Senators look to codify CDM

A pair of senators have re-introduced a bill designed to prop up a government-wide cybersecurity program and expand its use among state and local governments.

The legislation, sponsored by Sens. John Cornyn (R-Texas) and Maggie Hassan (D-N.H.) would codify the Continuous Diagnostics and Mitigation program by placing it into the 2002 Homeland Security Act of 2002 – something original sponsor John Ratcliffe (R-Texas) and others have said is necessary to ensure agencies take implementation seriously.

"Cyber-attacks on government networks are increasing in frequency and sophistication, so updating the programs and tools federal agencies use to thwart these attempts is critical," said Cornyn in a statement."By codifying the CDM program and providing congressional oversight, we can ensure the federal government is better prepared for cyber threats."

The bill would ensure that program managers are persistently updating the program to incorporate emerging technologies and require a comprehensive strategy for CDM within six months of passage.

It would also direct the Secretary of Homeland Security make the program available to state and local governments in addition to federal agencies. A number of high profile cyber and ransomware attacks have hit cities this summer, reigniting debates about whether states and localities have the resources or expertise needed to fend off sophisticated state-sponsored or criminal hacking groups.

The program, which makes a suite of pre-approved tools available for agencies to monitor network traffic, has had a bumpy few years of implementation. An initial round of purchasing was plagued by complaints from agencies about inflexibility on the part of DHS and integrators who were a mismatch for some agency IT environments. While many of those concerns were addressed during the second round, many agencies continue to lag far behind the original timeline for implementing all four phases of CDM.

Eventually, officials at DHS plan for the program to do more than monitor traffic, with capabilities to granularly keep track of all devices and users connected to federal networks and implement better data protection protocols expected to be built in down the road. Later this year, DHS will debut a new complimentary algorithm, dubbed AWARE, that will provide a cybersecurity risk scoring for agencies on metrics like vulnerability management and patching and configuration, with an eventual goal a providing a risk score down to each individual agency system.

Right now, however, policymakers have determined that codifying the program into law will send a message to participating agencies that the program isn't going anywhere and that it still enjoys broad support in Congress.

"There is expense and resources required in terms of time and effort to implement the technologies provided through CDM," Suzanne Spaulding, a former DHS cybersecurity official, told FCW last year. "If you wonder whether the support for this program is going to be sustained, you can stall, you can debate about 'should we be making this expenditure?' So just simply sending the signal that this program has support from Congress and isn't going away is a really important step in getting departments and agencies to undertake the burden, frankly, of implementing CDM."

The bill was originally developed last year by Ratcliffe while on the House Committee on Homeland Security. The legislation passed the House and Senate leaders appeared receptive to bringing it to the floor, but a tight legislative calendar, budget negotiations and the start of a government shutdown scuttled hopes of passing it through both chambers in time.

The bill now has a Senate sponsor but may need a new House sponsor, as Ratcliffe was recently nominated by President Donald Trump to serve as Director of National Intelligence.