The future of the Continuous Diagnostics and Mitigation program remains unclear as early adopters like NASA seek more funding to maintain its cybersecurity tools moving forward.
Started by the Department of Homeland Security in 2012, CDM initially focused on asset and identity and access management across agencies before moving onto network security and data protection.
NASA was one of the first four agencies to adopt CDM in 2013, before the Office of Management and Budget mandated all agencies share information with DHS’s federal dashboard and justify the use of continuous monitoring tools outside the program. But workforce and funding challenges persist, according to government cybersecurity experts Thursday at the Cybersecurity Leadership Forum presented by Forcepoint and produced by CyberScoop and FedScoop.
“That’s what keeps you up at night with CDM is that ongoing cost—the refreshes six, seven years down the line—who’s going to take on that cost?” said Willie Crenshaw, program executive for CDM and risk management in the Office of the CIO at NASA. “And if we don’t have an influx of funding at the agency level, then what’s going to happen is CDM is going to be this success story but then is going to fizz out because we weren’t able to maintain it.”
CDM Program Manager Kevin Cox said his office tracks and shares agency cost information with OMB and tries to ensure President Trump’s budget includes funding for new efforts as well as sustainment, which “has worked fairly well.” The program received more funding than requested the last two or three budget cycles, which it spent on data protection and cloud projects, Cox said.
DHS would see flat funding for CDM in fiscal 2020 under the president’s proposed budget.
Currently, CDM spends the money it has on specific technologies and processes within different agencies as “proofs of work” it can spend taxpayer dollars wisely and, if fully funded, successfully perform governmentwide deployments.
“It’s a question of: Will the CDM program become this wider sense of getting full cybersecurity solutions in place across all these different capability areas, or will we be more targeted on high-value assets, specific environments, etc.?” Cox said.
Through September 2019, CDM is focused on helping agencies fill asset management and identity and access management gaps, while also ensuring dashboard infrastructure works to operationalize data on assets, vulnerabilities, configurations and patching via a security-posture algorithm, Cox said.
A new CDM dashboard contract is expected in May that will open agencies up to new tools, analytics and business intelligence, he added.
“If one agency has an incident, there’s a greater likelihood that spreads and gets to other agencies or that it’s happening at the same time across many agencies,” Cox said. “So we wanted to get that visibility.”
When Crenshaw originally approached NASA’s missions about CDM, leadership was opposed.
“They told us, ‘We don’t care what you’re talking about. Kick rocks,’” he said.
Since then, CDM has led to a culture change involving processes, management and policies at NASA because of the agency’s mandate to share data securely, Crenshaw said.
NASA uses CDM Dynamic and Evolving Federal Enterprise Network Defense, or DEFEND, task orders to meet both the program’s requirements and its own as a research agency because “it’s not uncommon to find an Xbox … on a NASA network,” he added.
“[W]e have to guard against nation-states taking certain data from us, and getting in front of us, because we want to be first in getting to the moon and then getting to Mars,” Crenshaw said. “We don’t want to make it easy for other nations to get there before us, and we look around and they’ve got a rocket that looks just like ours.”