As the Cybersecurity and Infrastructure Security Agency revamps its flagship federal cybersecurity programs, industry experts say CISA should focus on bolstering threat hunting across agency networks and on increasing visibility into unmanaged devices.
Meanwhile, it’s also building on the Continuous Diagnostics and Mitigation (CDM) program that provides agencies with cybersecurity tools, capabilities and services to find and address vulnerabilities across federal networks.
Members of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection are paying close attention to the progress of those programs as CISA updates them.
“The direction CISA takes these programs, and to what extent they are administered as true shared services with CISA covering continued costs, will dictate CISA’s posture toward other federal agencies moving forward,” Subcommittee Chairman Andrew Garbarino (R-N.Y.) said during a Sept. 19 hearing.
“Whether CISA acts as a service provider or an advisor toward other agencies is a fundamental question, and Congress and CISA must both be consistent in how they approach it, across CISA’s many missions and programs,” Garbarino added.
CISA offers an expanding list of shared cyber services to agencies. CISA provides CDM as a shared service to eligible non-Chief Financial Officers Act agencies, providing those smaller agencies with cloud-based tools and services at no cost. Larger agencies, meanwhile, must pay for the services provided under CDM.
Stephen Zakowicz, vice president of CGI Federal, said while CDM’s shared services model works for smaller agencies, some of the largest federal agencies may have more unique needs that aren’t covered by CDM. CGI Federal is one of the major system integrators on the CDM contract.
“That model is not going to work for the largest, most complex, federated agencies out there,” Zakowicz said. “They’re going to have a unique requirements that won’t necessarily allow them to take on a shared services approach.”
However, Zakowicz suggested there are those beyond the non-CFO Act agencies that could take advantage of an expanded shared services model for CDM.
“There are a lot of agencies that currently don’t qualify for the shared services program that could take advantage of those and that would allow centralized funding, it would allow reduction in total operating costs due to the purchasing power of that shared services platform, and could ultimately provide some additional benefit,” he said.
Meanwhile, the Government Accountability Office recently reported that CISA cannot test the CDM tools it deploys on agency networks without permission, limiting the cyber agency’s ability to determine whether the program’s tools and services are working.
Congress in the Fiscal 2021 National Defense Authorization Act granted CISA the ability to conduct threat hunting on agency networks. Zakowicz said Congress could help by codifying CISA’s ability to hunt for, detect and respond to threats on agency networks through Endpoint Detection and Response tools recently added to the CDM program.
“I do think continuing to take a look at how actively they are able to engage with agency networks, agency environments, will be worthwhile to understand if that gives them the authorities indeed,” he said.
Brian Gumbel, president of cybersecurity firm Armis, recommended CISA look to expand CDM to monitor a much broader range of technologies, including Internet of Things devices and operational technology.
“Right now you have some groups that you have just visibility into OT or IT, you have some that are focused just on IoT,” Gumbel said. “There needs to be convergence of leadership across all federal agencies so that there’s a holistic view of what’s being managed and what’s being unmanaged.”
Meanwhile, CISA has requested approximately $425 million in fiscal 2024 to launch the new CADS program. Budget documents describe it as “a robust and scalable analytic environment capable of integrating mission visibility data sets and providing visualization tools and advanced analytic capabilities to CISA cyber operators.”
Rob Sheldon, director of public policy and strategy at Crowdstrike, suggested CISA conduct a “stress test” of the new system, once possible, to see whether it can manage major volumes of data.
“How much data we need to be able to process in that environment? Would it be able to handle twice that? And then would it be able to handle twice that again?” Sheldon said. “And doing some sort of stress test would position them well to understand whether they’re developing architectures that can scale to the level that they will.”