
Enhancing the Resilience of Federal Cybersecurity: The Continuous Diagnostics and Mitigation (CDM) program at-a-glance

Recent reports on the current state of federal cybersecurity have been nothing short of grim. Cyberattacks and security lapses in federal computer systems rose 5% in 2017 as a third of 3,000 cybersecurity recommendations made by the U.S. Government Accountability Office remain unheeded, the watchdog agency reported earlier this month. In addition, earlier this year, OMB and DHS conducted the most thorough review of Federal cybersecurity to date by examining the capabilities of 96 civilian agencies across 76 metrics to determine agencies’ ability to identify, detect, respond to, and, if necessary, recover from cyber incidents. Unfortunately, OMB found that 71 of 96 agencies (74%) participating in the process had cybersecurity programs that were either At Risk or High Risk.

In an effort to strengthen and standardize cybersecurity resilience across the federal government, Congress established the CDM program 6 years ago to provide adequate, risk-based, and cost-effective cybersecurity and to allocate cybersecurity resources more efficiently. This article takes a look at where CDM stands 6 years later.

What is the CDM program?


The Continuous Diagnostics and Mitigation (CDM) program is a government-wide program designed to protect federal data from criminal activity. As defined by the Department of Homeland Security, “the CDM Program is a dynamic approach to fortify the cybersecurity of government networks and systems. It provides federal D/As with the capabilities and tools to conduct automated, ongoing assessments. The CDM Program is coordinated by the Department of Homeland Security (DHS) to support all civilian sector federal departments and agencies (.gov). Congress established it to provide adequate, risk-based, and cost-effective cybersecurity assessments and more efficiently allocate cybersecurity resources.

The CDM Program enables Federal D/As to expand their continuous diagnostic capabilities by increasing the capacity of their network sensors, automating the collection of data from sensors, and prioritizing risk alerts. CDM offers a catalog of commercial off-the-shelf (COTS) tools, with the ability to update the catalog for technical modernization as threats change.”

The program consists of four phases of activity designed to provide network administrators with real-time information about the state of their networks, to describe the relative risk of specific cybersecurity threats, and to make it possible for agencies to rapidly identify and mitigate vulnerabilities.


Where are we now?


As Phases 1 and 2 are expected to wrap up by autumn 2018, agencies are going full steam ahead into Phase 3. The goal of Phase 3 is to create a master system record that will allow agencies to see what devices are connected to which systems and what incidents are associated with which devices and systems. Through this effort, Phase 3 will standardize incident reporting, thereby enabling consistent incident reporting across the Federal enterprise.

In June 2018, Kevin Cox, CDM program manager at the Department of Homeland Security, outlined the four main areas of focus for phase 3 to Federal News Radio:

  • Ongoing assessments, in which agencies can use automated tools deployed under Phase 1 of CDM to consistently review the cybersecurity posture of systems
  • Mobile security, to give agencies greater visibility into their mobility device management systems by sending data to their agencywide dashboard
  • Network access control, to automatically determine if devices trying to connect to agency networks are properly configured (and quarantine them if they are not)
  • Certificate management, to give agencies a singular view of their website certificates

As for next steps, Phase 4, which will likely start rolling out in FY2019, will focus on data protection, encryption, and, as needed, architectural system improvements.

Highlights from the CDM Tools Industry Day

On May 15, 2017, GSA and the Department of Homeland Security (DHS) held an industry day to discuss the new CDM SIN. Highlights from that day include:

  • 72% of RFI Respondents Agreed on Need for CDM Tools SIN
  • There Will Be a Streamlined Process for Vendors/Products on the Current CDM/CMaaS BPA
  • Originally 17 CDM/CMaaS BPA Holders | Approximately 170k Products, $650M in Sales
  • There Will Be a Separate APL Website, But it is Not Yet Finalized
  • GSA Clarified the Same Product Can be Included on Multiple SINs
  • Emerging Tools & Technology Subcategory Allows for the Addition of Products that Agencies Weren’t Necessarily Aware They Needed
  • Stressed Innovation is Not an Excuse for Bypassing Common Requirements (i.e. Scalability, Security, Response Time etc.)
  • The expected release date for CDM SIN 132-44

The full slide presentations from the CDM Tools SIN Industry Day are available to download from GSA’s Interact website here.

Recent Developments

CDM DEFEND

Earlier this year, DHS and GSA restructured their acquisition strategy to accelerate and enhance the procurement of CDM tools by:

  • Allowing for flexibility that can account for a dynamic cyber environment, varying implementation timelines, and agency-specific needs by utilizing flexible contract types like cost plus award fee
  • Ensuring delivered CDM capabilities are fully implemented at receiving agencies by implementing a longer period of performance
  • Ensuring clear and effective communications that accurately depict status to CDM stakeholders early and often
  • Achieving the most advantageous cost and price discounts
  • Providing access to qualified vendors that understand CDM

Under the new strategy, dubbed the Dynamic and Evolving Federal Enterprise Network Defense (DEFEND), 2 major contracts have been awarded so far: a $621 million deal to Booz Allen Hamilton in February 2018 and a $407 million deal to CACI in May 2018.

The Advancing Cybersecurity Diagnostics and Mitigation Act

In July 2018, Rep. John Ratcliffe, R-Texas, introduced the Advancing Cybersecurity Diagnostics and Mitigation Act, which aims to codify the CDM program and make it a systemic requirement for DHS. According to Ratcliffe, “our goal with this new legislation is to help boost the long-term success of the CDM program by ensuring it keeps pace with the cutting-edge capabilities in the private sector. We’re also safeguarding agencies from getting stuck with technologies that will soon become outdated or unsupported by their vendors.”

The new legislation calls on the DHS secretary to regularly deploy new technologies and modify existing technologies to ensure the program stays up-to-date, to provide its cybersecurity resources to all federal agencies, and to report systemic cyber risks based on data collected by the program. The bill also requires the DHS secretary to develop a comprehensive CDM strategy within 180 days of enactment and deliver a report to the Senate Committee on Homeland Security and Governmental Affairs and the House Committee on Homeland Security within 90 days outlining the federal government’s cyber risk posture based on data collected by CDM.

Interested in learning more?

Then join us at the 13th Homeland Security Week taking place on October 22-24, 2018 at the College Park Marriott, Hyattsville, MD.

www.homelandsecurityweek.com
