This year will be a significant one for the Department of Homeland Security’s Continuous Diagnostics and Mitigation program, as more agencies adopt its tools and as DHS rolls out new ones to enhance government IT security.
A report from the Government Accountability Office, released in January, makes clear that agencies still have a way to go in deploying all of the CDM program’s tools, though progress has been made. Meanwhile, DHS is moving ahead with plans to launch a new cybersecurity risk score for agencies.
And guidance released last fall from the Office of Management and Budget gives agencies more flexibility to deploy non-CDM tools, but says they must provide a “sufficient justification” for doing so.
Agencies Still at the Early Stages of CDM Adoption
CDM, launched in 2013, gives agencies near-real-time visibility into the state of their IT systems so they can find and remediate vulnerabilities quickly. The program lets agencies prioritize risks by severity so that cybersecurity personnel can mitigate the most significant problems first. CDM offers commercial, off-the-shelf tools — hardware, software and services — that agencies can acquire through a central fund. DHS runs the CDM program in partnership with the General Services Administration.
The program consists of four phases of activity designed to provide network administrators with real-time (or near real-time) information about the state of their networks.
Each phase is designed to answer specific questions:
- Phase 1: What is on the network? Per the GAO, Phase 1 “involves deploying products to automate hardware and software asset management, configuration settings and common vulnerability management capabilities.”
- Phase 2: Who is on the network? Phase 2 “intends to address privilege management and infrastructure integrity by allowing agencies to monitor users on their networks and to detect whether users are engaging in unauthorized activity.”
- Phase 3: How is the network protected? What is happening on the network? Phase 3 “includes detection capabilities that are intended to assess agency network activity and identify any anomalies that may indicate a cybersecurity compromise.”
- Phase 4: What role exists for emerging tools and technologies? Phase 4 “intends to provide tools to (1) protect data at rest, in transit, and in use; (2) prevent loss of data; and (3) manage and mitigate data breaches.”
According to MeriTalk, the CDM program office is “doing away with the term ‘phases’ to focus on the holistic nature of the program, and to note that implementation will be ongoing, rather than sequential.” Phase 1 is now Asset Management; Phase 2 is Identity and Access Management; Phase 3 is Network Security Management and Phase 4 is Data Protection Management.
DHS offers Phase 1 and Phase 2 capabilities to the 23 CFO Act civilian agencies and, as a shared service, to 52 non-CFO Act agencies, MeriTalk notes.
According to the GAO report, as of June 2018, only eight agencies had fully implemented CDM Phase 1, and 15 were still in the “partial implementation” category. Just two agencies had implemented Phase 2, with 17 in the partial implementation category and four that had not implemented it at all. Four agencies had partially implemented Phase 3 and 19 had not implemented it at all. Agencies are likely further along now in their CDM adoption than they were in June.
The GAO report says that “most agencies told us that they wanted DHS to provide more training and guidance as it relates to their implementation of the capabilities made available by” the EINSTEIN intrusion detection system and CDM.
DHS plans to have all Phase 1 tools deployed at participating agencies by the end of the second quarter of fiscal year 2019, which would be the end of March, according to the GAO. DHS also plans to have all Phase 2 tools deployed at participating agencies by the end of September 2019. Full operating capability for Phases 1, 2 and 3 should be achieved by the end of fiscal year 2022.
Jeanette Manfra, assistant director for cybersecurity and communications at the Cybersecurity and Infrastructure Security Agency, told Federal News Network last fall that Phase 1 “was pretty near full completion of deployment.”
“What that does for us and agencies is provide a level of visibility into your attack surface, what’s in your network,” she said. “A lot of agencies didn’t have that fidelity before. Some did and had a fair amount of continuous monitoring tools deployed, but now you have standard tool sets that are being deployed at this level of visibility. And when you add a dashboard into it, what we will focus on is vulnerability management first.” All of the CFO Act agencies now have their agency cybersecurity threat dashboards feeding into a federal dashboard, which gives DHS an enterprisewide view of real-time threats across government.
Over the course of 2019, Manfra told reporters last fall, DHS wants to implement faster threat detection processes using the dashboard. “As soon as we know there is a critical vulnerability, or something that is very likely to be exploited, we can then help agencies more efficiently direct their resources to those,” she said. “It’s not perfect. We continue to work on it. But that’s where we are.”
In late November, Kevin Cox, DHS’ CDM program manager, discussed with MeriTalk the DHS’ Agency-Wide Adaptive Risk Enumeration (AWARE) score, which is expected to go live by the end of March. AWARE will allow agencies to prioritize cybersecurity vulnerability mitigation activities using threat data combined with agency dashboard data on the existence of known vulnerabilities and the FIPS 199 information system impact level (high, moderate or low), as a White House report notes.
“What AWARE is, is similar to a credit score,” Cox told MeriTalk. “It’s looking at a couple of key variables, and then assigning a score to that agency to help understand how that agency is doing overall with that cyber hygiene process. By looking at the total number of endpoints against the score, we can come up with a per-endpoint average, so you can look agency by agency and see how each agency is doing compared to the other agencies, and we’ll be able to have a scale as to what agencies are doing well, and where they might need additional support.”
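To make the scoring idea concrete, here is an added illustration in Python of the kind of model Cox describes: each finding is weighted by its severity, scaled up when threat data says it is known to be exploited, scaled again by the FIPS 199 impact level of the system it sits on, summed per agency, and then divided by the endpoint count so agencies of different sizes can be compared. This is example code written for this article, not AWARE itself; the weight tables, the multiplier, the hostnames and the findings are all assumptions constructed for the example and are not DHS’ actual parameters or any agency’s data.

```python
from dataclasses import dataclass, field

# Illustrative weights: assumed for this example, not AWARE's actual parameters.
IMPACT_WEIGHT = {"low": 1.0, "moderate": 2.0, "high": 3.0}                    # FIPS 199 impact level
SEVERITY_WEIGHT = {"low": 1.0, "medium": 3.0, "high": 6.0, "critical": 10.0}  # CVSS qualitative rating
EXPLOITED_MULTIPLIER = 2.0   # threat data says the weakness is being exploited in the wild


@dataclass
class Finding:
    name: str                # scanner's label for the weakness (hypothetical here)
    severity: str            # CVSS qualitative rating: low / medium / high / critical
    known_exploited: bool = False


@dataclass
class Endpoint:
    host: str
    impact_level: str        # FIPS 199 impact level of the system the host belongs to
    findings: list = field(default_factory=list)


def finding_score(finding: Finding, impact_level: str) -> float:
    """Severity, scaled by threat data and by the impact of the affected system."""
    base = SEVERITY_WEIGHT[finding.severity.lower()]
    threat = EXPLOITED_MULTIPLIER if finding.known_exploited else 1.0
    return base * threat * IMPACT_WEIGHT[impact_level.lower()]


def endpoint_score(ep: Endpoint) -> float:
    return sum(finding_score(f, ep.impact_level) for f in ep.findings)


def agency_score(endpoints: list) -> dict:
    """Aggregate an agency's endpoints into a raw total and a per-endpoint average."""
    total = float(sum(endpoint_score(ep) for ep in endpoints))
    per_endpoint = total / len(endpoints) if endpoints else 0.0
    return {"total": total, "endpoints": len(endpoints), "per_endpoint": per_endpoint}


def rank_agencies(agencies: dict) -> list:
    """Order agencies by per-endpoint average, worst first, so sizes are comparable."""
    scored = {name: agency_score(eps)["per_endpoint"] for name, eps in agencies.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


def prioritize(endpoints: list) -> list:
    """Flatten (host, finding, score) across an agency, highest score first."""
    rows = [(ep.host, f.name, finding_score(f, ep.impact_level))
            for ep in endpoints for f in ep.findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample data: hypothetical hosts and findings, not real agency data.
AGENCIES = {
    "Agency A": [
        Endpoint("a-web-01", "high", [Finding("outdated-tls-library", "critical", known_exploited=True),
                                      Finding("missing-os-patch", "high")]),
        Endpoint("a-ws-02", "moderate", [Finding("missing-os-patch", "high")]),
        Endpoint("a-ws-03", "low"),
    ],
    "Agency B": [
        Endpoint("b-db-01", "high", [Finding("default-credentials", "critical"),
                                     Finding("outdated-browser", "medium", known_exploited=True)]),
    ],
}

if __name__ == "__main__":
    for name, eps in AGENCIES.items():
        print(name, agency_score(eps))
    print("ranking:", rank_agencies(AGENCIES))
    print("first to fix in Agency A:", prioritize(AGENCIES["Agency A"])[0])
```

The constructed data is chosen to show why the per-endpoint average matters: Agency A carries the larger raw total (90 across three hosts) but Agency B, with a single high-impact host carrying 48, ranks worse per endpoint. The `prioritize` list is the agency-side view, putting the known-exploited critical finding on the high-impact web host at the top of the fix queue.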
OMB Offers Updated Guidance on CDM
Last fall, OMB issued new guidance related to the Federal Information Security Modernization Act. The guidance notes that CDM currently provides agencies with “a cost-effective and efficient strategy for achieving government-wide information security continuous monitoring goals.”
Agencies may acquire continuous monitoring tools outside of CDM, the guidance states, but if they do, they are “required to provide sufficient justification” for the decision and must submit a justification memorandum to DHS, OMB and the Federal CIO Cybersecurity Team.
“Agencies are encouraged to provide the CDM PMO feedback on existing tools and input on additional tools that may prove valuable for current or future CDM acquisition vehicles,” the guidance states. “When agencies exchange data with the Federal Dashboard, agencies retain sole responsibility to respond to risks identified through the CDM program and/or its agency’s dashboard.”
Manfra said last fall that “most agencies are very eager to take us up on CDM” and that she did not think the OMB guidance would “somehow shift agencies from not taking it. I actually see them more eager to take our services.”
The FISMA guidance, she said, makes clear that agencies need to take a risk management approach to cybersecurity and align their resources to meet those risks.
“And we’re working with agencies to understand, what’s that baseline, what do we mandate, and then what’s that above area where it’s if needed, that they can take advantage of it,” she said, adding that it was a long-term effort that would not be solved this year.