Lawmakers eye CDM legislation

Legislation may be coming with the aim of putting the Continuous Diagnostics and Mitigation program back on track.

Following a joint hearing of the House Homeland Security and Government Oversight committees on implementation of the Continuous Diagnostics and Mitigation program, Cybersecurity and Infrastructure Protection Subcommittee Chairman Rep. John Ratcliffe (R-Texas) expressed optimism that federal agencies could move past a series of implementation stumbles and indicated to reporters that a legislative solution might be in the offing.

Ratcliffe, along with Reps. Will Hurd (R-Texas) and Jim Langevin (D-R.I.), sent a letter to the House Appropriations Committee on March 15 requesting $237 million in funding to agencies and the Department of Homeland Security for implementation of CDM in fiscal year 2019. After the hearing concluded, Ratcliffe told reporters that despite numerous implementation delays within agencies, he still believes the program can be effective.

DHS is set to receive $102 million for the program under the 2018 omnibus spending bill -- $8.9 million more than the administration requested. The report language also calls for DHS officials to brief lawmakers on the program's acquisition strategy within 30 days of the bill's passage.

"The basic elements of what CDM is capable of doing protecting federal networks, I heard nothing but uniform optimism that this is the appropriate solution to the problem that we’re facing now," Ratcliffe said.

However, when asked by FCW if the committee was looking to take further action, Ratcliffe responded that while Congress is using hearings for now to hold agencies' feet to the fire, "the next major step is legislation."

When pressed for further details, Ratcliffe would only say, "Stay tuned." The committee would be looking at "legislation that will help with some of the issues that you heard talked about today" later in the year, he added.

Those issues include a lack of visibility among agency CIOs into the full scope of IT programs, systems and users on their networks -- the key goals of Phases 1 and 2 -- as well as a lack of qualified personnel within agencies to handle CDM implementation.

During the hearing, Max Everett, CIO for the Department of Energy, echoed concerns aired by the private sector in a Jan. 18 hearing with industry, saying he still cannot account for everything on DOE networks and that he lacks critical IT and non-IT staff to do so.

"I need people not only with the technical skills to use all these new tools, but I also need people who have customer service ability, I need people who can understand organizational management, people who understand business process," Everett said.

Kevin Cox, program manager for the CDM program at DHS, said shorter task order timelines and “other priorities” by agencies created a resource crunch that contributed to delays during Phases 1 and 2. He said the department has since adapted its approach, building in more flexibility and longer timelines in its task order language.

"We’ve worked to build in longer runways, we’ve worked to build in more flexibility, keeping things focused on a requirements basis and then working with agencies to look at different ways to meet those requirements," said Cox.

Other agencies reported more positive results. Office of Personnel Management CIO David Garcia said his agency was on track to complete Phase 2 of CDM implementation by summer 2018, that the out-of-pocket costs were minimal and that OPM is well positioned to fend off cyberattacks like the one that resulted in the personnel data breaches.

"I’m very confident we know who and what is on our networks," said Garcia. "I don’t think you can ever get to 100 percent.”

Some in industry and government have criticized the confusing budget and appropriations process surrounding the CDM program. Agencies receive funding for implementation through DHS, where the program is housed, for the first two years, but that money does not cover the full costs.

Lawmakers are looking for ways to tweak the process to get better results but are concerned about "throwing good money after bad," as Ratcliffe put it. Langevin floated the possibility of implementing Phase 4, covering data protection, in parallel with Phase 3. Cox indicated the department would not be logistically prepared for that until after a review scheduled for this summer.

“We have certain programmatic actions we need to take within our department to present the lifecycle cost estimates for the program, other important programmatic capabilities around showing that we’re ready and able to fund and execute Phase 4 work,” said Cox.

In an interview with reporters during a break, Hurd said there are eight agencies covered by the Chief Financial Officers Act that have still not implemented CDM, and a committee staffer added there are 44 non-CFO Act agencies experiencing delayed implementation. He put the onus on agencies for the delays, defending the role DHS has played. The budget process is "not perfect" but far from the main problem, Hurd said.

“Yes, if there’s some budget process problems, we’re trying to fix that, but ultimately the buck stops with the individuals responsible for this, and at the end of the day, it’s a software implementation issue,” said Hurd. “If we can’t do that, then we have much bigger problems on our hand.”