There’s a risk that personally identifiable information inadvertently obtained by integrators providing Continuous Diagnostics and Mitigation (CDM) capabilities to small agencies could be used inappropriately, according to a Department of Homeland Security assessment.
A December DHS privacy impact assessment found that the CDM platform for smaller agencies exposes personal data to third-party contractors operating that cloud-based shared service.
Generally, larger federal agencies deploy CDM capabilities themselves, and the Cybersecurity and Infrastructure Security Agency, which oversees the program for DHS, only has access to summary-level data pushed to the federal dashboard.
But the CDM Shared Service Platform (SSP) makes tools available to non-CFO Act agencies via third-party contractors, and those integrators do have the potential to access personal data collected through operations and maintenance. Currently, ManTech holds the contract to provide the shared service.
As a mitigation, integrators are prohibited in their task orders from using or sharing data collected with CISA, but that’s not a guarantee, according to DHS.
“As a contractor to CISA, the integrator is required to conduct its activities in accordance with DHS requirements, including having all contract staff complete privacy training,” reads the assessment. “Full disk encryption has been implemented across the entire shared service platform to meet applicable data-at-rest requirements.”
The platform also collects logs at the operating system and application levels, which all users are prevented from erasing.
The CDM SSP’s authority to operate expires March 28, 2021.
DHS also assessed the CDM Agency-Wide Adaptive Risk Enumeration (AWARE) algorithm used to score agencies’ cyber risk and found the measure doesn’t introduce new privacy risks to the federal or agency dashboards.