The first agency has submitted data to the federal dashboard under the continuous diagnostics and mitigation program, and four others are following closely behind.
Kevin Cox, the CDM program manager for the Homeland Security Department, almost seemed relieved when he announced it at the ACT-IAC Executive Leadership Conference last week.
Cox added that DHS also is working with the non-CFO Act agencies on a shared service dashboard offering. He said they are now trying to get final approval under the authority-to-operate process to go into production.
“That will get non-CFO Act agencies connected up to that shared dashboard and get visibility to the federal dashboard,” Cox said. “As for the agency dashboards, the uptake is still occurring. We are working with the DHS Federal Network Resilience team to set up training and webinars on how best to use the dashboard. We had our first webinar last week and received good feedback.”
He said a number of agencies already have dashboards in place, so DHS is helping those departments integrate the new dashboard with the current processes.
But the real benefit will come as vulnerabilities emerge: DHS’ National Cybersecurity and Communications Integration Center (NCCIC) will be able to run a report on the federal dashboard, see what products and devices agencies have and what might be vulnerable to attack, then work with that agency to get the vulnerability patched.
Without a doubt, it has been a long, hard slog to get CDM to the point where the value is clear — and it’s becoming more effective each month.
Both DHS and the General Services Administration, which acts as the procurement arm of the program, recognized the need to make the program more flexible for agencies and vendors alike.
So the fact that the federal dashboard is up and running, and all departments have their agencywide dashboards pulling data from their networks, can signal the beginning of the end of the old CDM program.
Cox prefers to say that in CDM’s ABCD model, “step A” is done and “step B” should be completed by the end of 2018.
“Phase one … was very basic activities that take a lot of time to get the capabilities in place. We have been working this for about three years,” he said later in the week at the CDM conference, sponsored by FCW in Washington, D.C. “In terms of successes here and helping agencies understand what’s in their environment, we found underreporting across the agencies at about the 70-percent level. In certain agencies — maybe not intentionally, because they weren’t aware of everything in their environment — the underreporting was up around the 200-percent mark. That in itself was a key win for the program, but what we really want to get to is to give agencies day-after-day visibility into their networks so they can ensure they are patching well, they have overall good cyber hygiene and we can better manage the risk.”
Cox said the “C” and “D” layers will add more value to the agencywide and federal dashboards.
“Under the C layer, agencies will get object-level data, so they can run reports and understand and prioritize what needs attention first,” he said. “Under the D layer, the federal dashboard, as we get into phase 3 of CDM, we can understand where incidents are happening across the government.”
Phase 3 of CDM comes under the DEFEND task order, which is where GSA and DHS shift away from the old way of managing the program, using a blanket purchase agreement, and begin the agile, flexible approach where GSA’s Alliant governmentwide acquisition contract and the schedules program add necessary flexibility.
GSA released the first task order for DEFEND under the Alliant governmentwide acquisition contract in August, and an award is expected later this fall.
Cox said GSA will release other task orders under DEFEND over the coming months for each group of agencies. The goal is to make one award for each of the five major agency groups, where the systems integrator and its team have five to six years to further implement cyber protections.
The phase 3 task orders will be cost-plus-award-fee type contracts focusing on adding cyber protections to areas such as cloud, mobile device, applications and network awareness.
Cox said GSA and DHS will continue to develop the requirements around phase 4 of CDM.
“We are still working to fully scope this out, but we think we want to start with a proof of concept for areas like data loss prevention and data rights management. Our intent is to start with high-value assets,” he said. “We also will look at architecture changes, like micro-segmentation, to shrink environments that adversaries could have access to if they get in. The goal is to stop them from hopping to other networks. We will continue to work with industry and the agencies to develop our phase 4 approach.”