Research Report

What’s next for CDM?

If the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program is as broadly implemented across federal agencies as was originally intended, government agencies should have far more sophisticated cybersecurity defenses in place over the next couple of years. That is still not a guaranteed outcome, however.

The tools and services that will form the program's technology bedrock will most likely be in place, or close to it, by the end of 2016. There is still a lot of work to be done after that, though, to integrate those tools with agency networks and systems and to deliver the right kind of data from them.

The $6 billion CDM program was set up to be implemented over a five-year period starting in 2013, in three distinct phases:

  • Endpoint integrity: The scope of this is the local computing environment. It focuses on identifying and managing agency hardware and software assets, listing known vulnerabilities and malware, and managing device configuration.
  • Least privilege and infrastructure integrity: This is focused more on the people involved, managing their account and network privileges, and the configuration of network infrastructure devices and services.
  • Boundary protection and event management: This encompasses such functions as event detection and response, encryption, remote access management and access control. It is aimed at ensuring security is built into networks from the start, instead of being added on later as an afterthought.

The tool delivery aspect of the first phase is more or less complete. Department of Homeland Security (DHS) secretary Jeh Johnson says the sensors needed for that phase had reached nearly all of the civilian agencies that had signed on to the CDM program by the end of 2015.

The second phase, initially expected to be done in 2017, will get tools and services to 100 percent of agencies in 2016, he says, though bids covering the four functional areas of Phase 2 were only just due on March 30. In the meantime, the Defense Department is actually implementing its own CDM program.

Awards for the eleven task areas needed to support agencies in installing, operating and managing the tools, and in getting data from them to the CDM user dashboards, are also in progress; several have already been made. Phase 3 requirements are still being ironed out. That phase covers seven of the program's 15 overall functional capabilities:

  • Plan for Events
  • Respond to Events
  • Generic Audit/Monitoring
  • Document Requirements, Policy, and so on
  • Quality Management
  • Risk Management
  • Boundary Protection (Network, Physical, Virtual)

In March 2016, the DHS issued initial draft requirements for boundary protection, listing Manage Network Filters and Boundary Controls (BOUND-F), Encryption (BOUND-E) and Physical Access Control Systems (BOUND-P) as the three boundary protections functions to be covered.

Under the CDM program goals, all three phases need to be implemented in order to provide the kind of pervasive security envisioned by the Obama Administration and Congress. Not only would each agency be covered, but agencies would be able to share information about incidents, and coordinate with each other over a standardized security infrastructure.

The first two phases aren't really meant to improve agencies' security posture by themselves, says Ken Ammon, a senior advisor with CA Technologies. They're intended to improve agencies' visibility into their networks and systems. That visibility will also help them come up with plans that would improve security.

“However,” he says, “simply by virtue of what phases one and two bring (in terms of discovery of assets and vulnerabilities) that means agencies will have a significantly better security posture just by putting that better reporting in place.”