DHS’ CDM program still not showing full picture of agency IT, GAO says


The Department of Homeland Security’s continuous diagnostics and mitigation program, known as CDM, has been around for seven years. But it doesn’t yet produce complete pictures of agency IT assets and whether they’re securely up to date. That’s what the Government Accountability Office found when it examined the CDM programs at three sample agencies. GAO’s Director of Information Technology and Cybersecurity Issues Vijay D’Souza had more information on Federal Drive with Tom Temin.

Interview transcript:

Tom Temin: Vijay, good to have you back.

Vijay D’Souza: Thanks. It’s good to be here.

Tom Temin: So you looked at which three agencies and what were you looking for?

Vijay D’Souza: Well, we looked at how the CDM program was implemented at FAA – the Federal Aviation Administration – the Indian Health Service and the Small Business Administration. We didn’t look at the whole program, we looked at sort of the first or foundational aspect of the program, which is basically asset management. So understanding what exactly is on your network from both a hardware and software perspective.

Tom Temin: Yeah, that’s really the foundational need for cybersecurity is having a full inventory of everything you’ve got to protect. And did they have a full inventory?

Vijay D’Souza: So the short answer is no, they didn’t. They have taken a lot of efforts to try to develop an inventory. And they have a lot of efforts underway. But it’s quite hard. We found, for example, at one agency that almost half of the devices had duplicate records. So one device would have two or more records due to how sort of the underlying data collection system was developed.

Tom Temin: Got it. And so is this a result of the tools that they were using to do the inventory? Or is it because there’s so much change in adding and subtracting equipment all the time?

Vijay D’Souza: It really has more to do with the tools. I mean, one of the challenges with this program is that DHS actually administers the contractors that run the CDM program and the contractors go to these different agencies and try to implement their solution at the agencies. I think originally when DHS started the program they were trying to use a more – I hate to say it this way, but maybe a one-size-fits-all approach and I think over time they realized that that was pretty challenging, and each agency has its own unique issues. More recently, they’ve restructured the program to give the agencies a little more flexibility in working with the contractors. And I think that has led to some improvements. The duplicate issue identified to you is one DHS is aware of as well. And they released a plan to address this issue last year.

Tom Temin: And what is their basic plan to get around that?

Vijay D’Souza: I mean, I think it’s basically as you said, making sure the tools have ways to weed out duplicates and search for them and tracking it and trying to set some metrics around improving it.

Tom Temin: Well, when a contractor from DHS comes into an agency, the agency has to, I guess, accommodate that contractor and give it space to work and so on. I guess the question is, what’s the issue? What should the agency do to work with a contractor to make sure that the contractor doesn’t overlook anything that – because the agency doesn’t know what it has presumably until the contractor comes in and discovers it using the tools.

Vijay D’Souza: Well, all of these agencies, you know, I don’t want people to think that agencies didn’t have any way to track what they had before. But the idea is to do it better and to do it in a standardized way that can be rolled up by DHS into a governmentwide dashboard. One of the challenges we did find with this overall program is what I mentioned, the contractors are sort of administered by GSA and DHS, but they’re doing work at these individual agencies. To respond to this DHS tried to create point people that served as liaisons between the agencies and the contractors. And we did find that that helped, to some extent, but agencies did mention that it was a problem sometimes having a contractor work at your agency that isn’t sort of reporting directly to you.

Tom Temin: We’re speaking with Vijay D’Souza, director of Information Technology and Cybersecurity Issues at the GAO. And in your summary report, you say the agencies identified various challenges to implementing the program, including overcoming resource limitations. Is that to say they don’t feel they have enough money to – how does that work?

Vijay D’Souza: Well, yeah, these security, having contractors and underlying tools to keep track of all these things is expensive. DHS covered the upfront costs of the program. But the idea is that over time, the agencies will assume the ongoing maintenance costs, which are significant. So agencies raised that as a challenge. DHS is supposed to sort of make the case for the agencies with OMB to make sure that the agencies get enough funding to support the ongoing maintenance of these tools, but it’s not easy. And you know, money is always tight for these sorts of things.

Tom Temin: Sure. And the other issue is that the agencies felt they could not resolve problems directly with contractors because the contractors operate on site, or do they just operate from some central location, and it’s all a virtual setup?

Vijay D’Souza: Well, nowadays, everything’s a virtual setup. But I think in general, it’s a mix. I mean, you need to do – install some things on the agency’s network, which requires some physical installations, some software installations. But obviously the contractors are working at their own facilities as well.

Tom Temin: Alright, so you had a series of recommendations this time. Well, before we get to those, what’s your sense of how projectable these shortcomings are in the three selected agencies across the whole federal population?

Vijay D’Souza: So, you know, we didn’t do a generalizable sample. So I can’t say – we, for example, didn’t make a recommendation government wide about these issues. But in general, the feedback we received was fairly consistent across agencies regarding the challenges with the program, and DHS confirmed that as well. The efforts that they’re trying to make to address these problems are things they’re doing governmentwide, not just focused on the agencies we looked at.

Tom Temin: Yeah, and the shortfalls in the inventories that are developed under these programs. Are they mostly in software licenses, mostly in hardware, mobile devices? Is there any sense of what it is that’s not being counted?

Vijay D’Souza: The biggest issue we found was with the hardware. That was where it was most apparent that there were challenges. There were fewer issues with software. We didn’t specifically look at mobile devices for this, although, you know, mobile devices are considered hardware.

Tom Temin: But with respect to hardware, I guess maybe that’s less of a problem than software because most of the patching and vulnerabilities I would imagine occur in software programs. Hardware has firmware. But –

Vijay D’Souza: Yeah. Yes and no, I mean I think part of what you might be afraid of from a vulnerability standpoint is to have someone plug an unknown computer into your network. So that is definitely an issue. We actually did find that the software tools tended to work better. We didn’t find through the duplicate issue we did. We found that the scanning was generally in many ways functioning as intended.

Tom Temin: Heaven forfend, somebody should plug in a Huawei router and not be able to have it pop up and someone see it.

Vijay D’Souza: Right. Well, any device, it doesn’t necessarily matter the manufacturer what matters more is who’s in charge of it, and how’s it being administered.

Tom Temin: Got it, all right so what are the recommendations?

Vijay D’Souza: Well, we made recommendations both to DHS and the agencies that we looked at, that they take certain steps to basically – we recommended things in several areas, but the big focus was improving the data quality and improving the linkage so that agencies could understand. One thing we didn’t touch on is agencies didn’t always have a good understanding of which device is linked to which systems from an IT security perspective.

Tom Temin: Yeah, so does it come up, say the circumstance where here’s your inventory that spits out and goes up to the dashboard? And could an IT person say, “But you know, I know we’ve got such-and-such a server here. And that doesn’t show up.” Is that the kind of thing that can happen?

Vijay D’Souza: It could. I mean, I think the probably more likely scenario here is that the same server shows up several places. The duplicates was more of an issue than the missing devices. But the other issue is that, you know, an individual server might support multiple systems. So figuring out how do you count that, which system do you count that towards?

Tom Temin: And given the fact that CDM is seven years old, would you say that even with the state of the tool deployment and output at this point, the government is better off than before CDM, even though CDM is not fully mature?

Vijay D’Souza: Definitely. I mean, obviously, it’s taken longer and cost more than I’m sure even DHS would have hoped. But the fact that we even have a system now, however imperfect, to measure IT security posture governmentwide, is a great step. We definitely need to improve the quality. We definitely need to build on it. But you know, it wasn’t an easy task, and we have seen some progress.

Tom Temin: And DHS is generally aware of these issues?

Vijay D’Souza: Yeah, DHS – we discussed all the challenges we identify with DHS. I think it’s safe to say they didn’t think anything we raised was a surprise to them. In our report, we identified each of the challenges and steps DHS was taking to address them, so they’re certainly aware of it.

Tom Temin: Vijay D’Souza is director of Information Technology and Cybersecurity Issues at the Government Accountability Office. Thanks so much for joining me.

Vijay D’Souza: Thank you.

Tom Temin: We’ll post this interview and link to his report at www.FederalNewsNetwork.com/FederalDrive. Hear the Federal Drive on your schedule. Subscribe at Apple Podcasts or PodcastOne.