In search of buy-in for continuous monitoring


Persuading federal IT managers that continuous diagnostics and monitoring is a boon for their agencies is one of the most challenging elements of implementing the cybersecurity technology, according to IT chiefs at the forefront of spreading the CDM message across government.

While federal agencies are beginning to grasp what CDM can do for their organizations, risk-averse IT managers who treasure the status quo and are reluctant to shift from old practices still have to be won over, say IT leaders at GSA and the departments of Homeland Security and Energy.

In a discussion during a March 19 forum on managing information security risks with CDM, Robert Brese, chief information officer at DOE, said his department, which includes Los Alamos and Sandia national laboratories, presents a complex test for spreading the CDM gospel.

The national labs, with their complement of world-class technology researchers, can operate "like independent city-states" that require more than a standardized solution. CDM, set up through DHS and supported through blanket purchasing agreements offered through GSA, offers uniformity, but also flexibility, he said. "It's a huge challenge to change the culture. I'm frustrated at the support of the status quo."

Despite the reluctance, "CDM is making good progress. It's been accepted at the labs," said Brese. DOE, he said, has moved from the initial compliance mode to "press the 'I believe' button."

"We're not in the evangelist stage yet," he said. "We're still trying to figure out how to best put this to use and how to handle the data."

It is still early in the adoption cycle for the technology, which provides a steady flow of security data that enables agencies to identify and mitigate cyber threats quickly and efficiently.

In January, the GSA rolled out the first $60 million in task orders under the agency's $6 billion CDM contract. Under the program, which DHS and GSA jointly administer for other federal agencies, data will be fed into an agency-level dashboard that will alert cybersecurity managers to potential risks.

DHS has become an "evangelist" for CDM, according to Jeff Eisensmith, chief information security officer at the department, which is charged with facilitating other agencies' installation and implementation of CDM technology. Before CDM, agencies were "getting picked off like zebras on the Serengeti" by cyber attackers, he said.

The standardized set of hardware, software and capabilities that GSA is rolling out allows a more efficient, team-oriented approach to attacking problems, Eisensmith said.

Brese said the technology can free agencies from hidebound, rote security practices to take a longer, enterprise-wide view of their cybersecurity needs. Threats, he said, are not all the same, and counting them isn't enough. IT managers must be able to weigh them against the agency's mission, an ability that CDM provides.

"Not all vulnerabilities are equal. Say you have three bald tires. One is on your car, the other is tied onto a frayed rope on a tree-swing in your front yard your three-year-old child is using and the last is stored in the garage. The threats are there, but they aren't the same," Brese said.

CDM, said Eisensmith, will enable managers to differentiate among threats and prioritize them. That prioritization can be hammered into more business-oriented decisions aimed more accurately at the agency's mission. "Nine-tenths of my job is explaining the business side of security ... building business cases for the C-suite. It's a cost-avoidance discussion."

The dashboard GSA is in the process of developing will go a long way in helping agencies quantify CDM's impact more accurately, Eisensmith said.

Jim Piche, civilian group manager at GSA's Federal Systems Integration and Management Center, said his agency will get the most specific look at what kinds of information the dashboard will entail before the end of the year.

GSA issued a task order March 3 to Metrica Team Venture for the agency- and federal-level CDM dashboards. Piche said the vendor has to report back to GSA by Thanksgiving with initial operational capabilities, which include details on what the dashboard will show.

About the Author

Mark Rockwell is a staff writer at FCW.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Follow him on Twitter at @MRockwell4.
