The Cybersecurity and Infrastructure Security Agency (CISA) is trying to lighten the ever-increasing load of policy mandates, laws and cyber threats agencies must deal with every day.
From the zero trust strategy to the cybersecurity executive order, to vulnerabilities like Log4j and the latest ones affecting five different VMware products, agency chief information security officers probably feel like they are swimming upstream most of the time.
But after almost a decade of work, the Continuous Diagnostics and Mitigation (CDM) program from CISA is providing more data, more analysis and more general and specific knowledge about an agency’s systems, devices and overall cyber posture, with less time and effort.
“What we’re able to do is give them turn-key features, whether it’s in the actual cyber tools that feed the dashboard or within the dashboard itself, that all they have to do as a practitioner is go to the user interface or go to the console and immediately see how they can meet those requirements without any staff burden, without any lag time to roll tools out,” said Richard Grabowski, the acting program manager of the CDM program at CISA in the Department of Homeland Security, on Ask the CIO. “Let’s say a 10-person agency, where they have no cybersecurity experts, gets a mandate to go identify their critical software. That is not easy for somebody who isn’t well versed in IT management in cyber, but they now have a support structure because they can reach out to our support teams and say, ‘Hey, what is critical software? Where do I find it?’ We can literally point them to a console or log in and they’re already onboarded and they have the report they can put out. That just cements some of the foundational yet critical value that some of these foundational investments are contributing to the enterprise.”
Grabowski said the foundational elements of CDM are knowing who is on your network, knowing what is on your network and knowing there are support services available from CISA, and that these are putting agencies in a much better state to meet the goals around zero trust, the cyber EO and other requirements coming in the near future.
CDM dashboard expanding quickly
Over the years, CISA has focused on creating this foundation that Grabowski refers to.
At the center of this foundation is the CDM dashboard. Grabowski said over the last 18 months, CISA implemented it at least at 15 out of 23 civilian CFO Act agencies, and at least at 48 out of 68 non-CFO Act agencies. He said the goal is to launch the dashboard at all 91 agencies by Sept. 30.
“We’re actually rolling out our fifth update to that platform,” he said. “We have what we call different releases where we build in some additional analytics, different capabilities, and then we upgrade them across enterprise. Our fifth version of that dashboard platform is about to go out here imminently.”
CISA also is launching a new pilot with four agencies – two large and two smaller ones – to automate things like bot reporting and Federal Information Security Management Act reporting to the dashboard.
“We feel that their deployments have reached the maturation stage and they’re suitable now to not have to worry about manual data calls on certain facets of data,” Grabowski said. “They shouldn’t have to ask people to do ad hoc inventory scans or vulnerability scans. They should just be trusting in the system that has been built. That frees up resources to then go focus on more advanced things like zero trust, for example, or OMB memo 21-31, which is event logging that they need to rapidly address threats.”
Automated cyber data calls
Through this pilot, CISA will gather feedback from the automated data calls to make sure the information is accurate and valuable, and then will update the program for, hopefully, a broader rollout across government in 2023 and beyond.
“We can share that institutional knowledge and that value proposition to agencies that may be struggling, especially if it’s a governance issue or if they’re having a hard time explaining to their leadership why asset management is so important,” he said. “This can be something they can take back with our agency colleagues in tow and say, ‘Look, they’ve done it, they love it, it works, it adds value because it adds resources back to the pot.’ That’s something we want to get done by the end of the year.”
The two smaller agencies that are part of the pilot are among the 63 agencies that have signed up for shared services under CDM.
Grabowski said this cloud platform provides capabilities similar to those of the dashboard used by CFO Act agencies.
“We do expect by the end of the year to at least have 50 agencies fully invested and fully deployed on that shared service platform for IT asset management,” he said. “We’ve had one non-CFO Act agency that is signed up for that service, where we talked with them in February, and by April or May, they were already up and running. They had already finished their asset management deployment that already encrypted their datasets into the dashboard. That is how fast that delivery model works, and we’re looking very, very closely at that delivery model that we have for shared services as almost a model for something that we can potentially look at elsewhere across the enterprise in terms of leveraging software-as-a-service, leveraging more and putting more of the burden on us to help with deployments and tuning, creating standards so they don’t have to customize it themselves.”
Whether it’s for small or large agencies, CISA, through CDM, is giving the agencies the power and speed to address vulnerabilities faster and more successfully.
IT asset management reaching maturity
Grabowski said IT asset management is at the center of being able to accomplish these goals.
“IT asset management might be construed as something that’s simple. But it’s not, especially when you consider large agencies. Some of the agencies that we engage with have millions of endpoints, and so to conceptualize how much data that is, it’s incredible. It’s a massive big data problem,” he said. “It’s not something that you can just say, put a date on it and then you’re done. This is a persistent and continuous effort to make the right investments, but also back it up by processes.”
One of CISA’s big efforts this year isn’t just making sure agencies are using the best tools, but doing a program review and baselining where agencies are with IT asset management. He said CISA and OMB have been focused on improving these capabilities for almost a decade.
“We’ve been doing IT asset management for a while so we’re now at the point where we can take a little bit of a breather, take a look at some of the agencies that have been with us for a while and figure out what the current architecture and current state looks like to get them to that homestretch,” Grabowski said. “We’ve built out a lot of work with our systems integrator community, who helps us roll out things of the program, to develop methodologies and what a baselining process looks like for the agency. This involves looking at the tools that they have, where the authoritative sources and data for asset management are, looking at configuration and trying to figure out where agencies are in terms of being 100% or 95% or 35%?”
Huge benefits from knowing your assets
The goal is for CISA to document gaps in the technical architecture and toolsets, and then reemphasize the foundational pieces to get agencies ready to move to the advanced CDM areas.
“It’s a very process intensive thing that we’re embarking on right now and we picked it up this spring. It’ll be very much top of mind for us as we track the progression across all the agencies who have been working on IT asset management for going on five-plus years,” he said. “This is not a zero or one ballgame. You can make significant investments in automation in IT asset management and still glean huge benefits. There isn’t some magical inflection point where if I don’t have 100% coverage and 100% of what exactly I need, I can’t use it. We are actively at CISA using this data for the greater good, to proactively identify risks and to give those pointers to agencies.”
Grabowski added agencies are maturing along the IT asset management spectrum under CDM. This also includes changing the mindset of technology executives.
“The last 12 months had been incredibly busy for agencies, so this is the people part because there just simply aren’t enough cyber experts. Broadly speaking, we are trying to beg, borrow and steal time and resources across our federal civilian workforce and our contractors to meet so many different requirements,” he said. “There’s a lot of things on our stakeholders’ shoulders right now so another challenge that we have to kind of be cognizant of is that there’s only so many hours in a day. CDM is just another priority to them. So we have to make sure that we’re clear about how CDM prioritization helps them meet some of these other mandates.”