Research Report

CDM Rollout Pressured by Increasing Threats

The Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program was first launched several years ago. This was a major factor in the push to strengthen the overall security of government IT. Events of the past year have only increased the pressure for a faster rollout.

There were several sophisticated attacks on government agencies this year, but the most damaging was clearly the one suffered by the Office of Personnel Management (OPM). The agency officially reported it in June 2015. Analysts now suspect, however, that the intrusion may have been present in OPM networks for at least a year prior to that, and perhaps even longer.

By the time all attack assessments were complete, more than 20 million federal employee records were thought to have been compromised. Attacks at the Internal Revenue Service and other agencies also recently exposed hundreds of thousands of records.

Attacks on the Rise

In a recent report on the progress of the Federal Information Security Modernization Act (FISMA), the Office of Management and Budget (OMB) states that despite “unprecedented improvements” in securing federal information resources in FY 2015, greater numbers of attackers still managed to get into government networks and systems. Agencies reported more than 77,000 incidents, representing a 10 percent increase over the previous year.

The OPM attack was suspected to have been launched by a Chinese, state-sponsored hacking group using OPM employee access credentials obtained through a phishing exploit. Part of the CDM program is designed to combat precisely that type of attack, providing agencies with tools to improve access controls. The CDM program was originally expected to deliver those tools to agencies by the end of 2017. Given the nature and extent of the 2015 breaches, though, and the expectation that those types of attacks will only increase in number and severity, this may not be fast enough.

In an April 7 letter to Shaun Donovan, director of the OMB, Sen. Tom Carper (D-Del.), ranking member of the Senate Committee on Homeland Security and Governmental Affairs, says that while federal agencies are under “a constant, yet evolving” threat from cyberattackers, flaws in the federal acquisition process can limit the tools agency defenders can obtain to counter these threats.

In terms of the CDM program, he says, agencies can partner with the Department of Homeland Security (DHS) to deploy cybersecurity tools and services while saving taxpayer dollars by leveraging government-wide buying power and buying in bulk. The program is starting to deliver those tools and services directly to agencies.

The slow pace of the CDM program rollout has been a concern of many people almost from the beginning. In an interview on a comprehensive 2014 report put out by the SANS Institute, John Pescatore, director of emerging security trends at SANS, points out that, from the procurement side, it’s harder than it should be for agencies to buy tools from the CDM program.

“The bottom line is that capabilities are badly needed by government agencies,” he says, “but (the program) is not moving quickly enough.”

DHS Secretary Jeh Johnson, in his final state-of-the-agency speech earlier this year, says the program provided needed sensors to some 97 percent of the civilian agencies during 2015. In 2016, he says, the second phase of the program will focus on providing tools to manage access privileges and device configuration “to 100 percent of the federal civilian government.”