A newly issued Office of Inspector General (OIG) report shows that the Department of Homeland Security (DHS) was making only limited progress in implementing the Continuous Diagnostics and Mitigation (CDM) program in several years leading up to an audit completed in 2020, but has since taken action on several recommendations from the OIG that puts the agency in better position to benefit from CDM.
Most of the report covers an OIG audit of DHS progress on CDM implementation through early 2020, and notes implementation was limited despite the agency spending $180 million between 2013 and 2020 putting the CDM program in place.
One of OIG biggest findings from the 2020 audit – that DHS’ CDM dashboard technology only accommodated less than half of the required asset management data of March 2020 – was helped out by DHS’s installation in January 2021 of next-generation, scalable dashboard technology. That move, the OIG report quoted DHS as saying, “helped to ensure components use tools that meet requirements, set appropriate deadlines, and integrate component data.”
The OIG said those actions were responsive to its recommendation to DHS, and said it would leave the recommendation open “until we receive the Department’s updated CDM program plan, as documentary evidence that the DHS’ dashboard platform is appropriately scalable, components are required to use tools that meet program requirements and are subject to appropriate deadlines for implementation, and the dashboard contains fully integrated component data.”
The report also details problems that OIG found regarding vulnerabilities on CDM-related IT equipment, but reflects that DHS took action to address a recommendation on that front in late 2019. The OIG agreed that DHS’ actions were responsive to its recommendation, which also remains open “until we receive vulnerability assessment re-scans of the CDM servers and databases to verify that DHS completed mitigation of the previously identified vulnerabilities.”
Finally, the OIG recommended that DHS take action to define patch management responsibilities for its CDM IT assets, and said its review of steps taken by DHS in 2016 and 2019 were responsive to its recommendation. That recommendation also remains open, the OIG said, until it gets “evidence DHS has sufficiently communicated specific responsibilities to eliminate confusion” between a contractor supporting DHS’ Continuous Monitoring as a Service, and the data center hosting the infrastructure as to who is responsible for addressing database vulnerabilities.
The CDM program is operated within the Cybersecurity and Infrastructure Security Agency (CISA), that is itself a part of DHS.
The program aims to lead Federal civilian agencies through adoption of four core capabilities to improve security of their networks. Implementation of key program components is taking on increased prominence in the Biden administration’s cybersecurity executive order issued last month. Thorough implementation of the CDM program has been seen in the past few years as a more difficult task for some larger agencies – like DHS – that have numerous component organizations within them.
