CISA touts CDM, CyberStat as key cyber compliance tools

A watchdog report found DHS doesn't always validate whether agencies are complying with mandatory directives. The department floated plans to leverage two existing programs to do just that.


The Department of Homeland Security previewed new plans to patrol federal networks for cybersecurity compliance in reply comments to an oversight report released Feb. 4.

The Government Accountability Office report reviewed the department's use of Binding Operational Directives (BOD) to improve baseline federal civilian cybersecurity practices. While the overall findings were largely favorable to DHS and its component, the Cybersecurity and Infrastructure Security Agency, the report did find gaps in the department's ability to validate the compliance of agencies, which largely self-report their status.

In an attached reply, a DHS official concurred with those findings and outlined plans to develop a risk-based strategy and to use two existing programs, Continuous Diagnostics and Mitigation and CyberStat, to better validate whether agencies are complying with directives.

The Continuous Diagnostics and Mitigation program is designed to standardize the way federal agencies monitor their networks and data for cyber threats. Using pre-approved tools, agencies report information about the devices and users connected to their networks up to a master dashboard, which DHS then uses to spot anomalous or suspicious activity. The department said that while this type of automated reporting would be its preferred method for validating most compliance metrics, it is not always possible, and the directives themselves can serve as effective vehicles for prioritizing agency actions, timeframes and expectations.

"[CISA] is confident that full deployment and integration of Continuous Diagnostics and Mitigation program capabilities will significantly increase our ability to validate results similar to our current use of cyber hygiene scans," wrote Jim Crumpacker, Director of the department's GAO-IG liaison office.

The department is also working with the Office of Management and Budget to refocus the structure of its CyberStat reviews to ensure they include checking up on agency claims. While CyberStat is still technically under the purview of OMB, CISA has taken on much of the underlying technical work associated with the program in recent years, and the agency told auditors that it is best positioned to revamp the program to smoothly incorporate new compliance metrics.

"[CISA] intends for this type of management review to not only validate agency-submitted results, but to also help identify support opportunities and specific actions to address agency problems, progress, challenges and restraints related to BOD implementation," wrote Crumpacker.

Since 2015, DHS has had the legal authority to issue Binding Operational Directives addressing systemic vulnerabilities in the information systems and websites of civilian federal agencies. The department has issued 11 such directives over the past five years, designed to address issues like timely patching of critical software vulnerabilities, email and web security, and the presence of Russian antivirus software on federal systems.

The use of directives has increased in the past several years, particularly as CISA has evolved to become a key cog in the federal government's overall cybersecurity machinery. Officials have described an initial atmosphere of unease about how to wield the new powers and how much trust to place in what agencies reported back.

"One [principle] we tried to stick with religiously was the ability to independently measure compliance. That was very important to us," said Jeanette Manfra, then-Assistant Director for Cybersecurity and Communications, in an interview with FCW last year. "Over the years, we've seen self-reporting that, when you go in and do an assessment, there's a lot of things that make it difficult to rely on."

Uneven implementation timelines across the federal government could complicate plans to use CDM as a validation tool in the short term. The program is broken up into four phases, and though it has existed since 2012, task order work did not begin until 2015. CISA official Ross Foard said late last year, at a conference hosted by SailPoint, that some agencies had yet to complete their responsibilities for CDM phases 1 and 2.