For all agencies, the destination is the same — strong, improved cybersecurity. But the path to that goal can differ, as many have found during their work to comply with the Department of Homeland Security’s Continuous Diagnostics and Mitigation program.
DHS created CDM in 2012 to enhance cybersecurity in all federal civilian networks and systems. The program is based on a series of cybersecurity goals, but the structure of an individual agency plays a large role in how it deploys CDM tools and resources.
“We grouped agencies together based on some common mission areas and common tool deployments,” says Kevin Cox, the CDM program manager for DHS. “There’s flexibility in the new task orders to allow system integrators to work more specifically with each agency.”
Sometimes agencies follow the standard procedural road, as at the Interior Department, where DHS is covering the cost of licenses. Others make their own, innovative way, as the Small Business Administration has been doing by implementing CDM in the cloud. Still others, such as the Energy Department, use a strategy somewhere in between.
As the program evolves, that flexibility will allow for ever more customized approaches to cybersecurity.
SBA Enhances Cybersecurity in the Cloud
Agencies working to comply with CDM requirements go through four phases (which DHS has begun to call “capabilities”): identifying what is on the network; identifying who is on the network; describing what is happening on the network; and, finally, defining how data is protected.
The CDM program provides agencies with the resources to do this, including commercial hardware, software and services. Once the tools are in place, an agency will be better able to monitor its networks and respond nearly instantly to a vulnerability. DHS also monitors all agency data through a dashboard built with RSA Archer.
Agencies have been enthusiastic about the program. “We absolutely support the goals and the objectives of CDM,” says Guy Cavallo, SBA’s deputy CIO.
SBA, however, was moving away from on-premises to cloud-based resources as a general rule. Purchasing new servers, and the equipment to protect them — as required by CDM’s original implementation rules — felt like a step backward, so the agency suggested a different path.
“The technical specifications to implement CDM on-prem were not useful for us,” says Cavallo. “We were the first ones to implement CDM in the cloud.”
MORE FROM FEDTECH: See how CISA is establishing itself in the federal cybersecurity realm.
SBA, DHS Partner on CDM Pilot Project
SBA worked closely with DHS and kept them informed. The DHS-assigned implementer had to adjust with the agency, which now runs CDM in Microsoft Azure.
“We’re doing Infrastructure as a Service to replace the on-premises physical servers of a traditional CDM deployment,” Cavallo says.
SBA and DHS used the unique configuration of resources at SBA as an opportunity to pilot security tools specific to cloud-based CDM. In 2018, SBA, DHS and the Office of Management and Budget conducted a 90-day experiment leveraging SBA’s implemented cybersecurity cloud tools in order to replicate a Trusted Internet Connection (TIC) access provider. “The results of our pilot were very successful,” Cavallo reports.
A second, broader pilot with DHS is underway to show that the same cloud cybersecurity tools can meet or exceed the goals and objectives of CDM.
MORE FROM FEDTECH: Find out where to turn when the cybersecurity hiring well runs dry.
Interior Takes an On-Premises Approach to CDM
The Interior Department is taking the more standard path laid out by DHS, which includes a two-year period in which DHS covers the cost of licenses for required CDM technologies.
“This enables agencies to work out-year costs into their regular capital planning and investment control cycles,” says Lawrence Ruffin, Interior’s CISO.
CDM requires collaboration, so together, Interior officials and the CDM Program Management Office defined the requirements for the appropriate selection, architecture, design, deployment, and operations and maintenance of each capability, Ruffin says.
For agencies running an enterprisewide on-premises network, this standard approach has proved both cost-effective and efficient — though not completely without challenges.
Those challenges included concerns about risk in the supply chain; whether all capabilities could scale to enterprisewide use; and issues with the perception of performance across geographically dispersed networks, Ruffin says. A team approach to the problems was the key to success, he adds.
MORE FROM FEDTECH: Find out why creative federal cybersecurity workers will have more job security.
Energy Manages Cybersecurity in a Federated Environment
The Energy Department, with 35 semi-independent labs spread across the country and at least 70 authorizing officials with the ability to accept risk, opted for staggered implementation.
The open environment essential for research creates a challenge when it comes to security goals, said Greg Sisson, DOE’s director of cybersecurity operations, speaking at FCW’s Big Issues: CDM Conference in November 2018 about securing a federated agency.
“It’s this constant conversation about accepting risk,” Sisson said. “Are the labs just accepting risk on behalf of their controlled systems and their controlled network, or are they accepting risk on behalf of partner labs, or bigger parts of the DOE enterprise?” he said.
Rather than trying to roll out CDM tools in every lab, tech center or field site under DOE jurisdiction at once, the department started with its Washington, D.C., headquarters, which accounts for 8 percent of DOE endpoints.
With those endpoints approaching Phase 3 compliance, DOE is preparing to roll out to the remaining 92 percent, with the knowledge gained in the first round serving as a guide. For instance, the agency won’t be using one standard set of tools across its enterprise, Sisson said.
“We’re not going to rip and replace,” he said. “If you’ve got something in there right now that will meet the requirement, if you’re able to get the information through Splunk and into the DHS dashboard, good on you.”
MORE FROM FEDTECH: Find out how the government plans to reskill workers for cybersecurity roles.
One Goal, Many Possibilities for Federal Cybersecurity
Although few agencies have reached the final phase of CDM deployment, they’re already seeing the value. “It’s not us executing the CDM program,” Sisson said. “It’s us executing information systems continuous monitoring, and figuring out how we leverage the resources available through the CDM program to execute that within the department.”
SBA’s unique approach has caught the eye of other agencies, and SBA’s demonstrations are in demand.
“Show-and-tell for hundreds of federal employees and agencies has been really well received,” Cavallo says. “It normally takes us three-plus hours. We haven’t had anybody walk out early.”