The acting manager of the Cybersecurity and Infrastructure Security Agency’s (CISA) Continuous Diagnostics and Mitigation (CDM) program is hailing quick progress that the program and Federal agencies have made in signing new agreements mandated by the Biden administration’s Cybersecurity Executive Order to share object-level network data with the CDM program, rather than the summary-level data that was previously required.
Speaking at MeriTalk’s Cyber Central: Defenders Unite virtual conference on October 28, CDM Acting Program Manager Richard Grabowski talked about the rapid progress already seen with agencies executing new memoranda of agreement (MOA) with the CDM program that will provide CISA with better abilities to hunt threats on and across Federal civilian networks.
The Cybersecurity Executive Order issued in May gave agencies 75 days to establish or update MOAs with CISA for the CDM program “to ensure object-level data, as defined in the MOA, are available and accessible to CISA, consistent with applicable law.”
Notably, for the CDM program, the Cybersecurity Executive Order directs Federal civilian agencies to speed efforts to install endpoint detection and response (EDR) capabilities on their networks – which is a major technology building block of the CDM program.
At the October 28 MeriTalk event, Grabowski talked about progress on that and other fronts spurred by directives in the Cybersecurity EO.
“In terms of the EO, there’s been a lot of work – and a lot of it is not just on the technology side,” he said.
“One of the key things I’m proud of” is progress “to get the new MOAs signed,” he said.
“What the MOAs are is an agreement between the program and the agencies to really cooperate on a set of key tasks” to drive the architecture necessary for improved EDR capabilities, he said.
“The agencies will cooperate … [and] establish clear rules of engagement, and make sure ultimately that the tools get operationalized as they’re expected to be, and that these data feeds make it not only into a dashboard,” but into risk management processes, he said.
“On the business side, we offer tools and services, and support,” Grabowski said. “We provide the dashboards, we provide acquisition support, and we state these terms upfront so that both sides know that we both are participating and have shared responsibility.”
“In terms of what we’ve done in the EO … we’ve been asked to modernize the MOAs so that we can prepare to collaborate at a much more detailed level, more so than ever before.”
“The earlier versions of the MOA had provisions about the data that we could actually see from agencies – what we used to call a summary dataset,” he explained.
“One of the key things, amongst others, is that now we have access to object-level data, and object-level data is so critical in this collaborative model because it allows us to do more expansive type of things like threat detection or threat hunting, as well as access levels of detail with context around risk and help agencies out with proactively mitigating them, more so than ever before,” Grabowski said.
“I’m very proud to report that we’ve actually been able to get all of the CFO Act agencies” and about 85 percent of the non-CFO Act agencies on the MOA version 2.0 in less than 90 days – versus the roughly three years it took to get similar progress with agencies on the previous version of the MOA, Grabowski explained.
That’s a “huge credit … to agencies that are putting their trust in us,” he said. “We’re on a very fast track to really get to this new collaborative model that I’m talking about.”
Discussing EDR activities under the Cyber EO, Grabowski said that one of the primary initiatives in play involves an EDR tool build-out. “This is where we work with agencies to figure out what their bona fide needs are,” he said.
“This can be a conversation … to figure out what you have in an EDR tool, are there bona fide gaps that we have to fill, specific modules or capabilities that are missing that you need, and how much of that is a gap, and how much does CISA need to work with you on that,” he said.
“It’s also an opportunity to establish terms of how access is provisioned, going back to that MOA conversation. It’s a very cooperative conversation between us and the agencies,” he said.
“Another thing that we ask them is what is your relative satisfaction with what you have. Oftentimes, just because they have it today doesn’t mean that they are 100 percent on-board, maybe it’s just an early pilot, and that’s not for us. We have a very honest dialogue with the operators at agencies.”
“The other thing that is very important is a really centralized enterprise approach to EDR,” he said, adding, “traditionally, we’ve seen … in many cases, there are a lot of one-off deployments.” In an agency with numerous subcomponents, he said, that could mean “30, 40, 50 different deployments of a half dozen tools or more.”
“One of the things that we are being very cognizant about when going down EDR path is making sure that every agency has an enterprise approach to this particular capability,” Grabowski said. “One of the key reasons why we’re doing this is to reduce the jurisdictional appeal of cyber, especially as the current activity needs to be done faster against a much more pernicious threat.”
“We have to be able to have tools that are able to chase them wherever they’re going to go and hide,” he continued. “The more different types of deployments that organizations have to coordinate with just to get access, the more complicated, and that reduces the efficacy which we conduct that mission, both us and the agencies in that regard.”
“The other question that we end up asking is … what kind of integration do you need,” Grabowski said. “A lot of times it’s easier to integrate nicely with things like security information and event management (SIEM) platforms. In many cases, agencies already have a mature SIEM sense, or we will help them there if that’s what they request.”
“The key point to put out here is not just doing things without listening, [but] we’re having an active conversation, engaging the agencies and working cooperatively with them to establish an infrastructure that will work for them and for us,” he said.
The CDM program “really is about data,” Grabowski also said during his remarks. “It always has been because the data is so fundamental to cyber and what we do here.”
Recapping the themes of recent program activity, Grabowski talked about “establishing standards of performance” for the quality of data extracted from agency networks, including through EDR tools, and then processes to “normalize that data” as it is stored within agencies and the program’s dashboard architecture, “which is the cornerstone of what makes the program run.”
“The whole principle here is that we can use data to answer questions that previously humans had to answer, and then using the architecture effectively, in a collaborative environment with our agency partners, allows us to really get forward on a lot of the things that we need to when it comes to proactive risk management and threat detection response.”
“Today, we have all of the CFO Act agencies on board as well as many of the non-CFO Act agencies…and we’re really, really proud to have those agencies as our partners as we try to mature ISCM (information security continuous monitoring) strategies in the dot-gov,” he said.
Introducing Grabowski during the Cyber Defenders event, Jean Schaffer, Federal Chief Technology Officer at Corelight, commented that the program “has grown beyond CDM to include all things cyber,” and talked about the Cyber EO putting “major emphasis on installing endpoint detection and response capabilities on Federal networks, one of the hallmark functions of the CDM program.”
For the complete replay of Grabowski’s remarks, please visit Cyber Central: Defenders Unite.