The Office of Personnel Management faced a quandary. As one of the first agencies out of the gate under the Continuous Diagnostics and Mitigation (CDM) program, the question officials had to ponder was both simple in the idea, but complicated in the final decision: Does an agency wait until the Homeland Security Department and Booz Allen Hamilton, the contractor which won the task order for Group B, implement the tools and technologies, or does it pay for similar tools for another year on its own?
In the end, Jeff Wagner, OPM’s director of IT security operations, said the agency decided it couldn’t do without these tools even though DHS, through its CDM fund, is paying for similar applications and expects them to be installed by next spring.
“One of the pitfalls, and this is my own personal frustration with CDM, and I don’t like talking bad about CDM because I love it, is timeframe, timing, issuance and getting things moving,” he said during an event on CDM sponsored by 1105 Government Information Group and RedHat.
Wagner said DHS told OPM — and likely the other seven agencies that are first in line — the tools and technologies are coming, but it may take a year to get through all the processes to get them implemented.
“I don’t have a year. I have six weeks,” he said. “Especially in a time like right now, if you jump on CDM, you can either buy this product for a year or not have a solution in place. It’s going to become a risk-based decision. In the instance in which CDM is buying us tools, I made the decision with the CIO that this year I will renew all the tools that I have in place that CDM is supposed to replace, but they will not be in place until March or April. I’m getting all this stuff, but they will not be configured until then. And until then, I still need to patch. I still need vulnerability scanning. I still need compliance scanning. I still need to do some sort of software inventory. It’s going to be one of those roll the dice. Do I buy it this year or don’t I?”
Wagner said DHS and the General Services Administration have been phenomenal in working with agencies to get the tools rolled out, but the reality is it takes time.
“There’s going to be a gray area and there is going to have to be risk and we do call back to DHS and GSA and say ‘Hey look, what are the fine lines we can do, what are the pieces we can do, where can we cut, where can we get you guys to pick up the costs?’” he said. “They work with us on it. In some, they say they can totally do it and in other cases they say it’s not in this phase, and they have rules like everybody else.”
Wagner’s challenges are specific to OPM.
Every chief information security officer and chief information officer as they finalize their fiscal 2017 budget request over the next month must decide how much money they need and where to spend it.
Wagner’s initial budget request his office is putting together for 2017 is $7 million more than OPM said he could have for IT security.
“Like anybody I put in a budget, I’m $7 million over because I have more wishes and some of them like, ‘Yeah, no, not going to happen,’” he said.
One of the long-standing complaints about CDM is the size of the program and how long it takes to go from contract award to full implementation.
And if OPM, with a fairly small cyber budget and modest network, is struggling with these buy-or-wait decisions, imagine what the departments of Veterans Affairs, Transportation and Energy — all of which are in Group B along with OPM — must be going through and how much money they are spending while waiting for DHS and the contractor to get moving.
There may not be an answer to this problem either. DHS and Booz Allen, in this case, can’t just throw more people or money at the problem. Configuring tools on a network takes time to get right, and the larger the agency and the more complex the network, the longer it will take.
Maybe that’s one of the shortcomings of a program like CDM that can’t be avoided. As Wagner said, he’s a huge supporter of DHS and GSA as partners and of the concepts behind CDM, but he knows firsthand that the risk of waiting for new tools is too high, leaving him, like others, having to spend money they hoped they wouldn’t have to in 2016 and beyond.
This post is part of Jason Miller’s Inside the Reporter’s Notebook feature.