The first phase of the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) blanket purchase agreement (BPA) is “effectively identical” to the first four items on The Critical Security Controls for Effective Cyber Security version 5.0, according to Tony Sager, Chief Technologist for the Council on CyberSecurity and former COO of the Information Assurance Directorate at the National Security Agency.
“The way we refer to those four [is] foundational,” Sager said. “By itself, hardware and software asset management … won’t stop all the attacks, but they’re foundational because you can see what’s going on. If you need to recover from a bad thing, you need to know what was there. You have to do them. And you want to do them in a way that’s cheap. You don’t want humans running around with clipboards” counting devices.
The first three items on the SANS list – inventorying authorized and unauthorized hardware on a network, doing the same for software, then establishing and maintaining secure configurations for them on servers, workstations, laptops, and mobile devices – are not just security-oriented activities, Sager said, but a mix of security and operations measures that address the “hygiene” of the systems. The fourth SANS item, continuous vulnerability assessment and remediation, begins to focus on cybersecurity specifically.
“You’d be surprised how many agencies don’t have these in place,” he said. “They didn’t have the money, or they’re only a patchwork.” He said the federal government has to be viewed as a total enterprise, since all its systems are interconnected one way or another. “Each agency can try to solve the issues by its lonesome, but we’re all connected, none of us are immune, and mostly we don’t know who we’re connected to … That means everyone has a shared risk, so we all have to do things together.”
Sager is supportive of the intent of the BPA. “I would say that CDM is a start. There’s no magic in this business, buying these tools off the BPA won’t make these problems go away,” he said. “But if you put the foundational technology in place that everybody needs, [it] frees up time to address the things that make more sense” to invest scarce resources in addressing.
From this point on, as DHS adds phase two of the CDM BPA, the tools and services won’t follow the SANS list so neatly, but that’s because once the foundational issues are resolved, government agencies have different priorities than the global community as a whole, he said.
“Access control, privilege management credentials, those are very high on the government’s [to-do] list … There is no 1-to-N list that suits everybody,” he said.