Matt House, CDM program manager at CISA, said his office is ready to expand its cyber tools to cloud instances to better mitigate evolving cyber threats.
From the beginning, the Continuous Diagnostics and Mitigation program has been all about shining light on cyber blind spots.
First, CDM focused on the basics of cyber defenses. The Cybersecurity and Infrastructure Security Agency program strove to make sure agencies knew who and what was on their networks. Then, CDM sought to illuminate cyber risks enterprisewide and governmentwide through dashboards.
Now, CDM is shining the light on cloud infrastructure.
“We can tackle the infrastructure-as-a-service piece fairly directly as a logical, if not, concrete extension of what we’re doing for traditional assets. But we’re largely blind right now if we try to take the tools that we have in place today and apply them to platform as a service and software as a service. It just doesn’t work. It’s not, applicable, so we are somewhat blind there,” said Matt House, CDM program manager at CISA on Ask the CIO. “We also have to do some stepping back on what our definition for asset management is from a software-as-a-service perspective. It sounds a lot to me like just data protection. I don’t need to know the implementation details. We’re in the early stages of working on that.”
House said CDM is starting with the “easy one,” IaaS, to identify and secure assets in the cloud, and then will use those lessons learned to move to PaaS and SaaS instances.
The first step in this entire effort is relooking at how CDM defines an asset. When agencies had most or all hardware on-premise, defining routers or switches or servers was relatively easy. House acknowledged that even, today after more than a decade, not every agency has 100% of on-premise assets identified and monitored.
“We have to then consider what tools or what capabilities we want. So if I pick on cloud in particular, the delivery model is one of the major indicators of how we need to address a particular subclass differently. That’s going to prompt us to have different approaches and different tool sets,” he said. “Those tools are often evolving right in place. They’re getting better so I think that there’s a lot of richness that we can still tap into in these tool sets.”
CDM has invested millions of dollars since 2012 in federal civilian agency cybersecurity tools and capabilities. House said many of these, like endpoint detection and response (EDR) or asset management software, have the potential to help agencies tackle cloud blind spots.
The “use what you have better” approach is part of the evolution CISA has taken with CDM over the last few years.
“Maybe we either leverage [EDR] or augment it or gap fill it versus try and think of this as every new problem space needs a new CDM, funded-from-zero solution,” House said. “I would argue that’s the reason we’ve made the progress we have with EDR as relatively quickly as we have when compared to some of the other capabilities is we’ve adopted that gap-fill approach. By definition, it requires that we work a little bit more closely with agencies very explicitly on understanding what they already have versus us telling them what they need. We figure it out collectively.”
House offered a few examples of the collaborative approach working well.
In one case, an agency decided a few years ago its EDR tools were good enough and didn’t need CISA’s help. But then decided in the last year, that it wanted to move off its current EDR platform and onto a more modern one.
The CDM Program team offered some alternatives and use cases of other agencies that recently installed EDR tools.
“We helped them by sharing a lot of what we’ve learned over the last three years — in many cases in the trenches — to drive their analysis of alternatives. It became a very natural and mutual decision in the sense that they wanted to know what we had learned along the way. We didn’t have to influence them,” House said. “By sharing that information, we had a high level of confidence that they were going to pick a tool that we were comfortable with, that met their enterprise needs and was compatible with other CDM tools.”
In another case, CISA worked with an agency that already had a solution in place, but it was not fully deployed across all portions of the enterprise.
CISA helped that agency reach almost 100% coverage in about 14 months.
“We subsidized the licensing costs, helping with the labor, getting them in touch with and getting them access to the professional services they need. That was a lot more of an augmentation versus us helping them decide on what tool to use,” House said.
One area where CDM continues to standardize is the federal dashboard. House said 94 civilian agencies now submit data to the platform hosted by CISA.
“Broadly speaking, I think the median is well above 60% to 70% of all assets within the definition of that technology class. And that’s been trending upward steadily for us,” he said. “We do look at that stuff very closely across all agencies and across all implementations. I’m very tightly in with our overarching data quality efforts, data quality management efforts, because it’s not good enough to get data in, you have to have confidence in the data. That is very much a three-party effort. The CDM Program management office, the integrator and the agency all have worked closely together and have to do that.”
Over the coming year, CDM will expand the data coming to the dashboard beyond traditional IT assets to include mobile devices and even IaaS data.
“Agencies should be using the same visualization tools, so we all work off the same sheet of music. That process for getting that data out there has shrunk in the past year due to some upgrades in the dashboard infrastructure. It used to take us six months to get those out because of the way we had to deploy packages and get all of the dashboards individually upgraded,” House said.
“Now, we can pump those out now in a matter of less than a week or even a few days, which that makes a big difference when it comes to targeted response. The big picture answer on this is the dashboard has evolved in terms of its value to CISA to become a tool of first resort, as both proactive risk management and incident response and coordination.”
All of these ongoing efforts are part of the continuous evolution of CDM.
“The CDM of today is not the CDM that grew up last decade. We were standing on the shoulders of the work that had been done over the past 11 years, and I wouldn’t trade it for anything. But we really have entered into a new exciting era,” House said. “CDM is no longer just a better mousetrap for governance risk and compliance — or managing compliance. It’s really an operational tool for the agencies and for CISA as a whole. It’s making a material impact in our ability to proactively manage risk and be all the more efficient in responding to urgent threats.”
To learn more about CISA’s CDM program and where it’s going in the future, download the e-book sponsored by Booz Allen Hamilton.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Jason Miller is executive editor of Federal News Network and directs news coverage on the people, policy and programs of the federal government.
Follow @jmillerWFED