Oct 31 2017

ELC 2017: A New Era Approaches for DHS’s CDM Cybersecurity Program

The Department of Homeland Security is standing up a federal CDM dashboard and launching new ways for agencies to buy IT security tools.

Most agencies are still in the early stages of implementing the Department of Homeland Security’s Continuous Diagnostics and Mitigation program, but DHS wants to ensure that agencies can use CDM to protect their networks and IT for years to come.

DHS is working with agencies to have them feed cybersecurity threat information captured by CDM into a federal dashboard, which will give DHS a broader view of IT security threats across the government. Additionally, DHS is partnering with the General Services Administration to roll out a new procurement vehicle so that agencies can more easily add cybersecurity tools in the years ahead.

Speaking at a session at the 2017 ACT-IAC Executive Leadership Conference in Williamsburg, Va., officials from DHS and GSA said that although agencies have made progress on getting CDM in place, they need more time to implement it as cybersecurity evolves. DHS runs the CDM program in partnership with the GSA.

CDM, launched in 2013, allows agencies to monitor their IT systems and then respond almost instantaneously to vulnerabilities. The program enables agencies to prioritize the risks based on how severe they might be in an effort to let cybersecurity personnel mitigate the most significant problems first. CDM offers commercial off-the-shelf tools — hardware, software and services — that agencies can access via a central fund.

As FedTech recently reported, the program consists of four phases of activity designed to provide network administrators with real-time (or near real-time) information about the state of their networks.

Each phase is designed to answer specific questions:

  • Phase 1: What is on the network?
  • Phase 2: Who is on the network?
  • Phase 3: How is the network protected? What is happening on the network?
  • Phase 4: What role exists for emerging tools and technologies?

A New Dashboard for CDM

Kevin Cox, program manager for CDM at DHS, said that DHS approaches CDM with an “ABCD” model that captures and surfaces threat information. In the A layer, sensors in the network give admins visibility into what devices are on the network and how users are acting. The B layer takes that information and standardizes it.

That information then feeds up to agency dashboards in the C layer. DHS is working with agencies to produce reports based on those dashboards that let agencies know what their vulnerabilities are and how they can be patched. The D layer is the federal dashboard, which DHS is standing up and which will collect the feeds from all of the agency dashboards to give a governmentwide view of threats.

DHS's Kevin Cox, left, speaks with GSA's Jim Piché about the CDM program at ELC 2017. Photo credit: Phil Goldstein

Last week, the Environmental Protection Agency was the first to exchange data with the federal dashboard, Cox said. The dashboard is being built by RSA Archer, Cox told FedTech, and is being run inside DHS’s protected operating environment. DHS expects a wave of agencies to connect to the federal dashboard by Thanksgiving and plans to have the dashboard fully deployed by February 2018.

Every CFO Act agency has its dashboard up and running, Cox said, and by February DHS plans to launch a shared service that will serve as a multitenant dashboard for smaller agencies. That shared-service platform will feed into the federal dashboard, and could be a model for other CDM shared services for larger agencies, Cox said.

DHS and GSA Prepare for the Future with DEFEND

The federal dashboard isn’t the only new part of CDM. DHS and GSA want to make it easier for agencies to get cybersecurity equipment and services.

In August, Federal News Radio reported, DHS and GSA released the first new task order, called DEFEND (Dynamic and Evolving Federal Enterprise Network Defense), under the Alliant governmentwide acquisition contract. DEFEND replaces blanket purchase agreements (BPAs) that expire in August 2018. DHS and GSA will allow systems integrators to compete for task orders.

Cox emphasized that the government needs industry’s help to protect agencies’ IT assets. “We, DHS and government, don’t have all of the ideas in this space,” he said. “We need industry’s help to get the most work and the most effective solutions in place.”

Jim Piché, homeland security director for GSA’s Federal Systems Integration and Management Center, said that under the BPAs, from 2014 to 2016, GSA and DHS helped agencies buy tools to find out what was on agencies’ networks.

CIOs, CISOs and vendors are smarter now, Piché said, and the DEFEND task order will allow agencies to more quickly deploy cybersecurity technology as the IT and threats evolve. DEFEND will allow agencies to bring on new technology “without being caught up in acquisition cycles.”

DEFEND task orders run five to six years, Cox said, which “gives us an opportunity to do a lot more work, and we need to take that opportunity, because there still is a lot more work to do.”

The DEFEND task orders will allow DHS and GSA to issue requests for service for discrete kinds of cybersecurity work, including cloud, access management, mobile and more. The task orders will be incrementally funded, Piché said: DEFEND “allows us to redefine, ‘What is better cybersecurity?’ in 2019 and 2020. Government can be inspired by industry innovators, and government will make requests for service.”

The new task orders will allow agencies to define the services they need and how they will be deployed. The systems integrators will then propose a cost, and the government will work with the company to come up with “a workable solution,” Piché said.
