The critical importance of Federal IT operations in sustaining vital government operations during the COVID-19 pandemic is nearing the status of universal truth. What’s much less obvious to the naked eye – and meant to be that way – are the security operations underpinning and defending the vast Federal technology enterprise. As the nation takes its first steps on the road to recovery, MeriTalk is bringing to light the untold stories of those efforts. In the latest chapter of CIO Crossroads, we examine the Cybersecurity and Infrastructure Security Agency’s (CISA) Continuous Diagnostics and Mitigation (CDM) program.
Security Never Sleeps – CDM Program Management Office (PMO) Q&A
The CDM program was conceived in 2012 to tackle a massive undertaking – modernizing network security across the entire Federal civilian government. Eight years into the task, the program’s security tools and architectures have woven a resilient web of protective technology through agencies large and small.
This program, its tools, and focus on preparedness have never been more relevant. When the full impact of the coronavirus slammed into government operations in early March, the rapid pivot to telework introduced new attack surfaces from home-based connectivity, as well as cloud and mobile technologies. Leading up to the crisis and continuing to this day, the CDM PMO, led by CISA’s Kevin Cox, has been at the ready, delivering critical rapid-response security assistance.
That help has come in the form of critical mission work to meet changing risks, faster than expected deployments of CDM tools, and a more nimble approach to helping agencies manage their cyber posture as they shifted to more virtual footings. Plus, the program is laying the groundwork to support more hybrid network architectures that are likely to endure well past the current crisis.
In an exclusive interview with MeriTalk, Cox tells the security story of the past three months, and how – amid that high-stakes work – the CDM program is keeping focused on its longer-term missions.
MeriTalk: You’re in a unique position at this unprecedented time. Please tell us about your experience in the CDM PMO. Specifically, what are you proudest of? What has surprised you most?
Cox: When the Federal government went into a remote work situation, we wanted to ensure that we could continue to support the agencies in delivering our critical cybersecurity capabilities and help the agencies protect their data and networks.
We’ve personally worked with those agencies and systems integrators to make adjustments where necessary to deliver the CDM capabilities. In some cases, that has been a shift to a more virtual footing.
What we’re finding, and it’s part of what we’re proudest of, is that we’ve been able to keep going – delivering at the same levels of service as before to help agencies get the proper safeguards in place.
MeriTalk: Can you share some metrics to frame the scope and scale of your operation and specifically your pandemic experience?
Cox: We are working with CISA leadership to capture those statistics across the mission space. What I can say now is that the mission continues to make progress, and we are committed to maintaining the same level of support as before the pandemic.
MeriTalk: Taking you back to the first few weeks of the crisis – what did your days look like, and what is your new normal today?
Cox: We knew that this was not going to be over quickly – so we had to assess what new risks were facing us and identify risks tied specifically to COVID-19 – and not just from a short-term perspective, but one or two months out. We looked at how risks we already were monitoring would be impacted, and we continually monitor those risks.
Knowing that this could go on for a while, we needed to stay focused on our mission. Agencies have data on their networks; some have started to move to the cloud; and some have data in mobile environments. We had to identify what we needed to get those capabilities deployed, as appropriate. We had to be prepared to make adjustments should there be needs around movement to the cloud, issues tied to telework, or more threat activity. We needed to see where we could adapt and support to deliver some of those capabilities more quickly.
We were assessing how this impacts our team, partners, and stakeholders – and how we keep them safe – while at the same time undertaking very critical mission work. I have to give kudos to my team and all the folks that are working with all of our partners. I have not seen people miss a beat. We’ve continued forward, delivering high levels of service to get implementations in place so that critical data networks are protected.
In terms of the new normal – we have to be prepared to shift to supporting more of a hybrid model. The principles are the same – we continue to monitor our risks, make adjustments, and continue to adapt but stay focused on our mission so that we can be successful, no matter where the agencies have their data.
MeriTalk: What lessons are you taking away from this experience?
Cox: The planning and development that agencies have done over the years has really been critical to sustaining remote work and agency missions.
From the CDM PMO perspective, it’s a case of understanding what the new terrain and risks are and identifying what changes are needed. We are a risk management-focused organization, and so, from the start of the pandemic, we’ve worked to assess our risks – both short and long term. You also have to be willing to make changes on the fly.
We have to be much nimbler. We’ve always had to be nimble in terms of working with the various mission spaces across the Federal government – but the pandemic has forced us to be nimble as we continue to make progress in terms of helping the agencies better manage their cybersecurity posture and overall risk management.
We’ve worked with all of our partners and stakeholders to see where we need to adapt delivery mechanisms. For example, with agencies that are seeing an increase in threat activity, we may need to deploy CDM capabilities earlier than they were originally planned.
MeriTalk: Are there any stories you can share about the impact you’ve had or how you’ve helped agencies solve their problems?
Cox: There have been cases where there’s been increased adversarial activity on an agency network. We were able to get additional support working with our systems integrator partners down on the ground to get better visibility into what was happening and determine the capabilities that needed to be deployed more quickly to ensure that the networks and data were protected.
MeriTalk: Focusing on telework – which is here to stay for the foreseeable future – what have you seen that’s worked well across the Federal government? And what kind of challenges – expected or unexpected – have you found?
Cox: The preparations that agencies did to get the telework infrastructure in place to support a large number of remote employees ensured that productivity could continue at the levels it was before the pandemic, and that important mission work can continue unabated.
As we go forward, we’re continuing to identify areas where we need to make things more robust, where CDM has a role to support, and how we can ensure agencies have the right team capabilities in place to monitor where their data is, how their networks are functioning in this new environment, and how to ensure their network cybersecurity is as robust as it needs to be.
MeriTalk: During this time, what are you hearing from mission owners about performance and their cyber concerns right now?
Cox: What we’ve heard in talking to a number of agencies is that the level of cyberattacks against our nation’s resources remains high. In some cases, we have even seen increases in the number of attacks.
The importance of the mission work we’re doing through the CDM program remains critical to helping the civilian agencies address any cybersecurity gaps – it helps gain better continuous monitoring visibility of data and networks to better protect their overall environments. At the end of the day, it helps them better manage risk.
MeriTalk: What’s keeping you up at night when it comes to immediate and magnified cyber vulnerabilities in the age of expanded telework?
Cox: First and foremost, we worked with our leadership to ensure the health and safety of our team and all the partners that we work with, including the agencies and systems integrators. We wanted to ensure that we were taking the right approaches and were not putting our team, partners, or stakeholders in harm’s way.
Beyond that, we want to make sure that, as threat levels remain high, we can get the right CDM capabilities onto the agency networks or into their cloud given the remote posture.
We know that our adversaries see opportunities in these tumultuous times. We are leaning on our partners and stakeholders to ensure that civilian agency networks are robust and the right protections are in place so we can keep adversaries and threats outside of the networks and away from the data.
MeriTalk: How is inter-government collaboration and cooperation working at this time?
Cox: Government collaboration and cooperation has been extremely strong during this period. In many cases, the agencies and the programs haven’t missed a beat when it comes to getting the right solutions and capabilities in place to protect the network’s data.
We continue to work closely with the agencies to support deployment efforts, reinforce their safeguards, and make their networks more robust. We’re meeting with agencies and systems integrators to continue future work so that, when folks start to move back to an office setting, we can make adjustments and keep being successful with the delivery of our cybersecurity capabilities.
MeriTalk: Everyone is learning as they go. How are best practices being shared across agency IT teams, and how could those channels be improved or expanded?
Cox: From our program standpoint, agencies and internal organizations are sharing information and best practices. Organizations like the Federal CIO Council and the Federal CISO Council are able to share lessons learned that can inform agencies if they are on the right track or if there are additional changes they need to make.
MeriTalk: You have given a few shout-outs to your team and the vendors – are there any other groups or individuals you would like to acknowledge?
Cox: We have a great CISA CDM team – and I’m extremely pleased with all the hard work they’re putting in every day and how they’ve been able to work through some stressful times here.
Then, looking at our partners in the agencies, we recognize every day the important work that the Federal civilian agencies are doing from a mission standpoint across all the different departments. The agencies have been committed to meeting those missions and keeping things moving forward and really helping to ensure that citizenry data is secure and protected.
We’ve been fortunate to have great partners on the industry side as well. The CDM systems integrators and the tool providers have been facing a lot of additional stress and continue to remain committed to the mission. We always knew they were top notch, and that has been further illustrated during these times.
Additionally, we have great inter-agency partnerships – like with the DHS chief technology officer’s office around TIC 3.0, and the National Cybersecurity Protection System for threat hunting and vulnerability management. These folks are all committed to these very important missions, and it’s been great to see effective collaboration in support of the Federal civilian agencies.
MeriTalk: What are your predictions about what’s going to change in government and society moving forward as a result of the pandemic – and what will we do now that’s new, or what will we need to stop doing in the future?
Cox: From our program’s perspective, we will continue to look at remaining nimble and adapting the delivery of our capabilities to the agencies.
Asset management, identity and access management, network security management, and data protection management remain critical regardless of how networks and processes change or where data is located. Agencies will still need these capabilities to protect their networks and data.
With the pandemic – or any future events – we are prepared to adapt to new circumstances in order to support agency missions. Our mission to help support cybersecurity visibility and risk management for the Federal civilian agencies remains steadfast.