SBA and DHS used the unique configuration of resources at SBA as an opportunity to pilot security tools specific to cloud-based CDM. In 2018, SBA, DHS and the Office of Management and Budget conducted a 90-day experiment leveraging SBA’s implemented cybersecurity cloud tools in order to replicate a Trusted Internet Connection (TIC) access provider. “The results of our pilot were very successful,” Cavallo reports.
A second, broader pilot with DHS is underway to show that the same cloud cybersecurity tools can meet or exceed the goals and objectives of CDM.
Interior Takes an On-Premises Approach to CDM
The Interior Department is taking the more standard path laid out by DHS, which includes a two-year period in which DHS covers the cost of licenses for required CDM technologies.
“This enables agencies to work out-year costs into their regular capital planning and investment control cycles,” says Lawrence Ruffin, Interior’s CISO.
CDM requires collaboration, so together, Interior officials and the CDM Program Management Office defined the requirements for the appropriate selection, architecture, design, deployment, and operations and maintenance of each capability, Ruffin says.
For agencies running an enterprisewide on-premises network, this standard approach has proved both cost-effective and efficient — though not completely without challenges.
Those challenges included concerns about risk in the supply chain; whether all capabilities could scale to enterprisewide use; and issues with the perception of performance across geographically dispersed networks, Ruffin says. A team approach to the problems was the key to success, he adds.
Energy Manages Cybersecurity in a Federated Environment
The Energy Department, with 35 semi-independent labs spread across the country and at least 70 authorizing officials with the ability to accept risk, opted for staggered implementation.
The open environment essential for research creates a challenge when it comes to security goals, said Greg Sisson, DOE’s director of cybersecurity operations, speaking at FCW’s Big Issues: CDM Conference in November 2018 about securing a federated agency.
“It’s this constant conversation about accepting risk,” Sisson said. “Are the labs just accepting risk on behalf of their controlled systems and their controlled network, or are they accepting risk on behalf of partner labs, or bigger parts of the DOE enterprise?” he said.