Why CDM is an opportunity for improvement
- By Chris Townsend
- Mar 15, 2019
This past summer, Rep. John Ratcliffe (R-Texas) introduced a bill that called for, among many things, “regular improvement” to the Department of Homeland Security’s Continuous Diagnostics and Mitigation program.
More than anything, the bill aimed to ensure that the CDM program tapped into the best available commercial capabilities and empowered federal agencies to make the necessary technology advancements to keep networks secure. As cyber threats continue to evolve, agencies' need to consistently improve network security will only increase as well.
"Our goal with this new legislation is to help boost the long-term success of the CDM program by ensuring it keeps pace with the cutting-edge capabilities in the private sector," Ratcliffe said when the bill was first introduced in July. "We're also safeguarding agencies from getting stuck with technologies that will soon become outdated or unsupported by their vendors."
Ratcliffe’s bill was approved in the House and sent to a Senate committee, but got no further in the last Congress. Whatever the future of bill, it has reignited the conversation around CDM and what the program ultimately needs to be a success.
The future needs of CDM
Created in 2012, CDM gives federal agencies a roadmap to improve network security. During the first years of the program, CDM focused on getting agencies to manage data in four phases: determining what is on the network, who is on the network, what is happening on the network and how is data being used.
As the program matured, the talk of phases decreased, and a focus on capabilities is now taking shape. This is an important distinction that goes beyond semantics. It allowed the CDM program office to “bucketize” technologies and focus on areas of cyber that meet the targeted areas for each agency. It also offered agencies the ability to identify areas of immediate need.
As agencies continue to improve performance within the CDM structure, they must remember that the program was intended solely as a baseline. It should not be treated as a stand-alone solution to the cyber challenge, but as part of the foundation of a broader security strategy.
A defense-in-depth approach
As federal agencies meet CDM goals, they can use the program as a springboard to improve their overall cyber functionality. For many, that will include a defense-in-depth approach where they build their security architecture into a cohesive system structured around network and data visibility.
Many agencies built their networks with a piecemeal approach, at least when it came to cybersecurity. As new threats emerged, different technologies were added to mitigate that specific problem. This approach led to a mix of legacy systems unable to properly communicate with one another, creating visibility silos that hackers could exploit. While necessary at the time, the process made it nearly impossible for agencies to answer some of the simple questions CDM asked: knowing who is on the network and what they are doing.
CDM can serve as the driver for agencies to implement an integrated cyber defense strategy that helps solve this integration complexity, which includes multiple data structures, data control challenges and complex workflows. A defense-in-depth approach streamlines the security process, helping agencies monitor data during every stage of its lifecycle -- from the time data is collected, to when it is accessed, transferred, stored, shared or discarded.
Part of Ratcliffe’s bill called for making federal agencies legally responsible for meeting the goals of CDM. While this may seem an added challenge, it could be a blessing. The bill included additional funding language that would help agencies pay to fill in some of the gaps in their cyber security strategy.
The CDM program offers an opportunity. Federal agencies should not view it as another mandate to meet, but as a chance to make larger changes for the greater good. Agencies should know what is on their network, who is on their network, and what those people are doing. CDM can help agencies refine those practices, but a full integrated strategy is critical to ensure the most protected environment.
The future of Ratcliffe’s bill is undecided. It could return this Congress and be signed into law, or it could become a lesser priority in an ever-changing federal technology environment. Regardless of what happens, agencies will want to follow the message it sent: CDM has unique value, and agencies should invest in the technology to support its goals.