CISA Gets Agencies to Automate Cyber Vulnerability Reporting to CDM Faster Than Anticipated

Published: July 13, 2023

Topics: Federal Market Analysis, Cybersecurity, CISA, Government Performance, Policy and Legislation

CISA has reached its FY 2023 goal of getting half of federal agencies to automate their cyber vulnerability reporting ahead of schedule.

The Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS) is making progress in getting Federal Civilian Executive Branch (FCEB) agencies more deeply connected and integrated with CISA’s Continuous Diagnostics and Mitigation (CDM) cybersecurity monitoring and response system capabilities.

The government-wide cybersecurity agency has been working to meet several CDM program requirements set out in the 2021 White House Executive Order on Improving the Nation’s Cybersecurity (EO 14028). CISA is charged with reporting on these and other cybersecurity performance metrics on the Performance.gov website.

DHS’s Agency Priority Goal, “Strengthen Federal Cybersecurity,” as posted to Performance.gov, reads: “By September 30, 2023, 50 percent of federal agencies will meet the end of year Binding Operational Directive-22-01 [Known Exploited Vulnerabilities] requirement for leveraging automated Continuous Diagnostics and Mitigation reporting and CISA will achieve measurable progress toward enhancing operational visibility within the Federal Civilian Executive Branches by improving asset discovery and vulnerability enumeration.”

Progress on BOD 22-01 Automated Vulnerability Reporting Requirements

According to the June Q2 FY23 progress update provided by DHS, CISA reports that 56 out of 101 (55%) FCEB agencies now automatically report into CISA’s CDM system, up from 45% at the end of the first quarter of fiscal 2023. The Q2 results not only exceed the 50% requirement of BOD 22-01, but they also met it three months early, garnering CISA some positive media coverage.

However, CISA also set expectations for more modest progress going forward, citing “factors like agency resourcing, prioritization and leadership changes [that] will create challenges for achieving comprehensive CDM coverage as will CISA’s inability to directly make changes to agency tooling. We foresee stabilized performance through the rest of FY23. Beyond FY23, CISA will be able to gain some incremental increases with agencies, likely as high as 85%, but may never approach 100%.”

Translation: the combination of uncertainty within agencies and CISA’s limited authority over them will limit CISA’s ability to sustain the rate of progress it enjoyed during the first half of FY 2023, and CISA only expects to get about 85% of FCEB agencies fully onboard with CDM in the best case, unless significant positive environmental changes occur.

Improving Asset Discovery and Vulnerability Enumeration

In October 2022, CISA issued Binding Operational Directive (BOD) 23-01, Improving Asset Visibility and Vulnerability Detection on Federal Networks, which directs federal civilian agencies to better account for what resides on their networks.

By April 2023, all FCEB agencies were required to initiate automated asset discovery on their networks, initiate vulnerability discovery and enumeration across all discovered assets, and initiate automated ingestion of detected vulnerability enumeration results into the CDM dashboard. For CISA’s part, they were to publish the relevant data requirements for agencies, draft an Asset Visibility Enhancement Guide to help agencies with implementation, and prepare the CDM Dashboard to receive the data from agencies.

Per CISA’s latest performance update, CISA has set a goal of having 50% of FCEB agencies successfully initiate reporting of vulnerability enumeration performance data under BOD 23-01. Reporting on the progress of this goal will come in the Q3 progress update, anticipated in September.

Exploring CDM Modernization

CISA is also exploring paths to modernize the CDM program for the future. CISA released an RFI in June to research potential sources to modernize the CDM program and ensure new cybersecurity capabilities are effectively deployed across civilian agencies. Potential solicitations are TBD and may or may not materialize. Time will tell. However, DHS requested $421M for CDM in its FY 2024 budget, with nearly 80% of those funds targeted at new development activities rather than operations and maintenance (O&M).