Recent high-profile breaches, such as the SolarWinds attack, and pandemic-driven virtual network expansions have pushed the federal government to build a stronger cybersecurity infrastructure. To keep up with advancing technologies, agencies need to detect security risks faster than ever before.
One solution to this is the Continuous Diagnostics and Mitigation program, which ultimately aims to detect threats at near-network speeds. Operated under the Cybersecurity and Infrastructure Security Agency (CISA), the CDM program is designed to help agencies monitor their IT systems, identify cybersecurity threats and measure the relative risk of those threats.
CDM is among the government’s major investments in cybersecurity. According to the Department of Homeland Security’s Office of Inspector General, the agency spent more than $180 million on CDM developments between 2013 and 2020. It estimates that spending could reach $10.9 million through 2031.
The CDM program relies on tools and sensors that monitor an agency’s system and relay that data to an automated, continuously updated dashboard. Each agency will have access to its own CDM dashboard, which in turn will send summary information to a federal dashboard that the DHS will use to assess the government’s overall security posture.
CDM monitoring covers four core capabilities: asset management, user identity and access management, network security management and data protection management.
There were initial challenges going into CDM, as many agencies didn’t have comprehensive hardware asset inventories, let alone system monitoring.
“It starts with understanding the environment,” said National Geospatial-Intelligence Agency Deputy Chief Technology Officer Chris Johnson at FCW’s Nov. 4 CDM Summit. “You can't contain a threat on a machine that you don't know exists, right? And once you get that machine identified, making sure that it's sending the appropriate data to your monitoring platforms is critically important.”
Johnson explained that, on average, it takes about three months to detect and contain a cybersecurity breach — whereas it takes a sophisticated adversary only 60 minutes to break out and access the broader network. CDM aims to bridge that gap, but it will require a strong data management strategy.
“You have 60 minutes for that initial breach time to identify the fact that you've been compromised and then contain that threat, or they can pivot and move laterally anywhere in your environment,” Johnson said. “So, three months to less than 60 minutes, right? That's the goal, that's the challenge — and we can't do that without good data.”
Improved threat detection will also aid officials in making risk-informed decisions. Agencies will be able to prioritize their mitigation and remediation efforts more effectively, resulting in a more secure system.
Another major goal of the program is to promote agencies' awareness of how their security systems are performing. To accomplish this, dashboards will report mitigation efforts in addition to risks and threats. Using data collected by CDM monitoring tools, the dashboard will calculate an “agency-wide adaptive risk enumeration” score. Each agency will receive this AWARE score, which assesses how its security posture compares to federal benchmarks.
Another benefit of the CDM program is that it has the potential to help relieve agencies’ reporting burdens. When properly implemented, the program can help agencies use the CDM data to inform the annual reports they’re required to file in compliance with the Federal Information Security Management Act (FISMA).
The Push for CDM
The federal establishment of CDM began in 2012, when the Office of Management and Budget identified the continuous monitoring of federal IT networks as a cross-agency priority goal, in accordance with the Government Performance and Results Modernization Act. From there, DHS established the CDM program to support federal departments and agencies in meeting the goal.
In 2013, DHS and the General Services Administration announced a five-year, $6 billion blanket purchase agreement for Continuous-Monitoring-as-a-Service (CMaaS) to deliver diagnostic sensors, tools and dashboards to agencies. Despite this financial commitment, the implementation of CDM was slow going until a White House executive order kicked the process into high gear earlier this year.
Plus, with the coronavirus pandemic and recent high-profile breaches, agencies are taking a hard look at their system security to adapt networks for a more diffuse workforce.
“The pandemic and the move to remote work has increased the attack surface, and it absolutely increased the utilization of cloud,” said Director of IT Security in GSA’s Federal Acquisition Service Lawrence Hale at the CDM summit.
The biggest push for enhanced cybersecurity came this past May, when President Joe Biden issued an Executive Order on Improving the Nation’s Cybersecurity. The order stipulated that, within 75 days, federal agencies were required to establish or update their Memoranda of Agreement with CISA and join the CDM program.
OMB’s Oct. 29 deadline for dashboard deployment has lapsed, as challenges around available resources and infrastructure set CISA back. The agency will be deploying the remaining dashboards over the next calendar year.
“The first obstacle is agency resources,” said CISA CDM Dashboard Project Manager Judy Baltensperger at the summit. “We and all of the agencies have received a ton of guidance through cyber executive orders, OMB mandates and data calls. We realize everyone is seeing those all at the same time, so the few resources that are available are stretched very thin. … The second challenge we had was probably infrastructure. Several of those agencies had initially chosen to do on-premises environments and they were not prepared to do [dashboard] deployments in the cloud.”
As of Nov. 4, Baltensperger reported that 56 agencies were operating on the newest dashboard release. CISA’s current objective is to deploy the dashboard to 102 agencies, and she estimated that they were on target to hit 95% of that goal.
Zero Trust and Endpoint Detection and Response
The CDM program and the basic objective it is based on — continuous monitoring — align with what the federal government has identified as one of its guiding cybersecurity philosophies: zero trust.
Last June, CISA released a Zero Trust Maturity Model draft that identified five pillars of zero trust approaches. At the summit, CISA Branch Chief for Strategic Technology Martin Stanley explained that CDM can help agencies establish a zero trust framework.
“I think, if you look closely at those [zero trust pillars] — from identity to data to network, across the entire spectrum — it's clear the alignment with the CDM tools and capabilities,” Stanley said.
Beyond comprehensive monitoring, the CDM program ultimately aims to enable cyber threat remediation. Consequently, CDM is frequently discussed alongside endpoint detection and response platforms.
Endpoint detection and response solutions are packaged within the CDM program, which monitors physical assets and more, but the White House’s executive order instructed Federal Civilian Executive Branch agencies to bolster their own endpoint detection and response capabilities while CDM is still being implemented.
While CDM implementation is underway, OMB has issued hard deadlines to CISA and federal agencies for expanding their current endpoint detection and response capabilities.
OMB’s Oct. 8 memorandum gave CISA a 90-day deadline to develop a way to monitor the performance of agencies’ current endpoint detection and response systems and, in collaboration with the Chief Information Officers Council, make recommendations for accelerating their implementation across government. CISA also has 90 days to publish a “technical reference architecture and maturity model for agency consumption” and 180 days to develop a best-practices playbook for endpoint detection and response. Agencies were given a 120-day deadline to analyze the effectiveness of these systems and identify any gaps.