Mastering the Basics of Continuous Diagnostics

The government’s newest cybersecurity program has its foundation in old-school practices.

The Continuous Diagnostics and Mitigation program, the federal cybersecurity initiative run by the Department of Homeland Security with assistance from the General Services Administration, is certainly new. But the basics of CDM are rooted in cybersecurity best practices that agencies are well aware of and should be utilizing.

“We have often failed with what you might call cyberhygiene,” John Banghart, director of federal agency cybersecurity at the White House, said of government cybersecurity efforts. “Configuration management, vulnerability management, asset management — if you’re familiar with CDM, those things should sound pretty familiar.”

Banghart told attendees at MeriTalk’s June 18 Cyber Security Brainstorm program in Washington, D.C., that the keys to securing federal IT systems and making the CDM program a success are foundational technologies that agencies should already understand well.

“The work that DHS has done with CDM is critically important because, while it’s not the latest and greatest thing in terms of analytics or Big Data or whitelisting — which are all great technologies and things we should be looking at — it’s the cyberhygiene stuff we need to do a better job with,” he said. “And CDM, as a program, will help drive us in that direction.”

But demonstrating the importance of going back to the basics to a new generation of cybersecurity professionals — a generation the government is keen on attracting — may take some doing. Banghart spoke of addressing a group of graduate students about opportunities in cybersecurity.

“I told them, ‘If you really want to make a difference in cybersecurity, sure, you could be thinking 10 years out, but I would love for you to figure out how we can improve the way we patch our systems or how we can reduce the number of software flaws in the first place,’” he said. “Their eyes started to glaze over because this is an old topic. It’s not a sexy topic.”

One new wrinkle Banghart expects to come from CDM is automated reporting. In his role on the White House National Security Council, he helped figure out how many Windows XP systems were still running throughout the government. Banghart said he received a spreadsheet from DHS that had the number of XP machines divided into two columns: one for the number of machines as reported by agencies, and another for the number of machines that were reported automatically via the Security Content Automation Protocol (Banghart led the SCAP program when he worked at the National Institute of Standards and Technology).

“Out of 60 agencies on that spreadsheet, there was only one case where that number was the same,” he said. “In one case, the amount of self-reported [XP machines] was 27; the amount [SCAP] reported was 27,000 and change…. We need to be able to get at that accurate information. And my assertion is that the machine-readable data — the automated systems — are going to get us closer than going around and asking, ‘How many Windows XP systems do you have?’”

Securing Applications

Meanwhile, agencies are looking at ways to take the tried-and-true practices embodied by CDM and apply them in new areas. Andrew Onello, deputy chief information security officer at U.S. Citizenship and Immigration Services, said at the Cyber Security Brainstorm that his agency is using CDM as a platform to go after rogue applications.

“We’ve moved away from an approach of just looking at our sensors, and we’re looking into applications,” he told attendees. “The network’s great. We’re moving into a maturity model that’s in place with CDM. But we’re now also leveraging it to get us into the application layer and start looking more at the code, start looking at what people are actually doing, and bring some transparency to the application layer.”

Ultimately, agencies believe that the transparency and visibility afforded by CDM will pay off with better cybersecurity.

“It’s a change of culture as we try and move to more real-time and higher-fidelity reporting that we’re just not getting anymore with [the Federal Information Security Management Act],” said Paul Cunningham, chief information security officer at the Department of Energy. “If FISMA worked, we wouldn’t be having this discussion.”

Jun 26 2014