In search of buy-in for continuous monitoring

Persuading federal IT managers that continuous diagnostics and monitoring is a boon for their agencies is one of the most challenging elements of implementing the cybersecurity technology, according to IT chiefs at the forefront of spreading the CDM message across government.

While federal agencies are beginning to grasp what CDM can do for their organizations, risk-averse IT managers who treasure the status quo and are reluctant to shift from old practices still have to be won over, say IT leaders at GSA and the departments of Homeland Security and Energy.

In a discussion during a March 19 forum on managing information security risks with CDM, Robert Brese, chief information officer at DOE, said his department, which includes Los Alamos and Sandia national laboratories, presents a complex test for spreading the CDM gospel.

The national labs, with their complement of world-class technology researchers, can operate "like independent city-states" that require more than a standardized solution. CDM, set up through DHS and supported through blanket purchasing agreements offered through GSA, offers uniformity, but also flexibility, he said. "It's a huge challenge to change the culture. I'm frustrated at the support of the status quo."

Despite the reluctance, "CDM is making good progress. It's been accepted at the labs," said Brese. DOE, he said, has moved from the initial compliance mode to "press the 'I believe' button."

"We're not in the evangelist stage yet," he said. "We're still trying to figure out how to best put this to use and how to handle the data."

It is still early in the adoption cycle for the technology, which provides a steady flow of security data that enables agencies to identify and mitigate cyber threats quickly and efficiently.

In January, the GSA rolled out the first $60 million in task orders under the agency's $6 billion CDM contract. Under the program, which DHS and GSA jointly administer for other federal agencies, data will be fed into an agency-level dashboard that will alert cybersecurity managers to potential risks.

DHS has become an "evangelist" for CDM, according to Jeff Eisensmith, chief information security officer at the department, which is  charged with facilitating other agencies' installation and implementation of CDM technology. Before CDM, agencies were "getting picked off like zebras on the Serengeti" by cyber attackers, he said.

The standardized set of hardware, software and capabilities that GSA is rolling out, allows a more efficient, team-oriented approach to attacking problems, Eisensmith said.

Brese said the technology can free agencies from hide-bound, rote security practices to take a longer, enterprise-wide  view of their cybersecurity needs. Threats, he said, are not all the same, and counting them isn't enough. IT managers must be able to weigh them against the agency's mission, an ability that CDM provides.

"Not all vulnerabilities are equal. Say you have three bald tires. One is on your car, the other is tied onto a frayed rope on a tree-swing in your front yard your three-year-old child is using and the last is stored in the garage. The threats are there, but they aren't the same," Brese said.

CDM, said Eisensmith, will enable managers to differentiate among threats and prioritize them. That prioritization can be hammered into more business-oriented decisions aimed more accurately at the agency's mission. "Nine-tenths of my job is explaining the business side of security ... building business cases for the C-suite. It's a cost-avoidance discussion."

The dashboard GSA is in the process of developing will go a long way in helping agencies quantify CDM's impact more accurately,  Eisensmith said.

Jim Piche, civilian group manager at GSA's Federal Systems Integration and Management Center said his agency will get the most specific look at what kinds of information the dashboard will entail before the end of the year.

GSA issued a task order March 3 to Metrica Team Venture, for the agency- and federal-level CDM dashboards. Piche said the vendor has to report back to GSA by Thanksgiving with initial operational capabilities, which includes details on what the dashboard will show.