Despite delays in the rollout of a cyber security program that is meant to provide greater visibility and security of federal networks, so far the Continuous Diagnostics and Mitigation (CDM) program is making progress, industry officials told a House panel on Wednesday.
The initial phase of the CDM program began in Jan. 2013 with tools to help federal agencies better understand what is on their networks and the second phase kicked off in June 2016 with tools to manage who is on the networks.
“The CDM program has made significant progress over the last several years in providing federal agencies with capabilities that identify cyber security risk on an ongoing basis, prioritize those risks based on potential impacts, and enable cyber security personnel to mitigate the most significant threats first,” Frank Dimina, vice president of Federal for the cyber security software firm Splunk, Inc., told the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection.
There are four phases to the CDM program. The third phase is in procurement cycle and involves tools for understanding what is on federal networks. Requirements are still be developed for a fourth phase “but DHS has indicated that it will focus on how data is protected through technologies such as micro-segmentation, digital rights management, and other advanced data protections,” Gregg Mossburg, senior vice president for Strategic Operations at the U.S. federal business of Canada’s CGI Group [GIB] said at the hearing to examine the program.
The Department of Homeland Security (DHS) is managing the CDM program and works with federal civilian departments and agencies to deploy the appropriate tools to meet their needs.
Dimina said the Phase One deployments have allowed some federal agencies to identity endpoints on their networks and uncover additional endpoints that they didn’t know about.
“As a result, those agencies are now carrying out efforts to bring those endpoints into the program,” he said.
Still, Trey Hodgkins, senior vice president for Public Sector at the Information Technology Alliance for Public Sector, told the panel that “we do not believe the government has total visibility into the assets it possesses on its networks and systems,” adding, it doesn’t “understand everything it owns.” He recommended that agencies should “keep track” of the assets it buys and deploy as “it buys them.” He said the government’s current procurement systems don’t inventory the things it buys.
Dimina said that “continuous monitoring should be looked at as a journey, not a destination,” adding that even though “visibility is not complete, but there’s a solid foundation for a cyber security program here.”
In addition to the various tools that inventory, manage network privileges and monitor network traffic, the CDM program includes agency and federal dashboards.
Rep. Cedric Richmond (D-La.), the ranking member on the subcommittee, said in his prepared remarks that currently 20 agencies have deployed internal dashboards and two are connected to the federal dashboard. He said that in February, all 24 departments and agencies targeted by DHS will be connected to the federal dashboard.
“As more agencies connect to the federal dashboard, DHS will have greater visibility across federal networks and will be better positioned to identify and mitigate malicious activity, including complex, coordinated attacks,” Richmond said.