How Does CDM Work?

The CDM program is intended to be a comprehensive push to move all of the federal government to continuous monitoring as the basis for agencies’ cybersecurity strategies, and through that to adopt risk-based mitigation practices. Implemented the right way, it will provide critical insight into how agency security systems and processes are working.

Knowing when an agency CDM program is completed is relatively straightforward, according to the US Computer Emergency Readiness Team. A full implementation will be when an agency can use the CDM infrastructure to “automatically test as much of the NIST SP 800-53 control set as possible and efficiently.”

The DHS reduced this to a set of 15 capabilities for CDM that are consistent with the NIST controls but carry additional requirements, such as being able to resist specific attack scenarios, identify the targets that are under attack, and apply a defined Concept of Operations for how continuous monitoring will be used to detect the weaknesses of those targets and prioritize their mitigation.

Together with the agency-level dashboards that the CDM program also requires, a full CDM implementation will provide agencies with a suite of capabilities and tools that, the DHS says:

  • Enables network administrators to know the state of their respective networks at any given time.
  • Informs on the relative risks of threats.
  • Makes it possible for system personnel to identify and mitigate flaws at near-network speeds.

How well agencies can move forward with this is still a question, however. DHS is planning for a fairly smooth rollout, with Phase 1 of the program focusing on endpoint security and vulnerability scanning, starting in late 2013. Several task orders for that have already been issued.

However, the tools needed for that mostly use known technology. Phase 2 of the program, which will focus on access and identity management, is likely to need some new technology, and the requirements for that are still under review. The necessary modifications to the GSA’s CMaaS BPAs to accommodate them are expected by the end of FY 2015.

But some agencies already have a good baseline understanding of their needs for Phase 1 and could probably move to Phase 2 already. DHS, however, though it has defined the CDM capabilities, hasn’t given any prioritization schedule for how those capabilities should be implemented, leaving it to the agencies themselves to decide how and when to do that. They can either use their own funding to buy from the BPA according to their own specific needs, or use DHS funds by signing a Memorandum of Agreement.

In fact, according to Pescatore, things may have slowed even more from the deliberate pace DHS has taken with the CDM program. That could be due to a number of things, such as the budget sequestration limits and change within DHS itself. The DHS also seems to be focusing more on new information intelligence sharing initiatives than it is on CDM, he said.

That shouldn’t be the case, he said. The first phase of the program “is pretty basic and not that complicated,” he said. Also, there are continuing reports from agency acquisition people that the GSA contract is harder to use than it should be. Meanwhile, the security threats continue to get worse and more frequent.

“The bottom line is that the CDM capabilities are badly needed by government agencies, but (the program) is not moving quickly enough,” he said.