System integrators hired to help agencies set up network monitoring tools have spent the pandemic months largely filling IT asset-management gaps, according to contractors and officials associated with the Continuous Diagnostics and Mitigation (CDM) cybersecurity program.
The transition to remote work created new holes in agencies’ awareness of hardware on their networks, said Dan Smith, vice president of the homeland security division at ManTech, one of the systems integrators that works on CDM.
ManTech and other companies found that they had to consider which devices were on federal networks before they could think about other security questions — especially because of the sudden need to protect data on employees’ mobile devices, Smith said. Addressing asset management gaps remains a top concern, especially since the Government Accountability Office found in August that agencies’ hardware counts were inaccurate, resulting in poor data quality that limited the usefulness of CDM dashboards detailing their security postures.
“Asset management turned out to be a pretty big one this year, especially with COVID-19,” Smith said during the Billington Cybersecurity Summit on Wednesday. “A lot of the pandemic response from the agencies we support, most of them moved to a telework posture pretty rapidly, and there was a pretty big shift from traditional network security to endpoint security and making sure things like their [Virtual Private Networks] were configured correctly.”
CDM works with civilian agencies to implement tools that feed data to agency and federal dashboards, informing overall cybersecurity risk management. Filling gaps in asset management — and identity and access management — is a key goal for fiscal 2021 as CDM works to ensure data quality, said Kevin Cox, CDM program manager.
“We want to make sure that the data coming up from the sensors and scanners has good reliability, is being reported in a timely fashion, so that the data is usable,” Cox said.
ManTech works on CDM with the Department of Education, Environmental Protection Agency, Department Housing and Urban Development, Nuclear Regulatory Commission, National Science Foundation, and Small Business Administration, as well as non-Chief Financial Officers Act agencies.
Aside from asset management, ManTech has been supporting agency-specific CDM needs since the pandemic began. That includes helping them downsize their continuous monitoring toolsets to eliminate duplication and overlap.
“Part of where we’ve been trying to go with the agencies, where we’re helping with that architecture, is to help identify what the core technology needs are and then over time rationalize the tool suite so that they’ve got a smaller number of tools that are deployed more comprehensively — providing a better set of data across the board,” Smith said. “That really helps to improve the investment profile for everybody, it keeps [operations and maintenance] costs down, it helps with licensing, and gives them additional resources to invest in areas like data protection management or cloud security brokering.”