Apr 12 2016

GITEC 2016: DHS’s CDM Security Program Has Benefits, but a Long Way to Go

Federal officials agree that the Continuous Diagnostics and Mitigation effort has helped agencies beef up cybersecurity, but there is still more work to do.

One of the most ambitious cybersecurity programs that stretches across the federal government has achieved a great deal, but is only partly complete, according to several federal officials. During a panel discussion at the 2016 GITEC Summit in Baltimore, officials praised the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) initiative, but noted that the multiyear effort still has a lot of room to mature.

In 2013, DHS teamed up with the General Services Administration on a five-year, $6 billion effort to give civilian agencies the tools and services required to monitor their IT systems and then respond almost instantaneously to vulnerabilities. According to DHS, CDM identifies cybersecurity risks on an ongoing basis, then prioritizes them by how severe they might be, so that cybersecurity personnel can mitigate the most significant problems first.

The first phase of CDM focused on securing endpoints, managing hardware and software assets, as well as configuration management and vulnerability management. The second phase, which is coming up, will focus on access control management; security-related behavior; and managing credentials, authentication and privileges.

Benefits of CDM

Commerce Department CISO Rod Turk said “we’re all in for CDM.” Turk, who also serves as the director of the office of cybersecurity at Commerce, said that the CDM program has been “one of the first opportunities that we’ve had to bring in a shared-services approach that has a common functionality across a very diverse set of functionalities.”

Turk explained that the agency has a wide range of components, from the Census Bureau to the National Oceanic and Atmospheric Administration and the Patent and Trademark Office. CDM has helped the agency secure those different components.

CDM gives the CISO’s office at Commerce a broad visibility into the agency’s security status but lets the different agency components actually put patches in place and conduct mitigation, he said.

Other agencies are working with Commerce on CDM, Turk noted, adding that he set up a working group with the CISOs of the departments of Veterans Affairs and Agriculture to help implement CDM more efficiently.

Challenges Lie Ahead

Despite the benefits of CDM, finishing up the current phase and starting the next one will bring with it some clear hurdles. Agriculture CISO Chris Lowe said that the agency is operating an environment with 57,000 end-user devices, many of which are literally out in the field.

“There is no magic wand” to make them secure overnight, Lowe said, adding that endpoint security needs to be worked, reworked and prioritized relative to the agency’s mission priorities.

“Technology is easy,” he said. “At the end of the day, it’s the cultural challenge that makes or breaks it.”

