Rep. Will Hurd (R-Texas) is one of the few members of Congress who actually gets technology. Unlike most, he understands the internet is not a series of tubes.
Hurd, the chairman of the Oversight and Government Reform Subcommittee on IT, said delays in implementing the continuous diagnostics and mitigation (CDM) program is just about installing software into an agency’s systems, so any delays are both unnecessary and unacceptable.
Insight by ServiceNow: IT practitioners provide insight into the low-code, no-code surge that is democratizing transformation in this exclusive executive briefing.
Hurd said he puts the onus on the agencies to make it happen.
“This is absolutely on the agencies side. DHS is doing everything they can to have this resource. When you have an agency partner that has the capabilities and manpower to do it, it’s being implemented. My concern is that in so many agencies you don’t have people that are even capable of handling the basic tools from CDM, which are basic tools in any industry,” Hurd said in an interview during a break in the March 20 hearing on CDM with the House Homeland Security Committee. “That is what I get frustrated with. The first two-years of the program are of no cost to the agency, so this is about implementation. You are running a piece of software, and asking questions of the software and responding to alerts. This is not something that takes and requires a significant amount of manpower, so there is no justification for an agency not to introduce this into their network because you have the funding for the first two years sorted out.”
But Hurd’s comments got me thinking: Is the Homeland Security Department’s signature cybersecurity program really just a software problem? Is Hurd just simplifying what it takes to implement CDM or are agencies making it more complicated than it needs to be?
I checked in with some vendors to get their perspectives on Hurd’s comments.
Pete Morrison, the senior director of sales for security solutions for the U.S. public sector and Canada for CA Technologies, said any large program such as CDM will have its challenges.
“DHS is trying to educate the agencies on how this funding can provide real improvements to the security posture of the departments. Security is complex and DHS may not have anticipated the level of education and training it would have to provide for agency personnel to expeditiously roll out this program,” Morrison said in an email to Federal News Radio. “Cabinet level agencies, especially those with multiple sub-agencies, are not used to working on enterprisewide programs. These agencies will need to manage through that process, which includes competing priorities as well as concerns around out-year maintenance and support of the solutions. DHS can help provide some guidance around how an agency can fund and support the program after the initial two years. This is what has caused delays. More clarity around all of this will help.”
Niels Jensen, a senior vice president of Americas for ForeScout Technologies, said doing the basics around cyber hygiene at the scale of the government creates challenges that were unheard of previously.
“Where Kevin Cox, CDM program manager, originally cited 44 percent of devices found by the program were unknown or unclassified, that number has climbed to 75 percent according to his testimony. By focusing on the (sometimes painful) hygiene of Phase 1, DHS is adhering to best practices established by NIST (800-53) and reinforced by industry best practices (SANS CIS Critical Security Controls),” he said. “The number of unsecured, unmanaged or invisible devices is growing and making it more difficult for departments and agencies to keep pace since an increasing majority of these devices cannot support management and security agents.”
Rep. John Ratcliffe (R-Texas), chairman on the Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, said it’s clear CDM isn’t moving as fast as anyone would like but he’s not displeased with the program.
“This is the quintessential problem of matching government bureaucracy with improving technology and trying to match those up to use those in a cost effective and efficient way. I think it’s a struggle that’s probably going to continue,” he said. “That’s why you have hearings like this to bring urgency and focus to that and hopefully change the dynamics of that equation.”
So it seems Hurd is simplifying the challenges around CDM. It’s not “just a software implementation problem.”
But Hurd’s other points about having the people who are trained and capable to implement CDM as well as top leadership support seem to be the real gauge of success.
The Office of Personnel Management is the perfect example. After the massive data breach in 2015, OPM became the first agency to implement phase 1 of CDM, and will complete phase 2 this summer.
“For OPM, this has meant gaining greater insights into our connection points within our network. In addition, OPM has made use of CDM technologies to identify and strategically resolve potential vulnerabilities, which has resulted in better overall risk management and response,” said David Garcia, OPM’s CIO at the hearing. “The use of CDM has set the stage for OPM to move into a continuous monitoring approach that enhances OPM’s ability to manage its systems and continually to evolve its systems security in real time.”
OPM not only received the funding, but brought in leaders with strong cyber and program management skills such as Chord Chase and Lisa Schlosser.
On the other end of the spectrum is the Energy Department. Max Everett, Energy’s CIO since July 2017, said his agency is behind in implementing CDM because they focused on only a smart part of the department.
“We’ve gone back at the direction of our secretary and deputy secretary, we are looking to cover all of phase 1 and phase 2 for the entire department,” he said. “A number of areas in our department have CDM capabilities, meaning they’ve got tools that do those capabilities that we talk about in the phases, and they may or may not be necessarily be the tools that are part of those procurements. Our role right now is filling all of those gaps and my goal over time is to sunset some of those existing tools, as we can, but integrate all the data in our dashboard that goes back to DHS.”
Everett said they have figured out the cost to fill those gaps and the cost of sustainment, which is about $8 million a year.
“I’m making sure in our out-year budget, we pay for that as a department, because it’s a departmental tool,” he said.
Energy struggled because previous CIOs didn’t have the leadership support, and possibly the internal skillets, to bring CDM to the national labs and other offices.
Cox, the CDM program manager, told the committees that despite the challenges, the program continues to make significant progress.
He said 90-to-95 percent of all federal assets will be going through the CDM governmentwide dashboard by the end of April. As of mid-March, Cox said about 25 percent of all federal assets were reporting to DHS’s dashboard.
Cox said DHS is working with the Office of Management and Budget to update the CDM memo from November 2013. He didn’t offer any details on what the update would include.
Additionally, Cox said his office is working the DHS’s Federal Network Resilience office on how to phases 3 and 4 can work in parallel with phase 4 pilots starting this summer. Phase 4 of CDM is focused on protecting the data on the network.
And finally, Cox said DHS is working with the Defense Department, including a meeting in late March, to discuss the concept of implementing a new approach called “comply-to-connect.”
“We want to look across government to see how software-defined networking and zero trust networks could work with comply-to-connect,” Cox said. “We are building that partnership up so we can share back and forth best practices and lessons learned with DoD.”
Ratcliffe said he was pleased with the optimism CDM is bringing to the government.
“The next major step is legislation. That’s why we are having multiple hearings on this issue,” he said. “The plan is to discuss this and the subcommittee staff and team will look together toward looking at legislation that will help with some of the issues.”