CISA’s signature federal cyber program warrants more than a passing anniversary nod

The Continuous Diagnostics and Mitigation (CDM) program celebrated its 10th anniversary last month. And what a long and strange journey it has been!

As government agencies move toward Zero Trust and continue to face evolving cyber threats, it’s clear that CDM is gaining traction.

Today, the Cybersecurity and Infrastructure Security Agency is positioning the program to deliver the level of visibility and proactive response that CDM’s original architects dreamed of in 2012.

“The CDM was built on the continuous oversight mandated under the Federal Information Security Management Act of 2002 (FISMA). Continuous oversight was important. People talked about it. They did, but they did it in different ways across the private sector, and they did it with very little automation, and certainly no central visibility, within a component or element,” said Betsy Kulick, Deputy Program Manager for the CDM, at the recent FCW CDM summit. “Most people used to do a manual inventory at the end of the year and rely on spreadsheets to get the big picture in time. In terms of accuracy it couldn’t be better. We did it, we were funded in 2012 and our first efforts around device management primarily tried to standardize continuous monitoring. But in the end, we looked through NIST’s (National Institute of Standards and Technology) Special Publication 800-53 controls to automate it, providing a far more secure way of securing federal private networks. We knew this was an ambitious program and we had been working on it for 10 years.”

And ten years later, the CDM program, warts and all, is widely regarded as a success.

The Department of Homeland Security started the program in 2012 with awards to 17 companies worth $6 billion.

The idea was borrowed from the State Department, which had set up a system to continuously monitor and alert on hardware and software vulnerabilities.

DHS updated the program in 2017. The current approach focuses on using system integrators to help groups of agencies with similar needs or similar locations implement approved products to fill specific cyber gaps.

Since 2017, agencies have received a suite of tools and capabilities at no cost to increase network visibility through asset, identity, data security, and network protection management tools. CISA also provides both agency-level dashboards and dashboards that feed data into CISA’s holistic, governmentwide view. It also helps small agencies with a shared services platform.

Strong support from Congress

The CDM decade has not been a smooth one. Industry protested the task order. Agencies have expressed frustration on several occasions about delays in obtaining critical toolsets. DHS faced bureaucratic, regulatory and legislative hurdles that needed to be resolved. And then there’s the ever-present aspect of cultural change: trusting CISA to help, not judge, the cybersecurity efforts of individual agencies.

However, despite a decade of challenges, CDM has consistently gained support from multiple government agencies and Congresses.

Congress is unusually supportive of CDM and, more broadly, of CISA when it comes to federal cyber networks. Since 2012, DHS has received more than $2.36 billion for CDM in particular. This included a significant portion of the $650 million CISA received from the American Rescue Plan Act. CISA hopes to receive another $4 billion by 2033 to continue executing and evolving the program.

Source: CISA 2021 Report to Congress.

So what did all that money get?

CISA says the foundation for a more proactive cyber defense is being laid.

Deputy CDM Program Manager Richard Grabowski said agencies are seeing real value in some of the work CISA has led over the last year.

“All we have done in the last 16 months, and for the foreseeable future, is build a coordinated defense posture,” says Grabowski. “We have invested in our Elastic Search tools for endpoint detection and response (EDR) technology, and we stand at the forefront of mitigation and coverage by ensuring that all Shadow IT gets some spotlight. And we’re bringing it to other asset classes like mobile.”

The CDM toolset has helped with every cyber threat and incident agencies have faced in the last five years. Whether it was the WannaCry ransomware attack, Log4J or any number of other threats, agencies and CISA can leverage dashboards from Elastic to discover more complete data faster.

Dashboard expansion plan

Judy Baltensperger, Project Manager for CISA’s CDM Dashboard, has been working with SolarWinds and Log4J cyber incidents.

“We were able to share with them what CDM data was actually available and what kinds of automated reports we could run. I think,” she said. “We have about 89 dashboards deployed and she reports data on 78 of them. I have reached the point.”

Baltensperger added that the dashboard has impacted the agency’s ability to meet specific compliance requirements and address longstanding cyber hygiene challenges such as patching and asset management.

There are several new capabilities provided by the CDM to agencies to improve this proactive and coordinated defense posture.

One of these, Baltensperger said, is called cross-cluster search, which allows CISA to look more closely at the state of an agency’s network. This helped during a recent cyber threat involving OpenSSL 3, which is considered a high-risk vulnerability.

“What you get here is this is federal level, object level data visibility into dashboards,” she said. “Since a few days ago last Friday (October 28th), we have been able to use that object-level data to drill deeper into what we scan. This is augmented by the implementation and enablement of cross-cluster search, but it needs to be improved, but this is a significant improvement.”

Baltensperger added that CISA expects to expand this cross-cluster capability to more agencies in 2023. The goal is a level of automation in information gathering that speeds up how quickly an agency learns whether it has a vulnerability, so that it can be remediated to reduce risk.

In addition, CISA has upgraded all agency dashboards to version 6 and added new services under the dashboard to identify agencies using products that are at or nearing end of life, so that they can replace them and reduce cyber risk.

More institutions moving to shared services

Finally, Baltensperger said another feature gaining momentum is around Dashboards as a Service.

“If an agency doesn’t have their own hosting environment and wants to hand it over to us, our team can do it for a significant cost savings of around $80,000 to $100,000 per dashboard. What we can do is give you access to that dashboard, which means we manage similar types of products, so for products, all infrastructure, storage It means we get paid and we can reuse our labor,” she said. “By essentially being able to build a shared service separately and provide it to all institutions, we have significantly reduced the number of people required to operate, maintain and upgrade a given solution.”

Five CFO Act agencies are using Dashboard-as-a-Service today, with seven or eight more coming on board in 2023.

“This means that their dashboard has moved outside the boundaries of the system and we are hosting it on their behalf. Now the data still belongs to them. However, all the work is up to our team to operate, maintain patching, respond to operating system patches, and research susceptibility to OpenSSL. are already doing it themselves,” she said. “What we’re doing is just spreading it out to agencies. But that means we’re funding infrastructure. We are able to realize cost savings because we are funding as a service.”

Shared services, reduced costs and, most importantly, improved cybersecurity were the original goal and vision of CDM. No one claims this has been an easy road, and while CDM is far from perfect, DHS, the State Department, OMB, and many visionaries made a collective leap into the cyber unknown. It is clear that government agencies are better for it.

Governments rarely celebrate program successes, especially cybersecurity initiatives. But CISA, OMB and all agencies should take a moment to enjoy what they have accomplished through CDM over the past decade, and offer a smile or two.

And I hope CISA will at least get a cake to mark the anniversary and celebrate all the good things about the Continuous Diagnostics and Mitigation program.

https://federalnewsnetwork.com/reporters-notebook-jason-miller/2022/11/cisa-signature-federal-cyber-program-warrants-more-than-a-passing-anniversary-nod/