There’s no better time to talk cybersecurity than October, the official National Cybersecurity Awareness month. But when it comes to government security, every month is Continuous Diagnostics and Mitigation (CDM) month.
Launched in 2013, CDM offers commercial, off-the-shelf tools — hardware, software and services — that agencies can access via an approved products list (APL) with the possibility of off-setting funding. The Department of Homeland Security (DHS) runs the CDM program in partnership with the General Services Administration (GSA). The program has been rolled out in four phases to help network administrators achieve near real-time information about the state of their networks.
These phases each have a specific cybersecurity focus:
CDM represents a huge opportunity for agencies to improve their cybersecurity. Through the program agencies can:
- Identify cybersecurity risks on an ongoing basis
- Prioritize those risks based on potential impacts
- Help cybersecurity personnel mitigate the most significant problems first
CDM can also mean IT dollars for your agency—dollars that don’t come out of your IT budget. Agencies that participate in CDM can implement DHS approved solutions and receive off-setting funding.
Despite CDM’s promise and many successes, challenges to adoption remain for federal agencies. One challenge is simply the breadth of the CDM program, which makes it difficult for IT managers to understand how best to implement CDM. For example, there are over 70,000 products listed in the CDM APL – how can an agency decision-maker know which to choose, and how to avoid potential interoperability issues?
Many agencies struggle with the best way to integrate CDM into ongoing cybersecurity and/or modernization initiatives. And then of course there are often resource challenges, both budget and time bound.
CHARTING THE BEST PATH FORWARD
To help agencies leverage CDM Govplace created the CDM Crosswalk process. This process outlines all the requirements for CDM and matches them to specific security issues. Some of these issues will cross over multiple CDM phases. For example, end-point security encompasses elements from both CDM phase 1 and CDM phase 3.
With the requirements clearly linked to specific security needs, the Crosswalk process then identifies specific vendor products and services that Govplace has tested and certified as effective for that security need. Govplace is uniquely suited to make these determinations because as an established VAR, Govplace brings honed experience with commercial off-the-shelf (COTS) products given our direct relationships with multiple Original Equipment Manufacturers (OEMs) and other companies that create security products.
Govplace also maintains an in-house lab testing environment, continually testing and evaluation new technologies. This customer-facing environment allows for orchestrating proofs of concept with our OEM partners to demonstrate specific capabilities and interoperabilities. This is how Govplace understands the strengths and weaknesses of competing products, and how we can recommend which products are most complementary to ensure CDM mission success.
Once the capabilities are matched to security issues and the best product set is identified, all this information flows directly into a Request for Service (RFS). The RFS is the specific process through which tools and training can be delivered through CDM. To secure off-setting funding for the agency, an RFS needs to explain what the agency is trying to accomplish and map that security objective back to CDM requirements. Products and services identified in an RFS must be on the CDM APL to qualify for possible off-setting funding from DHS.
To recap, the CDM Crosswalk guides an agency through the three steps required to improve their cybersecurity through the program:
- Mapping identified security needs to specific CDM requirements
- Suggesting the best vendor/product fit
- Helping agency construct a thorough RFS
Here’s an example of the process at work. An agency client was attempting to implement two-factor authentication that was going to be required to pass a security audit. By using the CDM Crosswalk process, we were able to connect this pressing need with CDM Phase 2 requirements, identify an effective “bolt-on” solution and helped their staff complete an RFS that secured off-setting funding for the agency.
The CDM program continues to evolve. CDM program manager Kevin Cox said this month that 2020 priorities include getting more smaller agencies on the shared CDM platform, incorporating enterprise mobility management data into agency CDM dashboards and establishing a baseline for Agency-wide Adaptive Risk Enumeration (AWARE) scores. Cyber threats keep changing and so does CDM.