A Department of Homeland Security program designed to shore up network cyber defenses of federal civilian agencies continues to lag in implementation, specifically within the department itself, the DHS Office of Inspector General (IG) says in a new report.
The report says the DHS, which designed the Continuous Diagnostics and Mitigation (CDM) program to help protect against cyber threats inside government networks, has made halting progress in implementing the program within the department. Moreover, the IG said it identified vulnerabilities in CDM capabilities due to unclear guidance not following through on requirements.
“DHS initially planned to deploy its internal CDM solution in three phases by 2017 using a ‘One DHS’ approach that restricted components to a standard set of common tools,” says the report, DHS Has Made Limited Progress Implementing the Continuous Diagnostics and Mitigation Program (OIG-21-38). “After this attempt was unsuccessful, DHS adopted a new acquisition strategy in 2019, shifting to a capability-driven implementation approach, pushing the deadline to 2022, and allowing components to utilize existing tools to collect CDM data.”
The report says that DHS has an internal CDM dashboard, which provides visibility into networks and allows for the monitoring of threats and vulnerabilities on networks, but as of March 2020 “reported less than half of the required asset management data.” It also says that DHS has to upgrade its dashboard to be able to have the capacity necessary to monitor the networks of its various components.
The dashboard included data on 40 percent of hardware assets, 24 percent of software assets, 18 percent of configuration settings and 16 percent of vulnerability management, the report says.
“Until these capabilities are complete, the Department cannot leverage intended benefits of the dashboard to manage, prioritize, and respond to cyber risks in real time,” the IG says.
The report also uncovered “critical and high-risk vulnerabilities” on CDM assets such as unclear patch management responsibilities and unimplemented configuration settings.
Between 2013 and 2020, DHS had spent $180 million on its own CDM program, the report says.
DHS concurred with the three recommendations made by the IG, including updating the CDM dashboard to a scalable platform, reducing vulnerabilities on CDM assets, and defining patch management responsibilities for CDM information technology assets.
In responses included in the report, DHS says that as of January 2021, the office of the chief information security officer had transitioned the dashboard to a scalable platform and the vulnerabilities on CDM assets were corrected as of November 2019. DHS also said that as of July 2016, it had defined patch management responsibilities for the CDM IT assets.