The crown jewels of Federal agency network and data assets need better protection from cyber adversaries, but the jury is still out as to whether and when the government’s primary security program to protect them – the Continuous Diagnostics and Mitigation (CDM) Program – will provide the kind of protections that those assets require.
That’s one of the main findings from MeriTalk’s latest research report on the CDM program, “CDM, Defending HVAs.” The new report surveyed almost 100 Federal and industry stakeholders for their views on how well the CDM program is currently defending Federal agency High Value Assets (HVAs).
The results show that 86 percent believe that a CDM-type program would do a better job at protecting Federal agency HVAs than the government is currently doing, but three quarters (75 percent) say the CDM program as it stands today is not doing enough to protect HVAs.
Not surprisingly, most of those surveyed (86 percent) want the CDM program to speed up its efforts to protect HVAs, but they also see significant roadblocks in the way of rapid progress, including funding and cyber workforce shortages.
The CDM Program has undertaken an unspecified number of HVA protection pilots with Federal agencies, but Program Manager Kevin Cox said in October that those pilots can be complicated because they involve mission-critical systems.
Speaking about pilots on HVA protection, Cox said “what we have found … is there is a lot of complexity there.” He said the program must be careful about how it deploys technology and architects systems “to make sure we don’t disrupt a mission-critical system.”
“Slow and steady wins the race” in those situations, Cox said. “We want to scramble to get the technology in place … but if we scramble and architect the system in the wrong way, then we set ourselves back.”
In other MeriTalk survey findings, 80 percent expressed some concern about data that the CDM program relies on, with just 15 percent saying they “completely trust” data that underlies CDM Program dashboards and algorithms. About one in five, or 21 percent, said they would classify as “high quality” the data collected from agency networks by CDM sensors.
To address those worries, more than half (59 percent) recommended improving communication, and 52 percent said they believe standardizing data collection will help.
In remarks delivered in late September, Cox said the CDM program’s major goals for Fiscal Year 2021 include upgrading agency and Federal-level dashboard infrastructure, improving the quality of data coming from agency network sensors, and continuing to get a better handle on how agencies employ cloud infrastructure and cloud security.
Those FY2021 program goals broadly match up with many of the concerns expressed by participants in the MeriTalk survey. Listing the most important steps for the program to take on HVA protections going forward, 63 percent listed expansion to cloud environments, 59 percent flagged quality sensor data, 57 percent mentioned expanding to mobile environments, and 41 percent identified the new dashboards that the program has been rolling out to Federal agencies.
Paul Cunningham, CISO at the Department of Veterans Affairs (VA), commented that “the CDM program has done a lot to help aid in cybersecurity efforts,” but added, “there’s more to be done in protecting our High Value Assets.”
To learn more about the latest MeriTalk research and what the CDM program is doing to tackle HVA security, please register for MeriTalk’s CDM Central virtual event on Dec. 3 from 8:50 a.m. to 12:40 p.m.