Federal agencies are taking different routes to implement the Department of Homeland Security’s Continuous Diagnostics and Mitigation program.
NASA is not only meeting cybersecurity requirements under the program, it also is using it to enhance security and address priorities of its mission areas.
Willie Crenshaw, the program executive for the CDM office at NASA, said the “surge teams” created during the first phase of the program in 2016 are now working with the space agency to determine and put in place new cybersecurity capabilities.
“That team worked together with the missions to explain CDM and work with the CDM integrator to explain what is going on within NASA and deal with the culture as we move forward with implementing,” Crenshaw said in an interview with Federal News Network in late July after a speech at the recent CDM conference sponsored by FCW.
NASA, like other agencies, has been making use of a relatively new CDM task order called DEFEND (Dynamic and Evolving Federal Enterprise Network Defense).
“We’ve mirrored a team for the DEFEND task order because it’s a little different than just implementing the tools. It’s more of us also processing the request for services within the agency,” Crenshaw said. “The agency has to talk to DHS about the requirements and we don’t want the integrator doing that. Our own team within NASA will work with our components, missions and programs to get their requirements and create the request for service.”
NASA Gains Greater Flexibility for Cybersecurity
Under CDM, agencies go through four phases, which DHS has started to call “capabilities”: identifying what is on the network, identifying who is on the network, describing what is happening on the network and defining how data is protected. The CDM program gives agencies the resources to achieve these goals, including commercial hardware, software and services. Once the tools are in place, an agency will be better able to monitor its networks and respond nearly instantly to a vulnerability.
Agencies install sensors in their networks and infrastructure that perform an ongoing, automated search for known cybersecurity flaws. Data from the sensors then feeds into an agency dashboard, which then creates customized reports that alert network managers of their most critical cyber risks, according to DHS.
As Federal News Network reports, DHS and the General Services Administration, which helps administer CDM, awarded Booz Allen Hamilton a $1 billion contract in July 2018 to support a group of agencies — Group D, which includes GSA, NASA, the Social Security Administration, the Treasury Department, the Department of Health and Human Services, and the Postal Service — under DEFEND.
“We grouped agencies together based on some common mission areas and common tool deployments,” Kevin Cox, the CDM program manager for DHS, recently told FedTech. “There’s flexibility in the new task orders to allow system integrators to work more specifically with each agency.”
That flexibility has allowed NASA to work with its mission components and address some legacy cybersecurity issues. “You have your set of requests for services coming from DHS for all the agencies in Group D and we want to make sure that priority gets met,” Crenshaw told Federal News Network. “But we have our own. What we will do is get DHS’ requirements and our own requirements and generate an RFS. The program is flexible like that and helps us do that. We like that model.”
NASA benefits from the visibility CDM provides of hardware and applications across its network, according to Crenshaw. That helps the agency determine its next set of cybersecurity priorities.
“We have standardized on patching. We are able to see more assets and then we can patch. We have seen an increase in the number of systems patched. We’ve also seen the time decreased to get those systems patched,” he told Federal News Network. “With some things at NASA, you can’t just throw the patch on it. You need to test it out. We have the data and are able to build those metrics. So being able to see more assets, of course our patching levels have gone down and we’ve improved our scorecard.”
CDM also has enabled NASA to implement tools to beef up cybersecurity, including vulnerability management and scanning.
“By us going to an enterprise level, we now have the standards set and everyone can come to that to get their reports to see what is going on instead of having a tool here and a tool there,” he told Federal News Network. “Now everyone has one central point and dashboard where they can see things and act on it quicker. The visibility tells the story. It’s easy to say something isn’t patched, but it’s also why is it not patched? We are able to tell the story better to the leadership as well.”