SBA’s CDM approach demonstrates the power of cost negotiation

The Small Business Administration has been an innovator when it comes to continuous diagnostics and mitigation (CDM). Over the past few years, the agency has implemented CDM by migrating programs to the cloud and noticed some surprising cybersecurity possibilities in the process.

Guy Cavallo, SBA deputy chief information officer, said a previous Trusted Internet Connections (TIC) pilot project, with the Department of Homeland Security and the Office of Management and Budget, led SBA to ask to conduct a pilot on CDM.

Guy Cavallo, deputy chief information officer at the Small Business Administration.

“The amount of logging data that we’re collecting, and the ability of artificial intelligence to then go through those millions of records of logs to find vulnerabilities and attacks – we said, ‘Let’s see if we can work towards meeting the objectives of the CDM program, but not use the on-premise architecture and products for it,” he said on Federal Monthly Insights – CDM Month. “And then everybody assumed that that meant that we would do something different between on-premise and the cloud.”

Instead, Cavallo said SBA sent everything to the cloud – multiple, as he said he knows of no agencies using only one cloud – including everything on-premise, for greater use of AI.

When Cavallo and CIO Maria Roat joined SBA, at the start of a new fiscal year, he said, there was no budget for cloud. The initiatives and architecture had to be self-funded. So Cavallo and Roat negotiated with their chief financial officer that, if they saved contracts from on-premise locations by turning them off, they could reinvest those funds without additional allocations.

“We knew what the capabilities were, and we had the faith in it. We also had to come up with a way to pay for it without having to wait a whole fiscal year to try to get money,” Cavallo said on Federal Drive with Tom Temin.

The initial cloud effort was by turning things off on-premise, such as hardware maintenance contracts for servers that were migrating to the cloud, and backup software for those servers. Cavallo said the CIO’s office had inherited 38 security tools any of which, upon further investigation, were somewhat niche and could not provide, as he said, “the enterprise views.” So many were turned off.

“And then once we were in the cloud, the cybersecurity capabilities just kept taking off every week” he said. “We saw enhancements and that just reinforced that we were headed on the right path.”

But once in the cloud, SBA needed to justify to DHS and OMB that the outcomes were the same. That took a while to negotiate, Cavallo said. Ideally an agency would be able to dictate an architecture and a set of tools. He said SBA was committed to the CDM objectives all the way from hardware asset management to configuration management and managing accounts.

“One problem with the on-premise architecture is the amount of data that every device generates. We’re collecting data from every laptop, every tablet, every server, every virtual machine, every router, every cloud that we’re in and tying those clouds together,” Cavallo said. “It’s just a tremendous amount of data that would require an expensive hardware on-premise to deal with. And we’d constantly be buying more disk space, where, with the cloud, we’re able to just keep expanding our usage and pay a fraction of the cost of owning the hardware ourselves.”