Beyond 'new shiny toys': CDM grows up

The Continuous Diagnostics and Mitigation program, led by the Department of Homeland Security, is entering the third of four planned phases. By this time, agencies should know what and who is on their networks and be shifting their focus to understanding what is actually happening there.

FCW recently gathered a group of cybersecurity leaders to discuss their progress on CDM, the lessons learned in implementing Phases 1 and 2, and the expectations for the new Dynamic and Evolving Federal Enterprise Network Defense (DEFEND) set of task orders.

Challenges remain in terms of budgets and implementation. But now that the program is evolving from compliance to mitigation, many IT experts are cautiously optimistic that the government might finally be transforming its approach to cybersecurity.

The discussion was on the record but not for individual attribution (see below for full list of participants), and the quotes have been edited for length and clarity. Here’s what the group had to say.

Holding vendors accountable

Participants said implementing CDM has been a challenge, and several expressed frustration with the standardized options they were given under Phases 1 and 2. They stressed the need for agencies to have more input into choosing vendors and products.

A DHS representative acknowledged those concerns, saying, “We have worked closely with [the General Services Administration] on the new task order to make sure that agencies had a seat at the table in terms of who is selected as that new integrator preceding DEFEND. We at DHS and GSA don’t want to be selecting these integrator solutions. We want the agencies to be selecting them. At the end of the day, we need to make sure we’re in alignment with what headquarters wants to do, but we also want to make sure that we’re accurately reflecting the requirements down at the mission level.”

Another participant added: “We set up DEFEND to be cost-plus. So we’ve built in the ability for the agency to be able to say, ‘Integrator, you didn’t come through on this, and so on this factor, we’re going to mark you down.’ We’ve had that in place for our dashboard contract, and that does make a difference because the integrator wants to get that whole award value or that plus piece. And when they don’t, their leaders are asking, ‘What wasn’t working? We’ve got to get that fixed.’”

Many participants raised concerns about being judged by the quality of the data they are submitting to the CDM dashboard, given vendors’ lack of consistency and the government’s shifting targets. “It was very late in the game when we learned that a lot of the requirements had actually changed,” one executive said. “When we talk about the data quality, is 80 percent accurate enough? Is 90 percent accurate enough? It all depends on the environment.”

The DHS representatives in the group said they've heard the data quality concerns across the board from agencies. “Beyond the 80 percent and 90 percent that are in our key performance parameters and operational requirements documents, we want it to be 100 percent to the extent that we can,” one said. “So if you have a center reporting on the status of patching an endpoint, that should be reflected accurately at the integration layer, and it should be reflected accurately on your agency dashboard, on up to the federal dashboard.”

However, DHS and the Office of Management and Budget are treating fiscal 2019 as a transition period because they know some substantial data cleanup is still needed. “When you start sending your data up to the federal dashboard, you’re not going to be immediately held to account on it,” one participant said. “Plus, in the June or July timeframe, we have the [Agency-Wide Adaptive Risk Enumeration] scoring algorithm coming online to help with cyber hygiene measurements. So that gives us about a year and a quarter, starting in July, to really clean everything up and make it as useful as possible.”

Another participant, however, expressed concern that the data cleanup would “get lost in the shuffle. During Phase 1, there wasn’t consistent information sharing, and when you have different integrators, that’s going to be natural and that’s obviously where DHS has to step in. If we’re trying to have apples-to-apples comparisons among agencies and everybody’s doing it differently, we’re just not going to be there.”

Another countered that data quality would not get overlooked, because one of the foundational requirements of DEFEND is that integrators must “make sure these data quality concerns are being addressed from the start of the contract.”

‘Working toward a common, shared purpose’

The group also discussed cybersecurity priorities and the often overwhelming amount of work that remains. “We’re not going to be able to get it all done in one year or even three years,” a participant said. “It’s going to take us likely beyond the six years that we have under DEFEND. But we expect in that six years to make great strides to really tighten up cybersecurity across the federal enterprise.”

Fortunately, the DEFEND task order incorporates the ability for integrators to add resources as needed. “They can scale up mobile teams, cloud teams, boundary protection teams,” one executive said. “So they’ll have additional resources they can bring to the agencies, maybe more so than the original integrators had at the beginning. There are going to be logjams and bottlenecks at the agencies, but if we can say we’re bringing in a team of five people to help you with it, you won’t have to pull your engineers off another priority project.”

One executive argued that “agencies have a responsibility to try to streamline this internally as much as they can. Obviously, we need leadership support all the way to the top. We also need to have close interaction and partnership with our operations folks because security and operations — from the very beginning of time when security became a real discipline — have never really worked closely together. CDM is kind of the bridge that we need to help do that.”

The group agreed it’s a delicate balance. With Phase 3, one said, “you’re bringing the network back in. The network integration with security is something that the agency leadership cares about and our CFO conversations are very much about. But I have to make sure the agency continues to perform its mission. You can’t take my network down. I understand security is important, but I need sane security for the things that need to be done.”

Another participant said that “the problem is tougher in some ways but also easier in some ways because the goal in Phase 3 and Phase 4 is protecting the network and the data. It is no longer just reporting to a dashboard. The dashboard gives awareness of where you need to focus, but it’s about protecting your crown jewels, which are the data and the networks that transport that data. And I actually think that’s going to make our lives a bit easier with that dialogue with the network folks because now we’re working toward a common, shared purpose.”

Budgets and leadership buy-in

Despite the frustrations and concerns, many participants said they believe CDM holds tremendous promise. “I’m a firm believer in what CDM has to offer,” one executive said. “It’s a real, rare opportunity we’ve never had to actually get out of this world where everything is paper based and transform the government into that ongoing authorization and that ongoing assessment.”

One question, though, is clear: How do IT leaders discuss it in a way that CFOs can understand?

A participant referenced the earlier conversation about security and operations and said, “We’ve got to get these tools tied in at the operational level. We’ve already seen that once the tools are starting to be used for operational purposes, for understanding inventory and understanding what software we have installed, it starts to transform the conversation within the agency.”

“Originally I was moving from compliance to cyber hygiene,” another said. “Now we’re looking to get holistic capabilities across the agency to be able to respond to a threat. And that’s going to take more than just this compliant piece or this single module. It’s a more complex understanding of what the threat is and what the needs are.”

Another agreed, saying: “In the early days of CDM, there was great branding around automation. We’re going to move away from three-ring binders. We’re going to get into automation. Now that CDM largely is moving from reporting into the M in CDM — the mitigation part — I think we need to get back to that. It’s about automating threat detection and actually taking action through automation. I think that’s going to be the key to taking CDM to the next level to actually focus on threats.”

“That is true,” a third participant said, “but in the federal world, our executives speak a different language. They look at their metrics. They look at their scores and the things that Congress is going to ask some questions about” because they’re tied to the executives’ performance plans.

The CDM dashboard should reflect those metrics, an executive said, because “it will communicate value immediately to our leadership and then we’ll get the support that we’re looking for.”

That buy-in at the highest levels is essential because DHS will no longer be financially subsidizing CDM at the agency level.

“The CFOs need to be at the table as soon as we’re making that initial purchase because they’re two years ahead for the budget process,” one participant said.

“I know that each agency’s different,” another executive said, “but I would say to help yourselves out, you want to look at your reprogramming requests now because it’s really between you and the Hill. And it’s really your congressional communications that will help push you over with the funding.”

Another acknowledged that the costs involved are significant, but raised a deeper concern about that investment: “I don’t want new shiny toys. I don’t want stuff that might last six months. I want stuff that integrates together so that the initial increase in my cost should be offset in X amount of time.”

One of the DHS representatives acknowledged that “a lot of agencies already have a lot of the tools, so we don’t need to buy tools. It’s more like, ‘Let’s map to the requirements, and let’s get your tools working together so that they inform the dashboard, so that your cybersecurity operations center can actually take action with that data.’ That’s where the DEFEND program is going.”

Another participant said that, “in a lot of cases as CDM tools are maturing over the years, it requires less touch labor to operate them or to make use of the data out of them, so you’re decreasing your labor cost. Maybe the license is a little bit more expensive, but you don’t need a lot of your workforce sitting around anymore. You eliminate human risk. The DEFEND acquisition allows for that evolution of technology.”