CDM is all about numbers – $6 billion, 17 primes, legions of subcontractors, and one big question. Is the shiny new program making Uncle Sam’s cyber security safer? This’ll be a focal point of the Cyber Security Brainstorm on June 18 at the Newseum. More than 250 Fed cyber security execs have registered – so space is tight. But back to the question – how’s CDM doing? Are the customers satisfied?
Under the Hood
Only one way to find out – take a peek under the hood. So, MeriTalk’s Cyber Security Exchange asked Fed cyber security execs in the agencies if CDM’s a Lamborghini or a lemon? We put the analysis wrenches down – and rolled out the CDM: Under the Hood study on Monday.
Good First Lap
DHS tells us that agencies burned rubber to meet OMB’s CDM deadlines. More than 96 percent of agencies met the April 30 deadline to identify a CDM manager in their agency. More than 87 percent met the May 30 deadline to deploy products to support the new security management approach.
Find the Accelerator, Please
Quizzed about roll out and task order processing timing, 58 percent of Feds want to accelerate program phase roll out. Fifty-one percent want phase one solutions task orders processed more quickly – flag for Jim Piche and his team at GSA. Providing recommendations on how frequently to refresh security assessment and discovery information, Feds want more real-time updates. Today, the plan for CDM is to provide updates to agencies every 72 hours. Ninety percent of Fed cyber execs want daily updates, and 56 percent want updates every hour. Thirty-two percent want real-time intelligence.
As the cyber security market shifts from compliance to risk management, CDM corners like it’s on rails and eats up the asphalt on the straightaway. Asked about the benefits CDM provides in their agencies, Feds revved their engines. Fifty-six percent say CDM reduces operational risk. Fifty-five percent point to enhanced risk prioritization – allowing cyber security pros to get to the worst issues first. Fifty-four percent point to quicker risk mitigation times – and 51 percent say CDM reduces time spent on paperwork.
FISMA Fork in the Road
Speaking of paperwork, it’s impossible to put CDM on the lift without road testing it against FISMA. I asked OMB about CDM and FISMA – do agencies still need to pay for FISMA if they’re doing CDM? OMB clearly said yes. “Yes. FISMA is the law.” The study provides interesting insight on the relationship between cyber security’s favorite acronyms – LOL. The net up front – FISMA’s far from RIP. Only 13 percent of Fed cyber execs consider FISMA OBE – saying that they have enough data to do away with FISMA. Fifty percent say they need FISMA today until CDM produces more data. Twenty percent say CDM will never replace FISMA. Interestingly, 17 percent are unsure.
Fed cyber security leads tell us they spend 25 percent of their cyber security budgets on FISMA compliance. Chipping in on future plans for FISMA reporting provides important insight on how CDM and FISMA can run together. Thirty-six percent plan to automate FISMA monthly reporting. Forty-two percent plan to swap out the automated dashboard for today’s quarterly/annual reports. Disappointingly, 24 percent have no plans whatsoever to change their reporting behavior.
Real takeaway, NIST and DHS need to get together to tell one story. How do these programs fit together –and what’s the roadmap for the future? And, speaking of confusion, or perhaps insecurity, the Federal cyber security initiatives need a branding makeover. How will the government achieve clarity if it keeps coming up with new terms?
Seems cyber execs like their new Streufert speedster. Looking down the road, Feds point to training, budget, legacy integration, technical complexity, culture, acquisition, and leadership supports as major speed bumps to accelerating CDM – check out the study for the stats. What do they need to pimp their CDM ride? Fifty-eight percent of Feds want more analytic capabilities. Next on the grid are critical application resilience, common trusted identities, automated tools, and enhanced RoI metrics – again, check out the study for stats.
So, there you have it, the numbers on CDM. If you’re interested in the voice track, we’ll look forward to meeting you in the pits at the Cyber Security Brainstorm at the Newseum on June 18. John Streufert’s in pole position on the CDM panel.