Cyber briefing on continuous diagnostics and mitigation (CDM) hosted by immixGroup
Among federal executive agencies, continuous diagnostics and mitigation (CDM) is essential not only to ensuring cybersecurity, but also to easing the burden of complying with the Federal Information Security Management Act (FISMA) and to establishing appropriate budgeting levels for information security.
These and other perspectives on cybersecurity in the federal market were unveiled at a Federal CDM Briefing hosted by immixGroup on April 8. The event was moderated by Scott Lewis, president and CEO of PS Partnerships, and featured key spokespeople from the DHS, the Department of Commerce, and the U.S. Secret Service.
In August 2013, the General Services Administration awarded blanket purchase agreements (BPAs) for continuous monitoring as a service (CMaaS) on behalf of the DHS’s continuous diagnostics and mitigation (CDM) program. The BPAs were awarded to 17 system integrators to provide cybersecurity software tools and solutions under a potential five-year contract worth up to $6 billion. The BPA is one aspect of the CDM program, with the other two being endpoint integrity and a dashboard for executive branch agencies.
Dashboard automates security and reporting
Speaking at the immixGroup event, Mark Kneidinger, senior advisor, Cybersecurity & Communications in the DHS, focused on the CDM dashboard. Awarded March 3, the agency-level dashboard is connected to tools and sensors to identify areas in need of mitigation. It is also connected to a federal dashboard for automating FISMA reporting.
The dashboard is particularly significant for cybersecurity, Kneidinger said. In the past, tools and sensors were available to fortify infrastructure, but there was no information on incident types or how to mitigate them. The dashboard allows agencies to set up metrics and risk tolerances.
It also affords throughput to the federal dashboard to automate the FISMA reporting process, he said. A common anecdote among federal security professionals, according to Kneidinger, is that if you were to stack all the 3-ring binders required for FISMA reporting “it would be almost as tall as the Washington Monument.” Automating that process is a significant time and cost savings for agencies, he noted.
The administrative and budgeting component of the dashboard also is significant, according to Rod Turk, chief information security officer (CISO) and director in the Department of Commerce’s Office of Cyber Security. Turk said that the dashboard provides an easy way to articulate vulnerabilities and push that information up to executives in a way they can understand. Eduardo Cabrera, assistant to the special agent in charge, U.S. Secret Service, supported the use of a dashboard in investigating cyber crime, noting, “An informed network is a great start to defend against cyber incursions.”
Overall, the initiative will give government considerable insight into best practices for cybersecurity, Kneidinger said. There’s a “mixed bag” of monitoring solutions in use across government agencies now, he explained, and the CDM BPA is leveraging proven COTS packages in both monitoring and reporting through the dashboard.
The dashboard is important for best practices, Kneidinger stressed. With 124 executive agencies of all sizes, it’s rare for them all to get together and share information. The dashboard helps improve communication and offers an opportunity to share and discuss lessons learned across all agencies.
Collaboration to find solutions
The panelists spoke at length about Federal Network Resilience, which calls for collaborating with components of the federal enterprise to identify solutions, and monitoring the effectiveness of implemented solutions.
Commerce’s Turk explained that in FY2012 the agency bought CDM tool licenses and established infrastructure. Commerce now has enough licenses for all its agency endpoints, Turk said, and by the end of the year expects to have all endpoints covered with clients for vulnerability assessments and asset management.
Commerce also has established the “Enterprise Security Oversight Center” to consolidate information for early warning and development of threat knowledge. It also serves as a users group to share information on monitoring tools and to research tools employed in other agencies.
Asked by moderator Lewis whether the work in progress with CDM is creating “compliant networks” or truly “secure networks,” the panelists concurred that the steps taken in compliance today are setting the stage for secure networks in the future.
According to Turk, “of all the hits a network can take, even a single hit can ruin your entire day.” Finding that vulnerability is like looking for a needle in a haystack, he said, but is essential work -- and an important use for CDM. He noted the parameters laid out in NIST Special Publication 800-53A (Guide for Assessing the Security Controls in Federal Information Systems and Organizations) related to cyber controls provide baseline activities for CDM. Those activities include security, patching, and otherwise knowing what’s in your network, he said.
For Kneidinger, CDM provides tools to close the gaps, fortify the network, and otherwise help CISOs do the work related to truly securing the networks.
Looking to the future -- particularly the cloud and mobility -- Kneidinger noted that executive agencies are extremely interested in learning how CDM can be accessed as a shared service. He said a working group is being assembled to consider security parameters for such a service, with plans to work with FedRAMP to that end. A second phase RFI to the CDM initiative will soon be announced to consider infrastructure integrity, Kneidinger added, with mobility as a critical component.
Turk said the Enterprise Security Oversight Center at Commerce is planning to integrate cloud activity in its work. Cabrera approached the issue from an investigative perspective, noting that any new technology is another potential “attack surface” to be investigated. The Secret Service has to have a better understanding of how to gather intelligence and how to access that information related to those attack surfaces.
Regardless of the particular perspective from the panelists, all agreed on the essential need to ensure the confidentiality, integrity and availability of federal information and information systems. Use of continuous diagnostic monitoring allows agencies to maintain ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
For complete information from the immixGroup CDM Briefing, visit http://www.immixgroup.com/for-government/webinars/2014/04/08/Improving-Cybersecurity-and-Resilience-Through-CDM/.
Ray Miles is a certified project management professional and alliance manager at McLean, VA-based immixGroup.