and we have good knowledge of what needs to be done but by and large, the program is nearing completion of that full asset management space and that asset management capability,” he said.
“Likewise, we’re in pretty good shape” on the identity and access management capability, Cox said. “One of the sub-capabilities for identity and access management is credential management, helping agencies understand all their potential users, and we’re really in good shape there,” he said. “There are a few gaps we’re still filling in, but by and large we know what those are.”
Another area “that we will continue to work where there are some gaps that we’re working to get filled quickly is privileged access management,” Cox said. He added, “that’s where some of the supplemental funding we receive will really benefit and help accelerate getting the privileged access management capabilities in place for the agencies, and really get some additional modules in place that will give them more real-time awareness of privileged access activity.”
Speaking of the recent spate of high-profile cyberattacks that have hit government and the private sector, Cox said that if “adversaries are on the network and trying to escalate privileges, those types of modules will sense that activity, alert the security operations folks to inspect and respond to anything that’s out of the ordinary. We’re pretty close in that space, but we do know the gaps, and are working to get those filled so that we can do more on the network security side and data protection side.”
Cox also reported progress on next-gen CDM dashboard installations, saying that 12 of the 24 CFO Act agencies have dashboards in place. “We’re still finalizing the data ingest for a handful of those agencies but by and large, that is all gone very smoothly,” he said.
“We’re continuing to expand beyond those 12, and the target is to have almost all of the CFO Act agencies onboarded with their agency dashboard by the end of the fourth quarter of FY 2021 in September,” he said. “There may be one or two that roll into the first quarter of FY 2022,” he added.
The upgraded dashboard infrastructure, he said, is yielding “extremely improved performance gains, much higher scalability … and the flexibility to plug in additional capabilities,” Cox said. “So everything right now on the dashboard front is tracking well.”
Asked about the outlook for network security management and data protection management capabilities, Cox said “that’s where filling those gaps for asset management and identity and access are critical so that we can really turn our attention and get tasks started to really help agencies in a number of key ways from a network perspective and overall visibility perspective.”
“As agencies have moved more and more to the cloud, we really want to accelerate the work we’re doing with the agencies, work with the cloud service providers, as well as with our own system integrators to get the right data … and identify what data is available that helps improve visibility,” he said. The program can help agencies “identify additional tools that would help provide that broader visibility of everything in the cloud, and really build out the right infrastructure from a cloud perspective so that agencies have as much visibility, as much certainty that that data is protected as they would in an on-prem environment.”
“We also want to do more with mobility … helping agencies understand all their mobile devices, and get additional mobile threat detection capabilities in place, and really continue to lean in on that,” he said.
Much of the program’s work with cloud and mobile security has taken place through pilots with agencies that Cox said help to provide proofs of concepts “because we want to make sure that we can construct the right approach and identify the key technologies.”
“We want to get lessons learned into our planning so that as we widen out the aperture to help support a broader set of agencies, that we’ve tested some things and we have a good sense of what’s going to work and what’s not,” he said. “We’ve gotten a lot of lessons learned from the different pilots we’ve done with the work with cloud,” including incident response reporting and optimization, and network access control, he said.
“We’re looking to, as the funding becomes available, expand those out to a wider set of agencies,” he said. “Likewise, as we look at endpoint detection and response, [we will] look to work with a set of agencies to get lessons learned and then go out with the broader approach,” he said. “We’re looking to do a lot more with network security management in the near future and beyond.”
Finally, Cox spoke warmly of the program’s relationships with Federal agencies and industry in identifying the paths forward for progress with CDM.
He said it’s “critical” that the program and CISA continue to “nurture that relationship with industry and with academia to bring everything to the table to help identify the right way forward, the right solutions, technologies, and processes, and then work to deploy those approaches and work with the agencies to identify what works in their particular environments and make adjustments, be flexible, be nimble, to make sure that at the end of the day we’re meeting the capability requirements.”