The potential for the new Continuous Diagnostics and Monitoring blanket purchase agreement (CDM BPA) to change cybersecurity – both policies and practices – throughout government agencies is vast. But it still falls short of addressing the fundamental cybersecurity challenge of the Internet age: Anticipating where security problems will occur, rather than reacting after the fact.
“I long for the day when security tools can keep up with technological developments,” Rod Turk, CISO and director of the Office of Cyber Security at the Department of Commerce, told the audience at the April 8 FedInsider Executive Leadership Forum hosted by immixGroup on Improving Cybersecurity and Resilience Through CDM.
But while that longed-for day may never come, Turk, Eduardo Cabrera, Assistant to the Special Agent in Charge, U.S. Secret Service, and Mark Kneidinger, senior advisor, Cybersecurity and Communications, Department of Homeland Security, agreed that the BPA will improve agencies’ security posture.
Kneidinger noted that the BPA already is introducing private sector best practices, since it includes commercial off-the-shelf packages that have proven their worth. The creation of an “early engagement group” that includes representatives from all agencies participating in the BPA is a second way for best practices and lessons learned to be shared. Of the 124 Executive Branch agencies, he said, more than 96% have signed a Memorandum of Agreement to participate.
Just as important, the CDM BPA also is open to state, local, and tribal governments, creating the opportunity to spread best practices far beyond the federal level.
“I’m talking to 36 states,” Kneidinger said, “and their level of [collective spending] is greater than the federal government’s.” He said he’s had conversations with eight other nations and inquiries from the U.S. industrial base, all interested in the CDM BPA’s range of offerings.
Phase 1 of the BPA, now in use, does not address cybersecurity in either mobile or cloud environments, Turk said. While at some point CDM may include tools for monitoring cloud activities – “or as much as the vendor will allow,” he said – mobile is a different challenge because there are so many devices from so many providers.
The U.S. Secret Service is in a somewhat different position than other agencies, Cabrera said. The agency has primary responsibility for financial crimes, including those committed via the Internet. While the agency will use the sensors, tools, and services offered through the BPA, it also always looks for technologies that not only improve the detection of cyber attacks, but include analytics that would give the agency the ability to connect multiple attacks and multiple victims.
The award of the CDM dashboard contract in March will accelerate the ability of CISOs and CIOs to know how their networks are faring and where to focus their time and resources.
“The dashboard helps set priorities,” Kneidinger said. For instance, using a security dashboard will enable significant automation of the FISMA compliance process, he said. “There are 15 categories of cybersecurity coverage [included]. Not all FISMA reporting can be automated, but a lot of it can. And the money saved, [the Office of Management and Budget] lets the agency keep it.”