America’s space agency started implementing in November the first phase of the Continuous Diagnostics and Mitigation program designed to give agencies the tools they need to identify, prioritize and tackle cybersecurity risks, a NASA official told FedScoop.
Not only is that implementation going well so far, NASA’s CDM program executive said, but phase two is, also. The Department of Homeland Security and General Services Administration-led program is finally giving the agency a way to tackle a long-recognized need for better security tools, said Willie Crenshaw, CDM program executive in the IT security division of NASA’s Office of the Chief Information Officer.
“That’s been a long-standing issue in the past, both when I was a contractor to the federal government and now being a federal worker. It was always: we know what’s out there, we know the tools are available, we know the capabilities are available, but the budgets weren’t always there,” Crenshaw said. “And then also, technology changes so quickly, that you buy a tool and then by the time you buy it and implement it, it’s pretty much obsolete.”
But CDM, Crenshaw said, seems to be tackling those problems.
“We get best-of-breed tools, we get top-notch tools, we’ll be able to implement in our environment,” he said. “But not only did they provide us tools, they provided services for us as well as a federal agency to integrate those tools. So they did listen.”
NASA anticipates being done with phase one by the end of fiscal year 2017, Crenshaw said in an interview with FedScoop.
“The first phase of CDM focuses on endpoint integrity: management of hardware and software assets, configuration management, and vulnerability management, which are foundational capabilities to protect systems and data,” according to the DHS CDM webpage.
The biggest hurdle to overcome, according to Crenshaw, was really understanding the scope of the work to be done.
“It’d have been difficult to cover the entire agency if we had not had something driving this, and CDM has been driving us to get these capabilities in place,” he said.
As due to the sheer size of the agency, Crenshaw said the team is going to be finding out some things as it goes through deployment.
One of the first agencies to sign on to implementing the program, NASA assembled its own team to tackle implementation, Crenshaw said. NASA has a standing working group with representation from all across the agency to get a handle on requirements, share information and address any snags during the process with DHS.
“The main thing is we don’t want to break anything,” Crenshaw said.
Another crucial piece to implementation is communicating plans at all levels of the agency — even up to NASA’s administrator, Crenshaw said. But taking the time to communicate with everyone also gives the team an opportunity to educate the end user, Crenshaw said, the main entry point into a network.
“When you educate people as to — here’s what we’re trying to do, here’s what we need to protect, here’s what we’re protecting, you kind of learn a lot more about the organization as a whole because now you know what you’re protecting and know what work everyone is doing,” he said.
One of the big upsides of the project: “I’m learning exactly what each mission does, and how they’re operating, what’s important to them,” he said. “And you can see what your crown jewels are for your agency and for your corporation, and protect that.”
NASA’s implementation is divided into deployment on the corporate side, and then on the mission side. The mission side is more difficult, Crenshaw said, because of its tight schedule for space launches.
“We’re poised here within the next month or two to deploy to our corporate side, and then later on this year we would have all of NASA covered for phase one, task order two,” Crenshaw said. “And that’s pretty much the heavy lift with CDM. But the CDM program is big — it’s going to take a number of years to get it done. So we’ve already started some additional activities on the phase two stuff.”
Overall, Crenshaw said CDM is a “good program” that government needed.
“The tools are working very well together, the Gigamon, as well as the RES and all those tools are working well together to give us what we need,” Crenshaw said. “So we’re just excited about where we’re are, and as we continue to deploy we’ll make sure that we’ll get the data and start feeding it to DHS is the way that the program’s intended to work.”
Crenshaw said he is excited to see the data the tools will bring, and the capabilities that will help NASA respond in a more anticipatory way to threats. As he put it: “Be on the offense instead of always on the defense.”