The Department of Homeland Security is moving ahead on several fronts to accelerate cybersecurity efforts under its Continuous Diagnostics and Mitigation program, with several major CDM contracts expected to be awarded this summer.
DHS will also ramp up efforts to roll out new cybersecurity capabilities related to ongoing assessments, mobile security, network access control and certificate management.
And the agency is also going to evaluate solutions for the next phase of the CDM program, which will focus on data protection.
Taken together, all of the moves, announced roughly over the past month, indicate that DHS is seeking to give more tools to agencies under CDM as they seek to enhance their cybersecurity. The need to speed up the deployment of cybersecurity capabilities likely became more acute after the late May release of the “Federal Cybersecurity Risk Determination Report and Action Plan,” in which the Office of Management and Budget and DHS determined that 71 of 96 agencies (74 percent) participating in a federal risk assessment process “have cybersecurity programs that are either at risk or high risk.” OMB and DHS also found that agencies are “not equipped to determine how threat actors seek to gain access to their information.”
DHS to Award New CDM DEFEND Contracts
CDM, launched in 2013, allows agencies to monitor their IT systems and then respond almost instantaneously to vulnerabilities. The program enables agencies to prioritize the risks based on how severe they might be in an effort to let cybersecurity personnel mitigate the most significant problems first. CDM offers commercial, off-the-shelf tools — hardware, software and services — that agencies can access via a central fund. DHS runs the CDM program in partnership with the General Services Administration.
The program consists of four phases of activity designed to provide network administrators with real-time (or near real-time) information about the state of their networks.
Each phase is designed to answer specific questions:
- Phase 1: What is on the network?
- Phase 2: Who is on the network?
- Phase 3: How is the network protected? What is happening on the network?
- Phase 4: What role exists for emerging tools and technologies?
Last August, DHS and GSA released a new task order, called DEFEND (Dynamic and Evolving Federal Enterprise Network Defense), under the Alliant governmentwide acquisition contract. DEFEND replaces blanket purchase agreements (BPAs) that expire in August 2018.
DHS will award contracts worth $1 billion this month under DEFEND, FedScoop reports. Kevin Cox, program manager for CDM at DHS, said in mid-June that the contracts would be awarded in “the next few weeks.”
The new task orders, supplied through the GSA Alliant contract vehicle, will provide enhanced increased cybersecurity services and give agencies more flexibility for network security solutions.
“We wanted to make sure that the new task orders we awarded had significant runway to be able to handle a whole lot of different actions in support of future phases,” Cox said, according to FedScoop. “We can now run a lot of different things in parallel. We can run cloud security efforts, mobile security efforts, we can work and support agencies in implementing network access control, certificate management, etc.”
With Phase 3 of CDM, DHS is exploring a “big number of capabilities that we want to eventually support the agencies in getting the capabilities in place,” Cox said, according to Federal News Radio. “With the DEFEND task order we are able to schedule the work over the six years of the task order. We will focus on four main things starting out for all the agencies.”
The four main areas include:
- Ongoing assessments, in which agencies can use automated tools deployed under Phase 1 of CDM to consistently review the cybersecurity posture of systems, FederalNews Radio reports
- Mobile security, to give agencies greater visibility into their mobility device management systems by sending data to their agencywide dashboard
- Network access control, to automatically determine if devices trying to connect to agency networks are properly configured (and quarantine them if they are not)
- Certificate management, to give agencies a singular view of their website certificates
CDM Dashboard Efforts to Get a Boost
Cox has said DHS approaches CDM with an “ABCD” model that captures and surfaces threat information. In the A layer, sensors in the network give admins visibility into what devices are on the network and how users are acting. The B layer takes that information and standardizes it. That information then feeds up to agency dashboards in the C layer. DHS is working with agencies to produce reports based on those dashboards that let agencies know what their vulnerabilities are and how they can be patched. The D layer is the federal dashboard, which DHS stood up earlier this year to get an enterprisewide view of federal cybersecurity.
Cox told Federal News Radio that DHS aimed to get all of the CFO Act agencies feeding into the federal dashboard this month. DHS has also been rolling out a shared service to give smaller, non-CFO Act agencies their own multitenant dashboard.
“With our shared service for the non-CFO Act agencies, we are looking to establish the information exchange for that dashboard around the July timeframe. Then we will start to bring in the visibility from the small and micro agencies as well,” Cox told Federal News Radio. “By mid-to-late summer we’ll start to get visibility across the various agency dashboards. It’s being summarized but it starts to give the federal leadership a good understanding of what the federal landscape looks like.”
DHS is working with smaller agencies that already have capabilities in place to feed data to the federal dashboard. And for smaller agencies that were not using the proper data analytics and collection tools, DHS is working to get them on board in small groups.
“Throughout the summer and into the fall, we will be bringing in about 48 agencies that have signed memorandums of agreement,” Cox said. “At the end of the day, we want to get out to all of the small and micro agencies so we will probably go in to fiscal 2019. We are looking at a population of 75 to 80.”
DHS Exploring Solutions for Protection Phase of CDM
Meanwhile, DHS is looking ahead to the next phase of CDM, the protection phase.
Terence Rountree, deputy director of the GSA’s Office of IT Security Services, said in mid-June that DHS will be evaluating CDM Phase 4 solutions for its approved products list starting the week of July 2.
“They are going to be accepting Phase 4 data protection under the emerging tools and technology area,” he said, speaking at GSA’s IT Acquisition Summit in Atlanta, according to FedScoop.