Q&A: CDM’s Kevin Cox on Cybersecurity in Federal Networks

FEDTECH: How is the platform for the non-CFO Act agencies different from that for the CFO Act agencies?

Cox: Some of the non-CFO Act agencies are smaller agencies don’t have the broader set of resources that are helpful in terms of managing an overall cyber program. So rather than putting an additional burden on those agencies to manage their own dashboard, we developed a shared services platform. Version 1.0 was our first venture into the cloud. Each of the non-CFO Act agencies participants received the asset management and identity and access management capabilities in their environments and had their own dashboard in the multitenant shared service environment. Version 2.0 expands the flexibility that the agencies have in the tools that they use. The environment itself is more robust and is taking full advantage of all of the security capabilities available in the CDM program. It’s a higher performance, more scalable environment.

FEDTECH: CISA is the official shared services office for cybersecurity in the Quality Services Management Office (QSMO) program. Are the CDM shared services part of that? 

Cox: When CDM started in 2012, we were one of the first organizations to offer shared services across the federal government from a cyber perspective, for the non-CFO Act agencies. The cyber QSMO will point to the new CDM shared services platform as one of the offerings within its portfolio. We will align with the QSMO marketplace and offer that shared services platform through that marketplace. 

MORE FROM FEDTECH: How can agencies defend against insider threats? 

FEDTECH: How does CDM work with agencies to accommodate their technology needs and budgetary concerns?

Cox: From a technology and a solution standpoint, we want to work with each agency to understand what it already has in place, and work to meet it as much as possible within that space. Likewise, as the threat evolves, we need to be adept and nimble in terms of adjusting to that as well. When CDM started, it was about working with each agency’s CIO and CISO to define a common solution set across that entire agency. 

But as we went into the large federated agencies, many of the organizations within them had their own solutions in place. In some cases, the common solution approach worked well. In other cases, agencies had the perception that CDM meant “rip and replace.” We didn’t want to be that; we wanted to make sure that we were delivering to the needs of each agency. So when we competed our new acquisition approach — the DEFEND task orders — we built in flexibility and we built in much greater scalability to support the federated environments. We also built in the ability for the agencies to use the vehicle themselves.

It’s really helped us build a relationship with each of the agencies because now we’re meeting them where they are. And as long as they have a solution that meets their requirements, we can work with them. It does build in additional work on the integration side, but that’s on us to figure out. 

FEDTECH: Are any agencies to the point where they can actually use a dashboard to get information?

Cox: In the first quarter, we had four agencies with data feeding up to their new agency dashboard, so the agencies were able to see specific assets and specific vulnerabilities. Today, of the CFO Act agencies, 12 have the dashboard deployed; for a few we’re still validating the data feeds. We are finding the dashboards are scaling the way we need them to. 

Especially in the big federated agencies, we are getting much, much better performance in terms of the data reporting. Before, data sometimes took days to process through these federated agencies; now it takes minutes in some cases, hours overall. This really gets us to the promise of CDM, moving ourselves away from having agencies manually report on their environments to having automation in place to support awareness. 

DIVE DEEPER: Why federal officials are calling for greater network visibility following recent hacks. 

FEDTECH: How does CDM help prevent or mitigate something like the SolarWinds hack? 

Cox: First of all, we need each agency to be able to understand from a continuous monitoring standpoint what its environment looks like. That is so fundamental to everything else that occurs thereafter. For an agency to be successful in thwarting an adversary from getting in — or if an adversary does get in — the agency must have knowledge about what it needs to look for and where it needs to go to get the adversary out. By giving that basic visibility, the CDM tools have been extremely important for the agencies. 

We know the adversaries are trying to get into our networks on a second-by-second basis; millisecond-by-millisecond, really. We want to deliver sensors around privileged access management, so that when a privileged user does take an action on the network, we can understand what’s normal behavior versus anomalous behavior. And when something anomalous happens on the network, data is feeding into the security operation center, telling the security operations analyst to take a look into this particular incident or this particular activity, because there could be an incident there. And that’s one way we help from a response to a SolarWinds–type activity. But more important, it’s also what helps us get in front of those types of activities because it allows faster response and earlier detection. And we can get in front of an adversary much more quickly.

FEDTECH: When it comes to knowing what’s on the network, how did that change when most government workers were sent home?

Cox: From a technical perspective, the agencies had deployed asset management, they had a good handle on everything on-premises, but they had a lot of additional users coming in through VPNs. So very early on, agencies were looking at making sure they had visibility of the users coming in remotely, that they could verify their identity, that they were legitimate users coming in on the network, and making sure that the continuous monitoring tools were picking all of that up. It really was a good use case for ensuring that agencies, when they did go into a remote posture, would be able to have the same visibility of remote users as they would have if those users were in the office. And there were a couple cases where we, both from a CDM perspective and a CISA perspective, worked with agencies to get them additional guidance as to how to get that visibility. 

RELATED: How your agency can protect data as users continue to telework.

FEDTECH: How does CDM work in a zero-trust environment?

Cox: A key part of zero trust is knowing who the user is and knowing what that user has access to. What we found in terms of deploying credential management and privileged access management to the agencies was that they needed a broader identity solution set. So we’ve expanded our offerings from an identity and access standpoint to include identity lifecycle management. We’ve worked with a number of agencies already to deliver that more fully. From an identity standpoint, there are areas where CDM can help agencies get the fundamental pieces in place to support zero trust architecture.