Tech

Personal CDM data could be used ‘inappropriately’ when integrators are involved

Third-party contractors are prohibited from using or sharing data collected with CISA in their task orders, but that's no guarantee.

By Dave Nyczepir

January 6, 2020

(Getty Images)

There’s a risk personally identifiable information inadvertently obtained by integrators providing Continuous Diagnostics and Mitigation (CDM) capabilities to small agencies is used inappropriately, according to a Department of Homeland Security assessment.

A December DHS privacy impact assessment found that the CDM platform for smaller agencies exposes personal data to third-party contractors operating that cloud-based shared service.

DHS launched CDM in 2013 to provide federal, state and local agencies with tools to track and respond to cybersecurity incidents faster.

Generally, larger federal agencies deploy CDM capabilities themselves, and the Cybersecurity and Infrastructure Security Agency that oversees the program for DHS only has access to summary-level data pushed to the federal dashboard.

But the CDM Shared Service Platform (SSP) makes tools available to non-CFO Act agencies via third-party contractors, and those integrators do have the potential to access personal data collected through operations and maintenance. Currently, ManTech holds the contract to provide the shared service.

As a mitigation, integrators are prohibited from using or sharing data collected with CISA in their task orders, but that’s not a guarantee, according to DHS.

“As a contractor to CISA, the integrator is required to conduct its activities in accordance with DHS requirements, including having all contract staff complete privacy training,” reads the assessment. “Full disk encryption has been implemented across the entire shared service platform to meet applicable data-at-rest requirements.”

The platform also collects logs at the operating system and application levels, which all users are prevented from erasing.

The CDM SSP’s authority to operate expires March 28, 2021.

DHS also assessed the CDM Agency-Wide Adaptive Risk Enumeration (AWARE) algorithm used to score agencies cyber risk and found the measure doesn’t introduce new privacy risks to the federal or agency dashboards.

Personal CDM data could be used ‘inappropriately’ when integrators are involved

More Like This

ICE pursuing privacy approvals related to controversial phone location data

House Modernization panel advances bill to improve CRS’s data access in first-ever markup

DHS launches safety and security board focused on AI and critical infrastructure

Top Stories

ACLU seeks AI records from NSA, Defense Department in new lawsuit

IRS touts Direct File usage, while mulling the future of the program

GSA welcomes nominations for advisory committee focused on federal transparency efforts

Security flaws in IRS systems pose risk to financial statements, GAO says

DOJ seeks public input on AI use in criminal justice system

CISA’s chief data officer: Bias in AI models won’t be the same for every agency

DHS picks OMB official to lead its new AI Corps

More Scoops

How risky is ChatGPT? Depends which federal agency you ask

CISA considering the future state of EINSTEIN as agencies modernize

CISA publishes update to Zero Trust Maturity Model

Insiders worry CISA is too distracted from critical cyber mission

CISA expects most agencies to be deploying endpoint detection by FY23

HHS commits to continuous monitoring, after information security found ‘not effective’

Report: Census Bureau should set timeframes for protecting respondents’ data privacy

Latest Podcasts

Personal CDM data could be used ‘inappropriately’ when integrators are involved

CISA is building an automated ransomware warning program

GSA’s Login.gov platform gets a new director

DOD’s Ashley Elizabeth Evans on effectively implementing AI

Tech

Defense

Cyber

Acquisition