When the Department of Homeland Security launched the Continuous Diagnostics and Mitigation program a little over a decade ago, it represented a major shift in how federal agencies managed cyber risks on their networks.
Instead of doing it alone, DHS would provide tools so agencies could “continuously” monitor their networks for assets and risks.
But the CDM program’s initial focus would hardly be considered “operational” today, according to Michael Duffy, the associate director of capacity building at the Cybersecurity and Infrastructure Security Agency.
In its early days, the program helped chief information officers manage IT assets and ensure systems had an authority-to-operate. “At the time, the operational use case for CDM had been primarily limited to how agencies could provide cybersecurity information at some summary level to CISA to kind of showcase and demonstrate progress through metrics,” Duffy said in an interview with Federal News Network.
A little more than 10 years later, CDM has entered a “new era,” Duffy contends in our interview and a recent blog post, using its enhanced visibility across federal networks to quickly detect and address vulnerable technologies.
“It delivers on the program’s founding vision for fixing the worst problems first, and providing that shared visibility, and getting that consistency and communications across agencies,” he said. “But we take it a step further by advancing the operational response, incident response aspects of the program, and getting down to the host level so that we can truly say, living up to ‘America’s cyber defense agency,’ that we’re more than a collection point for cyber information.”
The evolution of the CDM program has been years in the making. The creation of CISA as a standalone agency in 2018 was one key marker. Another was the 2020 SolarWinds campaign and the subsequent cybersecurity executive order that directed a multitude of changes to federal cybersecurity practices, including a stronger role for CISA.
The EO directed agencies to adopt robust endpoint detection and response (EDR) tools so they could detect threats ranging from malware to advanced persistent threats to phishing.
And a subsequent White House directive put CISA at the center of government-wide EDR deployments, empowering the agency to set standards for EDR deployments and conduct threat hunting directly on agency networks. Funding provided under the American Rescue Plan helped CISA expand EDR capabilities across agencies.
CISA has now incorporated its EDR tools and authorities into the CDM program, Duffy said, combining them with the CDM dashboard capabilities to better understand threats to agency networks.
“This new dashboard ecosystem, when fully integrated into an agency’s deployment of endpoint detection and response solutions, becomes a fully operational direct access line to CISA that can facilitate no-notice technical assistance should you need it, or continuous cybersecurity assessments through the CDM dashboard, and through the resources that CISA brings to bear to provide interactive communications,” Duffy said. “That didn’t exist before we had both the authority and the technology to provide EDR solutions to agencies.”
Duffy pointed to two recent cyber incidents as proof that the CDM program is now “operationally focused.” The first is the MOVEit file transfer breach, a global ransomware attack that ensnared the data of hundreds of victims, including some federal agencies.
But Duffy said CISA analysts were able to leverage the CDM federal dashboard to see which agencies might be using the affected software and quickly notify them of the need to patch.
“CISA was able to see where this critical vulnerability was, who was using this particular type of software, and how we could provide some kind of guidance or notification or support to those agencies and provide that awareness to the larger enterprise as a whole,” he said.
While the agency added the MOVEit vulnerability to its catalog of “known exploited vulnerabilities” that must be patched by federal agencies within specified time frames, CISA didn’t issue a separate “emergency directive” as it has for other major security bugs.
It was a potential signal of the agency’s confidence in its visibility into MOVEit software across federal networks and its ability to work with agencies quickly to patch their software, leveraging the vulnerability catalog in concert with the CDM program. That was a factor pointed out by CISA Executive Assistant Director Eric Goldstein during a recent Cybersecurity Advisory Committee meeting.
“We don’t take the decision to issue an emergency directive lightly,” Duffy said. “But even convening all cyber experts across the community, to convene all agencies at once to coordinate specific actions, also impacts resources. So regardless of whether we are directing an action or convening or reprioritizing, those things have a cost. We really are fortunate now to have that level of visibility for prevalence to understand and manage risk as we’re seeing it.”
Now, the majority of agencies have automated their reporting of assets to the CDM federal dashboard. And Duffy said all the large Chief Financial Officer Act agencies are connected to the central dashboard.
In another case in recent weeks, Duffy said the CDM program worked with a federal agency, which he didn’t identify, to conduct threat hunting on that agency’s network and look for signs that bad actors had potentially exploited a vulnerability in an email security gateway.
“Really working shoulder to shoulder with agency staff to hunt for specific activity or understand what might be happening or to just see if it was related to the active exploit,” Duffy said. “It could be nothing, it could be something, and this is why that direct line, that interactive access CISA now has through CDM, is so vital.”
The future of CDM
The Biden administration’s budget request includes $408 million for the CDM program in fiscal 2024. Budget documents show the program plans to continue integrating data into the dashboard environments and to help agencies understand vulnerable assets on their networks.
Duffy said the plan for the program is to continue integrating CDM capabilities into CISA’s broader set of cyber services. He specifically pointed to the need for agencies to better understand their evolving cloud environments, as well as to manage and detect threats to mobile devices.
And the CDM program is also considering how it can help agencies address longstanding challenges with identity management, a central pillar of the federal “zero trust architecture” push.
“I think going back to the basics is almost as important as identifying the new and emerging trends,” Duffy said. “And I think finding a way that CDM can stand in the middle of those two things, find a good balance and pull them together is really our unique position in the federal government and our ability to provide capabilities and support to do that in an effective way.”
And while the program has made strides in ensuring agencies quickly understand and prioritize known vulnerabilities, Duffy said current trends point to malicious cyber activity that’s not necessarily reliant on vulnerabilities.
“We have seen malicious actors finding a way to leverage software and technology for the purposes that they’re designed for, but turning that into something that meets their malicious objectives,” Duffy said.
“It’s something that you can’t get in a vulnerability scanner,” he continued. “This is something that we in the program are exploring, ways that we can monitor TTPs and support agencies in hunting their environments and looking for patterns in logs.”
Duffy said those challenges require CDM to move beyond a sole focus on vulnerability management.
“Thinking about the best way that we can monitor environments and understand what we’re seeing, which in some ways, are not those top-of-mind critical vulnerabilities, but they’re process-based information, they’re behavior focused analysis, so that we can see ways that security operations center analysts can enhance their log management, consider ways to use new tools for host level visibility, and have CISA as a backstop for incident response or threat hunting should they need it at some point in the future.”