The decision by the Office of Management and Budget to give agencies more flexibility in how they meet the requirements of the continuous diagnostics and mitigation (CDM) program may be seen by some as a much needed change to a program that has been slow and, at times, frustrating.
But if you’re Kevin Cox, the CDM program manager at the Homeland Security Department, your glass is more than just half full. It’s a chalice full of hope and possibilities.
Cox sees the bright future for CDM in new ways from security operations-as-a-service (SOCaaS) to shared services for small and micro agencies to ensuring agencies are a part of the continuous improvement cycle because cybersecurity is never done.
Most of all Cox is a pragmatist about the program because agency needs change, vendors’ ability to provide new tools and services ebb and flow with emerging technologies and just because there was a plan three or five years ago, he knows approaches always can be improved.
“One of the things that we as a program really want to get our focused shifted to is the idea of the requirements for the program rather than coming out with specific solutions. We want to know first and foremost what those requirements are, and then we want to make sure we are working with the agencies to understand what those requirements are and in the long run meet those requirements,” Cox said on Ask the CIO. “We worked with OMB to really keep it requirements focused, and ultimately benefit the agencies so they had a memo to take to their components and offices and say, ‘we all need this at the agency level, at the federal level to understand what our enterprise looks like from a cyber perspective.’”
The CDM program, once again, stepped into its next evolution with OMB’s fiscal 2019 Federal Information Security Management Act (FISMA) guidance that opened the door for agencies to acquire tools and services outside the initiative’s bounds or use existing cybersecurity software that meets the program’s requirements.
CDM is not focused on a particular solution
Cox said DHS has heard regularly from agencies about the time it took to deploy tools as well as the question about why they should replace existing tools that were working and meeting the requirements of CDM.
“We don’t want to have the perception that we are focused on a particular solution. We want to make sure the requirements remain the focus and if an agency can show those requirements, then we will take the data from that system to meet the requirement,” he said. “At times there was a perception that CDM was coming in to rip and replace entire solutions that were working. We don’t want that to be the case. A key for the CDM program is the partnership not only with the agencies but also the integrators to get the right solutions for the agency and make sure everything interfaces for communication purposes, and the agency gets the visibility they need and federal leadership gets the visibility they need to ensure the federal enterprise is secure.”
To DHS and the General Services Administration’s credit—a lot of it goes to Jim Piche, GSA’s Federal Acquisition Service’s homeland sector director for FedSIM—for recognizing the need to change CDM. While it’s been far from perfect and it is a fair criticism that it took GSA and DHS too long to move off the initial approach, the agency partners along with OMB recognized the need for this latest change more quickly. Along with the new acquisition approach of awarding long-term, services-based contracts, the focus on requirements rather than specific solutions seem to be coming at the right time.
DHS is starting to face a backlog of requests for additional CDM-related capabilities.
Greg Decker, a principal with Booz Allen Hamilton and who is the chief engineer for the CDM program, said at the recent Symantec Government Symposium with DHS and GSA awarding more than $3.2 billion in cyber contracts over the last year, the competition for expertise is strong as is the demand for services from agencies.
“The DEFEND contractors are completing Phases 1 and 2, filling gaps for Phase 1 and finishing Phase 2,” Decker said. “That will give agency leadership a complete view of the enterprise through the dashboard and begin to transform the sensors to integrate with the governmentwide and agencywide dashboards. We also are seeing agencies incorporating more threat intelligence especially around their high-value assets into the dashboard.”
Cox said DHS is starting to see a bottleneck in terms of the number of staff they can put toward it. He said he has been working with DHS leadership to hire as many as 30 more employees in the coming months.
Part of the reason for the bottleneck of requirements is a change in how DHS and agencies determine the next set of capabilities.
“We need to make sure the agencies and DHS are defining the requirements before we go to the integrator and have them come back with a proposal. What we don’t want to do is say ‘integrator, define our requirements for us.’ What gets delivered may not be what we really need. It’s something that we’ve really worked to introduce discipline within our own program as well our interactions with agencies. That’s why we can’t say Booz Allen, CACI or whomever, come up with something new,” Cox said. “In terms of timing around the backlog, a lot of it is just volume right now. We’ve got all the DEFEND task orders in place so all the agencies are coming to us with ideas for requests for services and we have our own RFSes so that’s why we are starting to see a backlog. But I think overall we have good management on it. It’s not like we have a tremendous backlog, we just have some slow down.”
Cox and DHS, and GSA should be recognized for the ability to change and evolve as too many times agency programs believe the risks are too great and the rewards are not worthwhile enough to change, and that’s why we see failed technology programs that waste millions of dollars.