For 2019, DHS, OMB to begin next chapter of CDM program


The Homeland Security Department’s signature cyber program to protect federal networks is evolving once again.

OMB's 2019 Federal Information Security Modernization Act (FISMA) guidance rescinds a 2014 memo that mandated agencies move to the Continuous Diagnostics and Mitigation (CDM) program, and gives agencies more flexibility in how they meet CDM's goals.

Jeanette Manfra, the assistant secretary for the Office of Cybersecurity and Communications at DHS, said the latest evolution of CDM is all about the continued deployment of cyber capabilities that make the most sense for agencies.


“Phase 1 is pretty near full completion of deployment, and what that does for us and agencies is provide a level of visibility into your attack surface, what’s in your network. A lot of agencies didn’t have that fidelity before. Some did and had a fair amount of continuous monitoring tools deployed, but now you have standard tool sets that are being deployed at this level of visibility. And when you add a dashboard into it, what we will focus on is vulnerability management first,” said Manfra on Ask the CIO. “We’ve had Binding Operational Directives that have been quite successful for looking at internet-facing [systems] and reducing the time to patch on those. What we really think is going to be most beneficial is improving our insight into vulnerabilities both at the DHS level, but frankly more so at the agency level, and starting to improve the way the government manages vulnerabilities across the government.”

To that end, DHS is developing a new approach for its cyber experts and agency chief information security officers to assign risk scores to their networks and to compare those scores across agencies.

“I think back to the days of Heartbleed when we are doing data calls with spreadsheets and now all the way to the point where we want to be where we will have near real-time insight into what vulnerabilities exist across which platform. This will allow agencies to focus their efforts in a way that doesn’t currently exist. This is a big focus for 2019,” Manfra said. “We are working with the agencies to develop an algorithm for testing it out since this is the first time we’ve really done something like this. I think it will take some time to get it tuned just right. We do intend for it to be a tool for agencies to understand where they are and have a measurable way of demonstrating progress in a simpler to understand score.”

The process may work like this: each vulnerability is assigned a risk score, DHS views the governmentwide status of agency scores, and DHS then works with agencies to fix the vulnerabilities driving those scores.

“There will be a number score with some precision and a logical defensibility behind why you get there. It’s going to be a relative score where an agency will want to reduce their number to demonstrate they are getting better. There is no perfect algorithm where you can say that everyone is in the ‘red.’ It takes an understanding of different risk choices, and what we believe are risk indicators.”
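The article does not describe the actual scoring algorithm DHS is developing, so the following is an added, hypothetical illustration (not DHS's or the article's code) of the properties Manfra lists: a number with a traceable rationale, relative rather than absolute, normalized so agencies of different sizes can be compared, and falling as findings are remediated. The severity weights, aging curve, exposure multiplier, agency names and sample findings are all constructed assumptions.

```python
"""Hypothetical vulnerability risk-score model (illustration only, not DHS's algorithm)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Assumed severity weights, loosely bucketed like CVSS qualitative ratings.
SEVERITY_WEIGHT = {"critical": 10.0, "high": 6.0, "medium": 3.0, "low": 1.0}
AGE_CAP_DAYS = 180  # assumption: aging stops growing after six months


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str          # e.g. a CVE identifier; placeholder values below
    severity: str
    first_seen: date
    internet_facing: bool


def finding_score(f: Finding, today: date) -> float:
    """Score one open finding. Every factor is explicit so the number is defensible."""
    try:
        base = SEVERITY_WEIGHT[f.severity.lower()]
    except KeyError:
        raise ValueError(f"unknown severity {f.severity!r} for {f.vuln_id}") from None
    age_days = max(0, (today - f.first_seen).days)
    # Aging: an unremediated finding doubles in weight after 30 days, capped so one
    # very old finding cannot dominate the whole agency (assumption).
    age_factor = 1.0 + min(age_days, AGE_CAP_DAYS) / 30.0
    exposure = 2.0 if f.internet_facing else 1.0   # assumption: internet-facing counts double
    return base * age_factor * exposure


def agency_score(findings: List[Finding], asset_count: int, today: date) -> float:
    """Relative score: total finding risk per managed asset, so agencies of
    different sizes can be compared. Zero open findings gives zero."""
    if asset_count <= 0:
        raise ValueError("asset_count must be positive")
    return sum(finding_score(f, today) for f in findings) / asset_count


def rank_agencies(scores: Dict[str, float]) -> List[Tuple[str, float]]:
    """Highest (worst) score first, the governmentwide view DHS would look at."""
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def sample_data() -> Dict[str, Tuple[List[Finding], int]]:
    """Constructed sample findings for two hypothetical agencies."""
    return {
        "Agency A": ([
            Finding("web-01", "VULN-0001", "critical", date(2018, 12, 16), True),
            Finding("db-07", "VULN-0002", "medium", date(2019, 1, 15), False),
        ], 50),
        "Agency B": ([
            Finding("fs-02", "VULN-0003", "high", date(2018, 11, 16), False),
            Finding("fs-03", "VULN-0003", "high", date(2018, 11, 16), False),
            Finding("fs-04", "VULN-0003", "high", date(2018, 11, 16), False),
            Finding("ws-11", "VULN-0004", "low", date(2019, 1, 15), False),
        ], 200),
    }


def demo(today: date = date(2019, 1, 15)) -> Dict[str, float]:
    """Score each sample agency as of a fixed snapshot date."""
    return {name: agency_score(findings, assets, today)
            for name, (findings, assets) in sample_data().items()}


def demo_after_remediation(today: date = date(2019, 1, 15)) -> float:
    """Agency A after closing its internet-facing critical: the score drops,
    which is the 'reduce their number' progress signal the article describes."""
    findings, assets = sample_data()["Agency A"]
    remaining = [f for f in findings if f.vuln_id != "VULN-0001"]
    return agency_score(remaining, assets, today)


if __name__ == "__main__":
    for name, score in rank_agencies(demo()):
        print(f"{name}: {score:.3f}")
    print(f"Agency A after remediation: {demo_after_remediation():.3f}")
```

Note that the per-asset normalization is what makes the score relative: Agency A has fewer findings than Agency B but scores worse because its one critical is internet-facing and a month old. Tuning those weights to match real risk indicators is exactly the calibration work Manfra says will take time.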

OMB's new FISMA guidance

Along with the focus on vulnerability management, OMB is making other changes to CDM. In the FISMA guidance, the administration is opening the door for agencies to acquire continuous monitoring tools and capabilities outside of CDM.


“[H]owever, they are required to provide sufficient justification should they pursue acquisition of tools with continuous monitoring capabilities that are not aligned with current or future CDM acquisition vehicles (includes CDM Dynamic and Evolving Federal Enterprise Network Defense [DEFEND], GSA IT Schedule 70 CDM Tools Special Item Number, etc.). Prior to purchasing these tools, a justification memorandum must be sent from the agency CISO to the CDM PMO, the respective OMB Resource Management Office (RMO), and the Office of the Federal Chief Information Officer (OFCIO) Cybersecurity Team,” the guidance states.

Additionally, OMB is telling agencies they can continue to use existing tools or capabilities that meet CDM requirements, but were purchased outside the contracts run by the General Services Administration.

“Agencies are encouraged to provide the CDM PMO feedback on existing tools and input on additional tools that may prove valuable for current or future CDM acquisition vehicles. When agencies exchange data with the Federal Dashboard, agencies retain sole responsibility to respond to risks identified through the CDM program and/or its agency’s dashboard,” the memo said.

Finally, another change to CDM concerns when agencies are expected to start paying for the services.

OMB says DHS will continue to pick up the costs of all new capabilities for the first two years, but agencies should work with their budget officers to prepare a spending plan detailing how much money and staff time the agency will dedicate to CDM from 2018 to 2021, and any budget requirements beyond 2021. Agencies are required to submit separate CDM-specific line items in all budget requests starting in fiscal 2020.