Continuous Diagnostics and Mitigation, fondly referred to as CDM, is a familiar term for federal agency security teams and leadership. The original intent of the CDM Program was to help federal agencies improve their security posture, providing technical capabilities to minimize cybersecurity risk. In practice, however, the focus has shifted more towards simply collecting and reporting security-related data from the agencies to DHS. The intended security outcomes, therefore, have yet to be realized. The bottom line: there is way more value to be gained from this program, for both DHS and the primary stakeholders, the agencies themselves!
A Quick Trip Down Memory Lane
The CDM Program originated about 10 years ago, when DHS first assumed the primary responsibilities for government-wide and agency-specific cybersecurity. The publication of OMB Memo 10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS), officially solidified this new mission for DHS. DHS immediately revamped FISMA reporting from static, policy-related metrics to more technical metrics around a key set of technical capabilities that, once implemented, would greatly improve agency defensive postures. They built a semi-automated reporting capability called CyberScope to collect data feeds from these technical capabilities in an attempt to minimize inaccurate and costly manual reporting. The concept was that in order to provide these data feeds, agencies would have to implement the required capabilities, which would greatly improve their operational security posture.
CDM is Born
In an effort to assist agencies and address challenges they were having implementing these new technical capabilities, the White House Cybersecurity Coordinator and DHS held a series of data-driven review meetings with agency CIOs and CISOs, which federal agencies dubbed “CyberStats.” These White House meetings produced a key, though not surprising, finding as to why agency CISOs were not adopting the new technologies: lack of funding. Armed with this information, the White House cybersecurity leaders sought and found a significant amount of funding that they made available to accelerate agency progress. The funding would create a new DHS program to centrally assist agencies with improving their cybersecurity posture and ultimately achieving continuous monitoring of key technical capabilities. This was the beginning of the multi-billion dollar CDM Program.
Fast forward to today. Progress has been made, but there is much more to be done towards achieving CDM’s goals. Per a recent GAO report, agencies have yet to successfully implement all key CDM program requirements. There have also been prevalent and ongoing issues with the CDM dashboards, delaying reporting and providing very little value towards enabling agencies to mitigate the risk uncovered by the technologies deployed. On the plus side, Splunk was selected independently by each of the CMaaS providers and deployed as the integration layer for CDM. Various other tools have been purchased and deployed, but it isn’t clear whether agencies are getting any real benefit.
Are CDM capabilities enabling agencies to drive down high-severity vulnerabilities and reduce misconfiguration? Are they monitoring privileged user activity, credential use, and privilege escalations? The hyper-focus on reporting data to DHS appears to have overshadowed the original goal of enabling agencies to improve their security posture. Agencies should be the primary beneficiaries of CDM, but instead, they have seen very little value to date. That doesn’t mean the program is a waste, however. Success is more possible than ever.
Realizing Agency Value from CDM
The best way for agencies to derive value from CDM is by adding agency-specific capabilities to their existing CDM Splunk infrastructure that actually enable their CDM and compliance personnel to act on the data and perform the full set of risk mitigation and even compliance-related activities. This would be a huge and immediate win for both DHS and the agencies.
Using commercial off-the-shelf (COTS) solutions like Qmulos’ Q-Compliance and Q-Audit, agencies can make CDM and other data sources work for them to fully support agency risk mitigation and compliance activities. As an additional benefit, since CDM requires a subset of the data you already need to meet your mandates around FISMA/RMF, agencies can automate both compliance processes simultaneously. With Q-Compliance, security leaders can quickly organize all of their data by internal organization and FISMA system boundaries, apply pre-built analytics, and get right to work on mitigating actual risks. Users can view AWARE scores and drill down into specific assets to start fixing the riskiest assets first. Q-Compliance users can also view scores by individual NIST controls and similarly drill down and take action to mitigate identified risks.
By leveraging the CDM infrastructure and adding a COTS solution like Qmulos, agencies gain control over their AWARE scores and simultaneously automate RMF tasks to quickly achieve ongoing assessment, ongoing authorization, and continuous monitoring for all FISMA systems in a very short time frame. Organizations can build their own solutions or visit Qmulos, who already did the heavy lifting to provide fully supported, off-the-shelf solutions with all of the pre-built dashboards, analytics, and workflow features needed to realize this value in short order.