Federal civilian agencies are increasingly realizing that the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program is the cybersecurity strategy of their future. As such, information technology (IT) leaders and agency heads need a solid foundational understanding of CDM and how to implement it.
DHS is a key mover for the adoption of DevSecOps methods, which require thinking about application and infrastructure security. As the name implies, CDM demands continuously monitoring networks and rapidly diagnosing and mitigating cybersecurity threats. In partnership with the General Services Administration (GSA), DHS created CDM-focused blanket purchase agreements under GSA Schedule 70 in 2013, and has only increased its commitment since then through additional and ongoing programs.
Meanwhile, legislation and regulations—most notably Office of Management and Budget Memorandum 19-02—are further pushing federal agencies toward using CDM to meet security requirements. Section III of that document urges federal agencies to work closely with DHS to “accomplish CDM program goals at the agency level,” and puts DHS in charge of maintaining a dashboard providing situational awareness of the federal government’s cybersecurity posture.
Phasing out phases
The CDM program includes four broad categories of monitoring and threat mitigation:
1. Asset Management: What is on the network?
2. Identity and Access Management: Who is on the network?
3. Data Protection Management: What is happening on the network?
4. Network Security Management: How do agencies protect data on the network?
DHS awarded the initial task orders for the first two categories some time ago, characterizing them as phases. However, because attack vectors and exploit methods are constantly changing, it is imperative that federal agencies be protected in an evolving threat environment. Defenders often have limited visibility into the attack space, and the highly trained, quick-thinking professionals needed to protect the front lines are in short supply.
In this threat environment, speed and agility are of paramount importance. CDM is an answer, but it’s clear that DHS is not thinking of it as a phased approach anymore; federal agencies must approach it holistically, with all four categories in play simultaneously.
Now that the Dynamic and Evolving Federal Enterprise Network Defense (DEFEND) program is in place, and given that available technologies are constantly evolving, federal agencies and their industry partners are using this holistic approach for cybersecurity defenses and visibility. DEFEND fills gaps left by the original task orders and moves the program forward into more advanced work.
Think of cyberattacks as a new kind of arms race—one in which we can assume attackers have virtually limitless resources and, often, a great degree of talent for defeating defenses. Defenders are in a less enviable position. Deploying CDM addresses many of the vulnerabilities, but agencies have to do it effectively and quickly to improve their security posture.
As an architecture, CDM should be as automated as possible. CDM is primarily concerned with the flow of data from sensors to dashboards, comparing the ideal state of security to the actual environment. This provides timely and accurate security posture data for assessing risk. By using a machine-readable policy engine, an organization will end up with a system that can transmit data, interpret it through a rules engine and apply the called-for mitigation measures based on established policy, all without human intervention. This, in turn, reduces risk.
As a systems integrator for CDM, CGI Federal understands that every environment is different. Agency leaders can’t assume that what worked well for another agency—one of a different size, with a different risk profile and a different mission—will necessarily work for them. Instead, they must assess their own situation and develop their own solution.