Federal agency progress in implementing the Cybersecurity and Infrastructure Security Agency’s (CISA) Continuous Diagnostics and Mitigation (CDM) program would benefit from a kick-start from Congress in the form of more funding for the program, along with money for agencies that have to pay for the additional security capabilities on an ongoing basis.
That was one recommendation from former Department of Homeland Security (DHS) CIO Karen Evans at MeriTalk’s CDM Central: the Age of Cyber Defenders on May 12.
Evans – who was CIO at DHS for most of last year, and before that was assistant secretary for cybersecurity, energy security, and emergency response (CESER) at the Department of Energy from 2018 to 2020 – explained that CDM and zero trust security concepts work together, but that improving security at Federal agencies remains no easy road.
“One area that I think Congress could really help is the way that the CDM program is funded,” Evans said at the conference. “The initial implementation monies are supposed to be funded through the CDM program. So when you look at what CISA’s budget is, the demand exceeds what the funding is.”
“And then you have to bring into sync the operations and maintenance costs of the ongoing CDM program,” Evans added. “So, I think Congress could really help with knitting that together so that we could accelerate the implementation of CDM. … Then it enhances the role that CISA really needs and it improves [the CDM program], based on what the intent really is for.”
When asked what the priorities should be for the $1 billion infusion into the Technology Modernization Fund (TMF) provided by the American Rescue Plan, Evans turned to implementation of zero trust security architecture across the Federal government.
“Really dealing with zero trust architecture and having CISA really provide that leadership all about how to integrate those principles both into the modernization of what the agency is doing and then through the actual implementation of the CDM program [should be the focus],” Evans said. “I think if the funds are applied that way, it would really strengthen the Federal civilian agencies.”
Recent high-profile intrusions have spurred “all-of-government” approaches. Evans said collaboration in these cases is key, and pointed in particular to the relationship between CISA and the DHS CIO.
“I think the unique relationship of the DHS CIO with CISA gives it an opportunity to really integrate and update some of the things that you’re talking about for the improvement of the CDM program,” Evans said. “The CIO is really responsible for the operational aspects, and so when we were implementing the CDM program, we kind of leapt ahead because we were in a virtual environment and the threat landscape changed.”
Evans said there is a lot of flexibility in how CDM is implemented, even if the implementation schedule itself is pretty rigorous.
“The rigorous implementation schedule, I think, is where some people may get caught up in what they think, ‘Okay, maybe it’s not as flexible,’” Evans said, adding, “because CISA is held accountable to getting these milestones implemented, and many agencies are held accountable for getting the milestones implemented.”
“The challenge comes with the implementation,” Evans continued. “Because you think it’s going to be a certain way, and then when you get into the actual implementation, you’re finding out how you have to work with the component organizations within your department.”
“What you’re really trying to do is get that visibility so they can be seen all the way up into the dashboard, all the way over to CISA so that CISA has that government-wide view. That takes a lot of engineering and takes a lot of partnership within the components, within the department, and CISA to make it happen,” she said.