The Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program may qualify as one of the most ambitious network security program ever conceived, with a focus on girding Federal agency networks with state-of-the-art security at both the agency and DHS levels – and not just for today’s threats, but also to meet the ever-expanding threat landscape down the road.
If that’s not a tall enough order, the CDM program also must meet agencies where they are today in terms of size, mission, structure, and network architectures. No two agencies are in exactly the same place on the path to IT modernization, and so approaches to meeting CDM program objectives also take different courses.
MeriTalk sat down with Steve Rea, Nutanix’s Manager of National Security, and Ryan McCullough, Executive Vice President and Chief Strategy Officer at ShorePoint, to talk about the future of the CDM program, opportunities in the near term, and where they hope to see the program’s progress in five years.
Both had plenty to explain about the nuts and bolts of CDM implementation, but as an overarching theme returned time and again to the program’s potential to be the great catalyst to drive the next generation of Federal agency IT modernization. Here’s what they had to say:
MeriTalk: Tell us how Nutanix is positioned on the leading edge of cyber security to aid the CDM program and Federal agencies that are implementing its protections?
Steve: CDM aims to improve and stabilize security across a wide range of Civilian organizations. With this posture and with the amount of security tools that are coming into play, there is a need for infrastructure hosting platforms to ensure these cyber applications are not only readily available, but also help them scale to keep up with the overall growth associated with CDM.
In looking to aid the CDM program, our main goal is to establish a consistent, reliable, secure, and scalable cyber platform. This platform can then provide agencies a consistent baseline to all the virtualized tools they need to help them move into the next wave of a cloud-ready infrastructure. The result is a path to help agencies complete their overall mission with CDM regarding tools, data, and reporting capabilities.
Ryan: Strictly from a cyber security standpoint and in particular the CDM program, there are three areas where I think modernized, scalable and adaptable compute/storage and processing platforms bring tangible benefit to how the program is being rolled out, and those three are related.
First, there is an increasingly large number of tools, data processing, and information that is going to be brought in through the CDM program, which is going to continue to scale and grow. We also know that threats from adversaries are going to evolve over time, and as such challenges in keeping Federal networks safe are also going to evolve. The dynamic nature of that is going to yield continued implementation and aggregation of tools, data, and information, but there’s a certain lack of predictability in terms of scale.
Second, with implementation of the new CDM dashboard ecosystem there’s a foundational infrastructure requirement for agencies that’s going to be necessary for them to think through from a platform perspective. In terms of the CDM stack you have tools within Layer A rolling into the integration in Layer B. It is within these two layers where the preponderance of the tools, and data produced by those tools, will exist. The information gets passed, processed, aggregated, normalized and presented to a new dashboard platform that’s going to require similar amounts of scale and security capability which will evolve in concert with the other layers. Getting a consistent architecture in place to support that stack is going to be important.
The third area where the platform is going to be important is with aligning that stack to ongoing agency modernization initiatives. Agencies are actively modernizing, enhancing and refactoring different workloads and making determinations about ways to optimize the performance and cost associated with those applications. In some cases, that optimization is achieved through migration to, or native development in, the cloud. When contemplating this they actively consider questions like, “what is the right kind of scalable agile architecture that should be put in place for their on-prem, cloud, or hybrid deployed workloads?”
It’s the tools stack, the data processing requirements, the new dashboard platform that’s coming into the environment, and the alignment to agency modernization initiatives that need to be contemplated by infrastructure, cybersecurity, and IT leaders across the government.
MeriTalk: From an industry standpoint, what are some of the biggest roadblocks you’re seeing with CDM implementation for Federal agencies?
Ryan: Roadblocks is an aggressive term that sounds as though it will prevent the implementation from happening. I think there are challenges, and they are many, and varied.
For instance, there’s been a big transition in the program that has changed the way it operates, and there’s been some learning that has happened through that process as people work through familiarizing themselves with processes such as Requests for Service and things of that nature.
From an IT perspective, one of the challenges has been the allocation of infrastructure to support the stack. For instance, they’re about to start deploying the dashboard ecosystem into agency environments and having clarity on the right foundational architecture to have in place for that environment – whether it be cloud, on-prem, or a hybrid approach – is something that needs to be contemplated by agencies. I wouldn’t say it’s so much of a roadblock as it is making sure we’re thinking through all the tangential impact of the implementation of the different aspects of the CDM security stack. That’s one of the things I see agencies, integrators, and the CDM PMO working through collaboratively – it’s going to be part and parcel to the success of the program. Again, tying back to not just implementing to get things up and running, but implementing with a vision towards long term modernization and transformation strategy.
Steve: A common roadblock or obstacle we encounter is working with agencies to find out how are they going to place these applications and cyber tools inside of their environment, the impact on current infrastructure, and the easiest way to scale – by either going cloud or leveraging a managed service provider. The program does a great job of outlining tool sets and ideas at the application layer, but it’s beneath this where there’s really no guidance or architectural best practices to follow – those are left up to the agency and the defense integrator. It’s at this stage where efforts and focus get shifted from the core mission, thus potentially resulting in a delayed rollout.
MeriTalk: While there are many challenges associated with CDM implementation, there are also plenty of opportunities for both the public and private sector. From your perspective, what are the biggest opportunities with the CDM program?
Steve: The biggest opportunity is the chance to modernize the underlying infrastructure. If you go back in time to when we went to virtualized infrastructure, agencies felt they had to virtualize everything and that’s the way their infrastructure is going to continue to evolve. Now we’re in a stage where agencies are driving everything to be cloud native. Unfortunately, across the civilian government, there are not many programs which lend themselves to become a catalyst for transformation and modernization.
We are fortunate enough to have a program such as CDM where we’ll be bringing in an era of new cyber applications and tools. But there also comes with it an abundance of data, and an opportunity for agencies to look at their overall infrastructure posture and decide how they are going to meet the mandate of modernizing infrastructure and becoming cloud native. This is truly a chance for an agency to look at the roadmap of where they want to be – how they want to achieve those goals and devote resources and planning to things such as hybrid cloud, software-defined architecture, and scalable platforms to modernize.
Ryan: To expand on Steve’s comments, I think the biggest opportunity is in the way that the program has structured the opportunity for agencies to build alignment and integration between their IT strategic plan, their cybersecurity strategy, and long-term modernization plan. To look at that in terms of cyber operations and take it from an aspect of “how do these things all knit together,” to provide tangible benefits in terms of improving cyber posture, achieving IT strategic plan objectives, and delivering on the mission in a more effective agile and secure way.
That is what the program really presents because the mechanisms in place actually allow agencies and departments to direct and drive the prioritization of security capabilities into their environment in a way that aligns with those codified standards or constraints that exist within their environment – so they can do it in the context of the way the agency needs to operate. That benefit of aligning those various aspects together in an integrated fashion can actually help departments and agencies accelerate all of those strategies in parallel together. That means the program can help them achieve more of their defined goals concurrently by leveraging the program funding as well as the workforce and skills available from the CDM integrators to make sure that all those things match together to drive the strategy forward in a more effective way.
MeriTalk: How are cloud environments and mobile devices impacted by CDM?
Ryan: There will be a robust cloud security architecture that is put in place to support agency cloud initiatives and migrations to different cloud service models, in order to enable secure cloud computing for the agencies. I also think there will be robust security architectures and capabilities delivered around mobile. You can look at this program as a unique and innovative kind of service provider to Federal agencies.
When you think about the situation we’re dealing with for COVID-19, and the rapid scale of mobile work that needs to happen in order to ensure continuity of operations and ongoing mission support for the agencies, the CDM program has a mechanism in place called a Request for Service (RFS). These agencies could look to the program to say, “I’ve got to get my workforce the ability to effectively execute on their mission goals responsibilities and functions, and I’m going to do so in a secure mobile way, how do I deploy out this secure mobile workforce capability in a way that ensures data security and connection security of our users and agency networks?”
This program is built to be agile and responsive to those kinds of needs in an effective way. In terms of how it will impact these evolving requirements, the program creates a framework that allows you to address the priority needs that arise on an iterative basis to build the security architectures, incorporate the service, implementation, and integrations that are necessary to allow agencies to function. Whether it’s for their traditional on-prem computing environment to the need for rapidly scalable, secure mobile computing – to deploying workloads in the cloud for efficiency, performance, and cost reduction – I think the CDM program has it there.
MeriTalk: How is the TIC 3.0 policy changing the game for CDM deployments?
Ryan: As agencies are looking at different use case models for implementation of tech that incorporates concepts of cloud, mobile, and remote workforce, that’s where they’ve got to meet the intent of what TIC 3.0 is seeking to deliver. The flexibility that’s provided by the TIC 3.0 guidance really supports the modernization of CDM because it allows agencies more flexibility in the way that they’re going to implement their security stack. Agencies have an opportunity now, through the CDM program, to look at implementation of these new security capabilities and to define the right use case for them that meets the attributes of the TIC 3.0 requirements and does so in a way that’s built for that agency’s operating requirements.
MeriTalk: If you could give agencies one piece of advice in regard to CDM, what would it be?
Ryan: Take the time to map your cyber strategic plan and your IT modernization plan back to the CDM program. Take the time to do that, understand where there is alignment between your cybersecurity strategic plan, and the capabilities delivered by CDM. And then, consider how you would optimally implement those capabilities in line with your modernization strategy. If you take the time to do those things, and really build out what that would look like for your agency, it will help inform your RFS development, and the opportunities to leverage and prioritize the program capabilities in alignment with your agency’s strategic needs, objectives, and mission.
Steve: The only thing I would add is to reinforce the idea of taking your time and looking to leverage the catalyst – which the CDM program is – to achieve specific goals within the organization. Whether that be modernizing or scaling out for the data ingest which will occur with growth, and from various realms of the organization coming into one singular enterprise. On top of this, ensure the plan accounts for long term strategic goals and not near-term fixes.
MeriTalk: What makes Nutanix stand out from the crowd among the other CDM industry leaders?
Steve: Nutanix is not specifically a cybersecurity solution provider, but an underlying element which elevates and strengthens the cyber posture and applications to help achieve the agency CDM goals. What makes Nutanix stand out in terms of an infrastructure standpoint is a number of differentiators. One is being designated as a leader in the HCI market by an independent third-party, analysts such as IDC, Gartner, and Forrester. Coupled with our 90+ NPS score, customers have the confidence our platform has been tested.
Another key differentiator of our solution is the breadth of the overall portfolio as it pertains to the Federal market share. If you look across our Federal customers, we hold the lion’s share of applications, specifically big data applications which are deployed in production environments and running at very large scale, across DoD, civilian, and intelligence community.
Lastly, the pure essence and elegance in which our solution is deployed and managed is where the value lies. We service everything from a couple of clicks and make it very simple for administrators and cyber technicians to understand, architect and deploy. That’s a key element when we look at the rapid pace needed to help these organizations achieve their end state and overall enterprise goals.
MeriTalk: Where would you hope to see the CDM program in the next five years?
Ryan: I’d like to see the program continue to evolve and set the pace for establishing the appropriate cyber posture for Federal networks across the enterprise. The one thing I would like to see in the next five years is agencies not viewing CDM as a compliance program, but instead looking at it as a foundational and integrated part of the agency IT and security strategic planning. Looking at it as an integrated component of those efforts to enhance cyber posture and improve modernization strategies for agencies, as opposed to anything that might be a stovepipe, separate stack that exists within the agency to meet compliance requirements. I think that legacy notion of CDM as a separate program needs to go away, and agencies and departments need to start looking at this program as something that really impacts and drives their agency mission and modernization strategy.
Steve: I’d like to see the CDM program provide more detailed architectural guidance on best practices around deploying the cyber applications which are coming into the civilian enterprises. Right now, it’s left to either be determined by the DEFEND integrator or the agency itself. Having a best-practice boilerplate for architectural design and review for baselining CDM infrastructure platform – whether that be on premise or cloud – would be beneficial to the agency in the long run.
To learn more on how Nutanix can aid your organization’s CDM efforts, check out their website.