Comment

Why CDM vendors need more flexibility


The first two phases of the Department of Homeland Security's Continuous Diagnostics and Mitigation program have helped government agencies deploy foundational cybersecurity solutions for real-time visibility and continuous network monitoring to identify vulnerabilities, reduce risk, ensure compliance and respond to threats.

DHS and the General Services Administration deserve tremendous credit for implementing a technical program of this size and complexity. However, the first two phases barely bring government to the starting line of the cybersecurity technology race. The private sector and U.S. adversaries are already well past that point.

The most important phase of the CDM program is yet to come, under which government tackles the data security problems of an increasingly mobile workforce and distributed cloud computing environment.

Government employees increasingly operate from remote locations, often connecting directly to cloud-based services, business applications, and even data storage, where traditional network perimeter monitoring is less effective and contributes little to the overall infrastructure visibility of organizations. As our colleagues Michael Chertoff and Jim Pflaging highlighted in a recent article, "identity is a fundamental component of an overall strong federal network security posture."

Agencies must prioritize solutions that monitor and protect users and data on both physical and virtual endpoints, as well as multi-cloud infrastructures where SaaS applications increasingly reside. CDM security solutions must work hand in hand with identity solutions to enforce broad visibility through a zero-trust, identity-aware strategy that protects data and governs its usage to ensure seamless access for a distributed workforce.

The original CDM blanket purchase agreement set up an approved vendor/product guide and called for continuous updates. Though the BPA began with the right intentions, the process has become too cumbersome for government, CDM prime contractors, and the security vendor community to maintain up-to-date technology solutions and be proactive in planning for future threats.

The vendor community needs to rapidly respond to changes in the threat and vulnerability landscape with appropriate security tools, but the acquisition process remains unable to maintain the same kind of pace. While the government has taken a step in the right direction by transitioning the CDM BPA under the Alliant 2 contract vehicle to expedite procurement, we believe it should go further by giving prime contractors the flexibility to architect their own solutions and choose technologies while still maintaining rigorous testing for appropriate security controls.

Today's cybersecurity ecosystem increasingly requires a platform approach. The security vendor community is prepared to respond, provided the disincentives for engaging in the government procurement process are minimized. We don't see vendor variance as an issue, so long as the data collected and reported to DHS is consistent and actionable. Vendor variance in some cases represents an opportunity for competition to determine the most effective technology product vendor.

Agency visibility into product effectiveness will expedite the procurement process between the government and contractors as they engage in the massive data security undertaking with CDM Phase IV.

About the Authors

Mark Weatherford, formerly deputy undersecretary for cybersecurity at DHS, is SVP & chief cybersecurity strategist at vArmour and a senior adviser to the Chertoff Group.

Paul Doherty is an Associate at The Chertoff Group where he advises venture-backed cybersecurity startups and global, public technology companies on market trends, policy, and growth strategies.
