In search of buy-in for continuous monitoring

keyhole digital

Persuading federal IT managers that continuous diagnostics and monitoring is a boon for their agencies is one of the most challenging elements of implementing the cybersecurity technology, according to IT chiefs at the forefront of spreading the CDM message across government.

While federal agencies are beginning to grasp what CDM can do for their organizations, risk-averse IT managers who treasure the status quo and are reluctant to shift from old practices still have to be won over, say IT leaders at GSA and the departments of Homeland Security and Energy.

In a discussion during a March 19 forum on managing information security risks with CDM, Robert Brese, chief information officer at DOE, said his department, which includes Los Alamos and Sandia national laboratories, presents a complex test for spreading the CDM gospel.

The national labs, with their complement of world-class technology researchers, can operate "like independent city-states" that require more than a standardized solution. CDM, set up through DHS and supported through blanket purchasing agreements offered through GSA, offers uniformity, but also flexibility, he said. "It's a huge challenge to change the culture. I'm frustrated at the support of the status quo."

Despite the reluctance, "CDM is making good progress. It's been accepted at the labs," said Brese. DOE, he said, has moved from the initial compliance mode to "press the 'I believe' button."

"We're not in the evangelist stage yet," he said. "We're still trying to figure out how to best put this to use and how to handle the data."

It is still early in the adoption cycle for the technology, which provides a steady flow of security data that enables agencies to identify and mitigate cyber threats quickly and efficiently.

In January, the GSA rolled out the first $60 million in task orders under the agency's $6 billion CDM contract. Under the program, which DHS and GSA jointly administer for other federal agencies, data will be fed into an agency-level dashboard that will alert cybersecurity managers to potential risks.

DHS has become an "evangelist" for CDM, according to Jeff Eisensmith, chief information security officer at the department, which is  charged with facilitating other agencies' installation and implementation of CDM technology. Before CDM, agencies were "getting picked off like zebras on the Serengeti" by cyber attackers, he said.

The standardized set of hardware, software and capabilities that GSA is rolling out, allows a more efficient, team-oriented approach to attacking problems, Eisensmith said.

Brese said the technology can free agencies from hide-bound, rote security practices to take a longer, enterprise-wide  view of their cybersecurity needs. Threats, he said, are not all the same, and counting them isn't enough. IT managers must be able to weigh them against the agency's mission, an ability that CDM provides.

"Not all vulnerabilities are equal. Say you have three bald tires. One is on your car, the other is tied onto a frayed rope on a tree-swing in your front yard your three-year-old child is using and the last is stored in the garage. The threats are there, but they aren't the same," Brese said.

CDM, said Eisensmith, will enable managers to differentiate among threats and prioritize them. That prioritization can be hammered into more business-oriented decisions aimed more accurately at the agency's mission. "Nine-tenths of my job is explaining the business side of security ... building business cases for the C-suite. It's a cost-avoidance discussion."

The dashboard GSA is in the process of developing will go a long way in helping agencies quantify CDM's impact more accurately,  Eisensmith said.

Jim Piche, civilian group manager at GSA's Federal Systems Integration and Management Center said his agency will get the most specific look at what kinds of information the dashboard will entail before the end of the year.

GSA issued a task order March 3 to Metrica Team Venture, for the agency- and federal-level CDM dashboards. Piche said the vendor has to report back to GSA by Thanksgiving with initial operational capabilities, which includes details on what the dashboard will show.

About the Author

Mark Rockwell is a staff writer covering acquisition, procurement and homeland security. Contact him at or follow him on Twitter at @MRockwell4.

The 2015 Federal 100

Meet 100 women and men who are doing great things in federal IT.


  • Shutterstock image (by venimo): e-learning concept image, digital content and online webinar icons.

    Can MOOCs make the grade for federal training?

    Massive open online courses can offer specialized IT instruction on a flexible schedule and on the cheap. That may not always mesh with government's preference for structure and certification, however.

  • Shutterstock image (by edel): graduation cap and diploma.

    Cybersecurity: 6 schools with the right stuff

    The federal government craves more cybersecurity professionals. These six schools are helping meet that demand.

  • Rick Holgate

    Holgate to depart ATF

    Former ACT president will take a job with Gartner, follow his spouse to Vienna, Austria.

  • Are VA techies slacking off on Yammer?

    A new IG report cites security and productivity concerns associated with employees' use of the popular online collaboration tool.

  • Shutterstock image: digital fingerprint, cyber crime.

    Exclusive: The OPM breach details you haven't seen

    An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers’ calibrated extraction of data, and the government's step-by-step response.

  • Stephen Warren

    Deputy CIO Warren exits VA

    The onetime acting CIO at Veterans Affairs will be taking over CIO duties at the Office of the Comptroller of the Currency.

  • Shutterstock image: monitoring factors of healthcare.

    DOD awards massive health records contract

    Leidos, Accenture and Cerner pull off an unexpected win of the multi-billion-dollar Defense Healthcare Management System Modernization contract, beating out the presumptive health-records leader.

  • Sweating the OPM data breach -- Illustration by Dragutin Cvijanovic

    Sweating the stolen data

    Millions of background-check records were compromised, OPM now says. Here's the jaw-dropping range of personal data that was exposed.

  • FCW magazine

    Let's talk about Alliant 2

    The General Services Administration is going to great lengths to gather feedback on its IT services GWAC. Will it make for a better acquisition vehicle?

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above