The goal of the Continuous Diagnostics and Mitigation (CDM) Program is for all civilian agencies covered by the Chief Financial Officers’ (CFO) Act to feed data to the federal government-wide cybersecurity threat dashboard. The dashboard consolidates threat information from the individual agency feeds to give an overall understanding of the cyber risks facing civilian agencies and enables them to prioritize the most critical issues.
We recently spoke with Aaron Gosney, MSNS, CISSP, CEH, senior consulting engineer for RedSeal, who has 20 years of experience in information assurance and IT consulting for the federal government, about CDM and CDM Dynamic and Evolving Federal Enterprise Network Defense (CDM DEFEND), which are run jointly by the General Services Administration (GSA) and the Department of Homeland Security (DHS).
As Gosney pointed out, a priority for CDM is to help federal agencies become more digitally resilient. “Resilience is not just being able to prevent attacks, but to also be able to respond and return to normal operations with a secure network and be ready for the next time an attack occurs.”
The CDM / CDM DEFEND programs are important for federal agencies because, according to Gosney, they provide hardware, software, and services to federal civilian agencies to develop a more robust cybersecurity program that is not just set up to try to prevent compromises, but to effectively respond.
“The program provides key information to agency leadership through the dashboard on the overall health and status of each agency. The dashboard gives DHS an idea of where there are weaknesses and the opportunity to share intelligence as new vulnerabilities come out,” he explained. “Not only will they have a better understanding of both agency and overall risk, they also will see new threats quickly and be able to address them across all of the agencies. It is breaking down silos, which is an important goal for the federal government.”
To help agencies become compliant, CDM has been broken down into phases, each addressing a key area of a robust cybersecurity program.
There are four phases in total:
Phase 1: What is on the network, including status / state?
Phase 2: Who is on the network?
Phase 3: How is the network protected? What is happening on the network?
Phase 4: Protecting data on the network.
“The phases address the core components of both operations and security,” Gosney said. “Starting with Phase 1 you need to know what’s on your network before you can even begin to develop a more robust security posture. Then you need to understand who is using the devices you have identified, whether individuals will be logging onto the network to use them, and what entities are actively using them. Phase 3 is understanding how the network is protected, whether encryption is being used, if there is segmentation between devices, among other important steps.
“In Phase 3, the agency can look even further into the network traffic and logs to get a much better idea of what actually is happening on the network and what is and isn’t allowed. This helps them to respond much more quickly when something that is a deviation from what is expected occurs,” he explained.
“Phase 4 is one of the most important steps, because agencies are identifying what data is most critical and making sure they know exactly where it is and can ensure that it is protected from any device or person who is not allowed to access it,” Gosney shared. As each agency moves through these phases they will gain a much better understanding of their network, what is happening on it, and how to best protect and respond to any incidents.
Gosney said that with all 23 CFO Act agencies now exchanging data with the CDM dashboard, the federal government is poised for a big improvement in its information assurance and resilience postures.
“Having a visual map of how all of these devices are interconnected and the controls that exist between them is crucial, especially for larger agencies that span multiple locations,” he explained.
“However, the phases don’t address visualizing the network itself. Currently, we have phonebooks worth of data. Without a map to review, it’s hard to clearly visualize the location and connectivity of the devices, as well as identify areas that may be missing,” Gosney concluded. Now that agencies are on the right track towards a robust cybersecurity posture, it’s time for them to fine-tune their strategy, fill in the information gaps, and become resilient in the face of never-ending threats.