Surge teams help integrate NASA mission cyber priorities with CDM

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

NASA is taking advantage of some unintended benefits of the continuous diagnostics and mitigation (CDM) program. The space agency is not only meeting the requirements under the different phases of CDM, but also addressing cyber priorities of its mission areas.

Willie Crenshaw, the program executive for the CDM office at NASA, said the surge teams created during phase 1 of the program now are helping identify and implement new capabilities.

“That team worked together with the missions to explain CDM and work with the CDM integrator to explain what is going on within NASA and deal with the culture as we move forward with implementing,” Crenshaw said in an interview after a speech at the recent CDM conference sponsored by FCW. “We’ve mirrored a team for the DEFEND task order because it’s a little different than just implementing the tools. It’s more of us also processing the request for services within the agency. The agency has to talk to [the Department of Homeland Security] about the requirements and we don’t want the integrator doing that. Our own team within NASA will work with our components, missions and programs to get their requirements and create the request for service.”

DHS and the General Services Administration, which acts as the procurement arm for CDM, awarded Booz Allen Hamilton a $1 billion contract last July to support Group D, which includes GSA, NASA, the Social Security Administration, the departments of Treasury, and Health and Human Services, and the Postal Service, under DEFEND.

Under DEFEND, agencies have more flexibilities to deploy cyber capabilities that make the most sense for their current needs.

And that’s why that close connection with the mission areas is letting NASA address some long-standing cyber challenges.

“You have your set of request for services coming from DHS for all the agencies in Group D and we want to make sure that priority gets met,” Crenshaw said on Ask the CIO. “But we have our own. What we will do is get DHS’ requirements and our own requirements and generate a RFS. The program is flexible like that and helps us do that. We like that model.”

He added the internal cyber teams collecting mission requirements or needs helps build the trust with both NASA’s cyber office and with Booz Allen’s integrator team.

Crenshaw said there are more than a dozen helping with the operational side of CDM and the tactical or strategic teams are smaller, maybe three or four people.

One of the big benefits of CDM is visibility of hardware devices and applications across the network.

“We have standardized on patching. We are able to see more assets and then we can patch. We have seen an increase in the number of systems patched. We’ve also seen the time decreased to get those systems patched,” he said. “With some things at NASA, you can’t just through the patch on it. You need to test it out. We have the data and are able to build those metrics. So being able to see more assets, of course our patching levels have gone done and we’ve improved our scorecard.”

NASA struggled with patching systems in 2016, with anywhere from hundreds of thousands to millions of patches out of date.

Crenshaw said CDM has let NASA put more capabilities in place beyond just patching, including vulnerability management and scanning, that is improving its cybersecurity.

“By us going to an enterprise level, we now have the standards set and everyone can come to that get their reports to see what is going on instead of having a tool here and a tool there,” he said. “Now everyone has one central point and dashboard where they can see things and act on it quicker. The visibility tells the story. It’s easy to say something isn’t patched, but it’s also why is it not patched? We are able to tell the story better to the leadership as well.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.