Federal agencies as a group are “close” to completing work to put in place the first two of the Continuous Diagnostics and Mitigation (CDM) program’s four key capabilities, said Betsy Kulik, senior advisor for the Cybersecurity and Infrastructure Security Agency’s (CISA) CDM program, at a November 4 online event organized by FCW.
The CDM program’s four broad capabilities are asset management; identity and access management; network security management; and data protection management.
Implementation of the program’s capabilities has been a long campaign for many Federal agencies over the past several years, and recent Biden administration directives to improve Federal civilian agency cybersecurity – helped by more funding for CISA under the American Rescue Plan Act – are working to hasten agency progress with the program.
Noting that the CDM program was established in 2012, Kulik recalled that the program originally – and “aggressively” – thought that agencies could implement the first two program capabilities each in one year.
“That has not been the case, we’re still working on it,” Kulik said.
“But we’re close to completing baselines for both asset management and identity access management across the dot-gov, and these are two really essential tenets to lead to zero trust architecture,” she said.
“Getting these foundational capabilities really structured and operational is really key to further, more mature capabilities” that would fall under the CDM program’s third big capability – network security management, “which is where zero trust would actually be found,” she said.
Kulik said the CDM program has been doing “some work” with agencies on the fourth program area – data-protection management – but said those efforts are “really dependent on agency readiness.” She added, “as agencies are prepared to do data protection management, we are able to offer them services in that area as well.”
Kulik also delivered an encouraging review of the performance of the CDM program’s upgraded dashboard ecosystem, which handles data generated by program deployments on agency networks and delivers that data both to agency IT leaders and to CISA to inform the agency’s government-wide security view and threat hunting capabilities.
Federal CFO Act agencies, she said, are “in various stages of deploying this new dashboard, and the performance parameters we’ve seen so far have really been very exciting.”
“We were hampered with our original dashboard with a mismatch between what the dashboard was, and what the requirements were,” Kulik said. “This one is much more scalable … the performance so far has shown it to be much faster, with fewer data clogs than we had experienced before.”