May 12 2021

Q&A: CDM’s Kevin Cox on Cybersecurity in Federal Networks

The Cybersecurity and Infrastructure Security Agency’s Continuous Diagnostics and Mitigation Program, led by Program Manager Kevin Cox, teaches federal agencies how to get a clearer view of their networks — and to spot intrusions early.

As the federal government moves more processes into the cloud and more workers into remote or home offices, the risk of a cyberattack grows. CISA’s CDM Program, which works to give agencies the capability to monitor their own networks and share the relevant information with CISA, is adapting to the times and encouraging agencies to enhance their CDM visibility. Kevin Cox, the CDM program manager, talked to FedTech about the value of CDM.

FEDTECH: Explain how the CDM process works and how far along agencies are within it.

Cox: We’re delivering a set of cybersecurity capabilities that help agencies develop better awareness of what their networked environments look like and defend against cyber adversaries. We’re helping agencies with asset management (what’s connected to the network) and with identity and access management (understanding who the users are on their network). We also want to help agencies identify those users who should not be on the network, and recognize when there’s anomalous activity occurring.

We’re also working on network security management, helping agencies understand what’s happening on their network and how the network is protected. And we’re also working on a pilot with one large agency and its high-value asset systems from a data protection system, making sure that the appropriate data protections are in place for the most critical data for that agency. We’re looking to expand that to additional pilots over the next year or two. 

The capability that we’re furthest along with is asset management. We’re working with agencies to fill remaining gaps and ensure quality in data reporting. The final piece is to ensure that each agency has a dashboard that can report the details of the object-level information, and then be able to summarize that to the federal dashboard as well.

FEDTECH: Is there a ballpark date for when a dashboard might be in place for each agency?

Cox: By the end of fiscal year 2021, we’re looking to have the dashboard in place at all CFO Act agencies — those are the big Cabinet-level agencies. We’re also building out a Dashboard as a Service as an option for the CFO Act agencies; for interested agencies that may carry us into FY 2022. We’re also working with the deployment of a new shared services platform for the non-CFO Act agencies. That will be delivered by the summer, but some additional agencies will come on in FY 2022 as well.

FEDTECH: How is the platform for the non-CFO Act agencies different from that for the CFO Act agencies?

Cox: Some of the non-CFO Act agencies are smaller agencies that don’t have the broader set of resources that are helpful in terms of managing an overall cyber program. So rather than putting an additional burden on those agencies to manage their own dashboard, we developed a shared services platform. Version 1.0 was our first venture into the cloud. Each of the non-CFO Act agency participants received the asset management and identity and access management capabilities in their environments and had their own dashboard in the multitenant shared service environment. Version 2.0 expands the flexibility that the agencies have in the tools that they use. The environment itself is more robust and is taking full advantage of all of the security capabilities available in the CDM program. It’s a higher performance, more scalable environment.

FEDTECH: CISA is the official shared services office for cybersecurity in the Quality Services Management Office (QSMO) program. Are the CDM shared services part of that? 

Cox: When CDM started in 2012, we were one of the first organizations to offer shared services across the federal government from a cyber perspective, for the non-CFO Act agencies. The cyber QSMO will point to the new CDM shared services platform as one of the offerings within its portfolio. We will align with the QSMO marketplace and offer that shared services platform through that marketplace. 


FEDTECH: How does CDM work with agencies to accommodate their technology needs and budgetary concerns?

Cox: From a technology and a solution standpoint, we want to work with each agency to understand what it already has in place, and work to meet it as much as possible within that space. Likewise, as the threat evolves, we need to be adept and nimble in terms of adjusting to that as well. When CDM started, it was about working with each agency’s CIO and CISO to define a common solution set across that entire agency. 


But as we went into the large federated agencies, many of the organizations within them had their own solutions in place. In some cases, the common solution approach worked well. In other cases, agencies had the perception that CDM meant “rip and replace.” We didn’t want to be that; we wanted to make sure that we were delivering to the needs of each agency. So when we competed our new acquisition approach — the DEFEND task orders — we built in flexibility and we built in much greater scalability to support the federated environments. We also built in the ability for the agencies to use the vehicle themselves.

It’s really helped us build a relationship with each of the agencies because now we’re meeting them where they are. And as long as they have a solution that meets their requirements, we can work with them. It does build in additional work on the integration side, but that’s on us to figure out. 

FEDTECH: Are any agencies to the point where they can actually use a dashboard to get information?

Cox: In the first quarter, we had four agencies with data feeding up to their new agency dashboard, so the agencies were able to see specific assets and specific vulnerabilities. Today, of the CFO Act agencies, 12 have the dashboard deployed; for a few we’re still validating the data feeds. We are finding the dashboards are scaling the way we need them to. 

Especially in the big federated agencies, we are getting much, much better performance in terms of the data reporting. Before, data sometimes took days to process through these federated agencies; now it takes minutes in some cases, hours overall. This really gets us to the promise of CDM, moving ourselves away from having agencies manually report on their environments to having automation in place to support awareness. 


FEDTECH: How does CDM help prevent or mitigate something like the SolarWinds hack? 

Cox: First of all, we need each agency to be able to understand from a continuous monitoring standpoint what its environment looks like. That is so fundamental to everything else that occurs thereafter. For an agency to be successful in thwarting an adversary from getting in — or if an adversary does get in — the agency must have knowledge about what it needs to look for and where it needs to go to get the adversary out. By giving that basic visibility, the CDM tools have been extremely important for the agencies. 

We know the adversaries are trying to get into our networks on a second-by-second basis; millisecond-by-millisecond, really. We want to deliver sensors around privileged access management, so that when a privileged user does take an action on the network, we can understand what’s normal behavior versus anomalous behavior. And when something anomalous happens on the network, data is feeding into the security operation center, telling the security operations analyst to take a look into this particular incident or this particular activity, because there could be an incident there. And that’s one way we help from a response to a SolarWinds–type activity. But more important, it’s also what helps us get in front of those types of activities because it allows faster response and earlier detection. And we can get in front of an adversary much more quickly.


FEDTECH: When it comes to knowing what’s on the network, how did that change when most government workers were sent home?

Cox: From a technical perspective, the agencies had deployed asset management, they had a good handle on everything on-premises, but they had a lot of additional users coming in through VPNs. So very early on, agencies were looking at making sure they had visibility of the users coming in remotely, that they could verify their identity, that they were legitimate users coming in on the network, and making sure that the continuous monitoring tools were picking all of that up. It really was a good use case for ensuring that agencies, when they did go into a remote posture, would be able to have the same visibility of remote users as they would have if those users were in the office. And there were a couple cases where we, both from a CDM perspective and a CISA perspective, worked with agencies to get them additional guidance as to how to get that visibility. 


FEDTECH: How does CDM work in a zero-trust environment?

Cox: A key part of zero trust is knowing who the user is and knowing what that user has access to. What we found in terms of deploying credential management and privileged access management to the agencies was that they needed a broader identity solution set. So we’ve expanded our offerings from an identity and access standpoint to include identity lifecycle management. We’ve worked with a number of agencies already to deliver that more fully. From an identity standpoint, there are areas where CDM can help agencies get the fundamental pieces in place to support zero trust architecture.

Illustration by John Lanuza