CDM-as-a-service great, but what next?
Small agencies feel the cyber talent squeeze more than big agencies, but they’re looking eagerly to CDM-as-a-service to help secure their networks.
Small federal agencies like the option of obtaining the Continuous Diagnostics and Mitigation cybersecurity program from the Department of Homeland Security as a shared service. But some are also wondering how they can sustain their cybersecurity work into the future.
In late 2015, DHS and the General Services Administration began the process of offering CDM tools for 40 of the federal government's smallest agencies via cloud shared services to cut down on or eliminate the on-premises duplication across those smaller entities.
The GSA acts as the procurement arm for CDM services, issuing an RFP to cover the smaller agencies in December.
CDM-as-a-service for small agencies, said Kirit Amin, CIO at the International Trade Commission, is a big help with a complex, yet critical area and is greatly preferable to being stuck with a cybersecurity mandate, a small budget and staff, and CDM contracts that would have to be renewed.
"If DHS told small agencies 'you will implement CDM,' it wouldn't happen," said Amin at an ITPA cybersecurity lunch panel in Arlington on March 3. "You can't just throw tech at an issue" and expect it to happen, said the IT chief. CDM-as-a-service would go a long way in fulfilling the job of protecting electronic assets, especially for agencies with budgets as small as their single data center.
"GSA and DHS shared services are a good thing," said Esteve Mede, chief information security officer at the Federal Election Commission. The effectiveness of the program, he said, should be measured by how closely GSA and DHS will work with small agencies to help fit them into the larger federal cybersecurity strategy.
The move to provide CDM as a service, Amin told FCW after the panel, could only be a way station on a longer, possibly treacherous road for small agencies and cybersecurity.
While the CDM services can help cover cybersecurity needs, smaller agencies are feeling the technical personnel squeeze more acutely than larger agencies.
"It comes down to people" to watch and protect cyber systems in the federal government. The entire tech industry, Amin said, fights over qualified IT people and especially over excellent cybersecurity people. "How many cybersecurity experts are out there? It's a major challenge for small agencies," he said.