Why CDM vendors need more flexibility
Prime contractors on the government's Continuous Diagnostics and Mitigation program need the ability to respond with agility to changing threats.
The first two phases of the Department of Homeland Security's Continuous Diagnostic and Mitigation program have helped government agencies deploy foundational cybersecurity solutions for real-time visibility and continuous network monitoring to identify vulnerabilities, reduce risk, ensure compliance and respond to threats.
DHS and the General Services Administration deserve tremendous credit for implementing a technical program of this size and complexity. However, the first two phases barely bring government to the starting line of the cybersecurity technology race. The private sector and U.S. adversaries are already well past that point.
The most important phase of the CDM program is yet to come, under which government tackles the data security problems of an increasingly mobile workforce and distributed cloud computing environment.
Government employees increasingly operate from remote locations, often connecting directly to cloud-based services, business applications, and even data storage, where traditional network perimeter monitoring is less effective and contributes little to the overall infrastructure visibility of organizations. As our colleagues Michael Chertoff and Jim Pflaging highlighted in a recent article, "identity is a fundamental component of an overall strong federal network security posture."
Agencies must prioritize solutions that monitor and protect users and data on both physical and virtual endpoints, as well as multi-cloud infrastructures where SaaS applications increasingly reside. CDM security solutions must work hand in hand with identity solutions to enforce broad visibility through a zero-trust, identity-aware strategy that protects data and governs its usage to ensure seamless access for a distributed workforce.
The original CDM blanket purchase agreement set up an approved vendor/product guide and called for continuous updates. Though the BPA began with the right intentions, the process has become too cumbersome for government, CDM prime contractors, and the security vendor community to maintain up-to-date technology solutions and be proactive in planning for future threats.
The vendor community needs to rapidly respond to changes in the threat and vulnerability landscape with appropriate security tools, but the acquisition process remains unable to maintain the same kind of pace. While the government has taken a step in the right direction by transitioning the CDM BPA under the Alliant 2 contract vehicle to expedite procurement, we believe it should go further by giving prime contractors the flexibility to architect their own solutions and choose technologies while still maintaining rigorous testing for appropriate security controls.
Today's cybersecurity ecosystem increasingly requires a platform approach. The security vendor community is prepared to respond, provided the disincentives for engaging in the government procurement process are minimized. We don't see vendor variance as an issue, so long as the data collected and reported to DHS is consistent and actionable. Vendor variance in some cases represents an opportunity for competition to determine the most effective technology product vendor.
Agency visibility into product effectiveness will expedite the procurement process between the government and contractors as they engage in the massive data security undertaking with CDM Phase IV.