A strong cybersecurity posture often comes down to data quality and organizational culture, which is especially important to keep in mind when participating in CISA’s Continuous Diagnostics & Mitigation (CDM) program.
At an FCW Summit on CDM, officials from the General Services Administration, Small Business Administration and Citizenship and Immigration Services discussed the lessons learned from CDM and highlighted best practices.
Shane Barney, USCIS CISO, said federal agencies need to let data “drive” decision-making and make the CDM program work for them.
“Make sure you approach it that this is just different. It's not like your data centers, it's just not. Your boundaries no longer exist, and that's the big thing with zero trust, is this loss of boundary along the perimeter. Taking that approach is really really important for us,” he said. “We're very heavy into Agile development, so driving a more Agile version of CDM to adapt and change and meet those oncoming risks, that's where we need to start pushing towards.”
Barney said authentication and cultural change are two key elements for making CDM work for federal agencies.
“The importance of authentication, that can't be overstated, that's the most important thing you can get right out of the gate. [If not], you've not just lost the battle, you've lost the entire war,” he said. “Another piece is helping agencies drive that cultural change that has to go with it. During the cloud, it's also a cultural change and how risk plays a role in all of this. CDM relies heavily on tools and tools is not the right discussion.”
Pranjali Desai, CDM program manager at GSA, emphasized the importance of high-quality data when using CDM. Without good data in the system, you don’t get accurate results.
“Without timely and accurate data, making accurate risk-based decisions would be hard to do,” Desai said at the FCW Summit. “The ultimate goal for the agencies should be able to use CDM data for FISMA reporting … and ensure timely mitigation. With the latest iteration of the CDM dashboard, it provides more scalability and the mosaic visualizations. There are local customized visualizations, and I think that's really important for all the security stakeholders and authorizing officials. The rich data available within the CDM dashboard can give us the full authorization picture.”
Taking the time to ensure your organization identifies the right data for the CDM dashboard is also critical to making the most of CDM.
Since SBA collects a lot of sensitive information and personally identifiable information from small businesses, securing that data is a top priority for the agency, said Trafenia Flynn Salzman, a security architect at the agency. But if the agency keeps an incomplete or inaccurate record of that data, it can’t properly protect it.
“To protect, we have to define what data is important and what's not important,” Salzman said at the summit. “We use a lot of automatic capabilities because, due to the recent events and also what we do, we deal with a lot of sensitive data. We want to make sure we classify the data appropriately. CDM allow[s] us to have that visibility we need.”
Barney encouraged federal agencies to make changes to their CDM dashboards so the dashboards fit agency-specific missions as closely as possible.
Federal agencies shouldn’t fear tweaking and adjusting the dashboards to fit their unique needs and requirements, he said, because CDM will provide tools and visualizations that are only as good as the data input.
“In traditional data centers if you have a top secret spill, policy-wise, you destroy everything,” he said. “Amazon or Google or Microsoft, they're not going to be too keen on you coming into their data centers and destroying stuff, they probably won't let you in. So USCIS built a system that does this to take care of a top secret spill. We're still working on some of those solutions around this, we haven't solved the data spill in a data center, that's a different type of challenge. ...I really strongly believe CDM, it's a good thing going forward. There's going to be changes made, it's what it's all about. CDM has got to change to meet that.”