MeriTalk’s Cyber Security Brainstorm Highlights the Future of CDM

The theme of MeriTalk’s 2017 Cyber Security Brainstorm was “Cyber Everywhere: Collaboration, Integration, Automation.” What commenced throughout the morning was a discussion of the cyber strategies and opportunities that can keep the federal government’s cybersecurity posture proactive and advancing.

One of the main discussion topics was the outlook for the Continuous Diagnostics and Mitigation (CDM) program at the Department of Homeland Security (DHS). A panel session on CDM and the Changing Cyber Landscape included several industry representatives from CDM solutions provider companies who are just finishing up work on Phase 3 of CDM, which addresses boundary protection and event management for managing the security lifecycle. The panelist provided their insights into the current state of CDM as well as how the program may evolve in the future. Below are several of the topics they addressed and some of their comments.

Current State of CDM

• The CDM Dashboard (Phase 1) that is currently being rolled out to agencies will equip agencies with situational awareness (SA) and actionable intelligence.
• We are finally at the boundary where the internet meets the agency. Phase 3 of CDM is more loosely defined to give the flexibility needed to address agency needs.
• CDM is now engrained in the fed landscape so much so that we see it referenced in MGT Act and other policies. And as we go into the Cloud and CMaaS, we see great opportunity.
• CDM was a chance to homogenize tools and this has been done.
• Successes include the availability of buying cyber training in-bulk; if one tool or approach lags in keeping up with the need, we can choose another that drops in much more easily than in the past; we have better SA of our network environment.

Measuring CDM’s Performance

• From an acquisition perspective, it is about how quickly can we get it
• From a technical side, it is about how quickly we can patch vulnerabilities. For authentication and authority violations, it is about how quickly we can fix those.

Acquisitions Changes

• The decision by GSA to shift acquisitions from their CDM Blanket Purchase Agreement (BPA) and mover to the Alliant contract vehicle will shape the future of CDM. Depending on the agency and how they use Alliant, it may impact which partners they choose. Alliant opens things up to more vendors. They kept the groups together, but it will depend on whether agencies keep what they have learned so far or not. The GSA Cybersecurity Special Item Numbers (SINs) on IT Schedule 70 opens things up as well.

Leveraging the New CDM Dashboards

• As we look at the CDM dashboard, agencies need to make sure the data feeds they designate take advantage of real-time data, not simply historical data. Also, we should look for a process by which to sunset current and old technologies and get new technologies more quickly.
• The dashboard can be used to help the workforce scale and make a cyber defender more effective. Understanding what’s on the network is great, but you need user behavior data, etc. in real-time to make it very useful. 
• The primary usefulness of the dashboard is to provide SA and real-time mgmt. It’s harder to use the dashboard for Endpoint Detection and Response (EDR), so my “ask” for the dashboard people is to build some flexibility into it so it doesn't take a programmer to change or update what is being tracked. The dashboard is not the end in itself, it’s how you use it to achieve the desired end.
• We need metrics that will support budget requests and the dashboard data should help with this.

Cyber- Information Sharing

• When a cyber operator mediates a threat we need to ensure that information is appropriately and effectively shared with other agencies. There is much room for improvement here.
• We would like to see DHS be more prescriptive in what is required for people to share. (The latest cybersecurity Executive Order (EO) will hopefully help this.)
• While the CIO Council, US-CERT, and others have been sharing cyber- information for years, we could do better. It might be useful to share on things like agencies being behind on patches. Public shaming could be a helpful tool to improving security.
• Under-reporting of cyber- incidents is a huge issue in the industry right now. We need to push agencies to report accurately.
• The shared services approach that is coming will help with information sharing. However, agency-specific applications will still need to be set up in a way that makes them proactive.

Future Outlook

• CDM is here to stay and collaboration and integration between agencies and industry is critical to success.
• CDM will look a lot different 3 years from now than it does today. We need to build in the capabilities to adapt. How the dashboard evolves over time is key. Evolution needs to be built in to meet needs as they develop.
• The program will either be turned into a shared service where agencies lose some control, or it will break apart based on various agency needs. Hopefully, it will move to shared service model.
• CMaaS and cloud computing is the next step. CDM has seen some traction at agencies, but we are behind on establishing sufficient accountability on progress and adoption. There’s been a lot of “soft deadlines” and we want to get to hard ones. 
• In Phase 3 we need to shorten time to remediation of cyber events.
• We see the potential for shortening cycle times in all ways. However, it will not be a total offload from agencies to industry. It must be a partnership, setting appropriate expectations, improving information sharing, etc.
• We see CDM evolving into something much, much larger, as you see cybersecurity impact politics and national security.

Implications

Technology advances, evolving acquisitions strategies, and provisions in the White House’s cybersecurity executive order (EO) will likely shape significant changes in CDM in the future and that may mean growth in some areas and contraction in others. In his keynote remarks opening the event, Dr. Barry West, Senior Advisor and Senior Accountable Official for Risk Management at DHS, noted that CDM Phase 1 will be implemented across civilian departments by the end of calendar 2017. But when asked about what tools he sees being needed going forward his response was that they have to re-architect the enterprise architectures first to determine which tools they will need going forward. West also noted that while the current CDM phases emphasize standardization, the White House’s cybersecurity EO and its push for IT modernization will drive further standards and standardization in the future, so some contraction in the variety of what solutions will be in demand might be expected.