A year after the Department of Homeland Security formally launched its effort to move agencies toward a continuous diagnostic and mitigation approach to cybersecurity, things are off to a slow start. On the plus side, the agencies that have gotten the ball rolling already are seeing good results.
The findings come from a survey of federal IT professionals, senior managers and contractors by the non-profit SANS Institute.
In the online poll, conducted in April and May, nearly a third of respondents said their agency still was unfamiliar with DHS’ continuous diagnostics and mitigation (CDM) program.
Another 27 percent said what they did know came from press accounts or SANS publications rather than DHS outreach or communication from higher-ups in their agencies. And fewer than 5 percent said their agency had started using the $6 billion blanket purchase agreement DHS issued last August to buy products and services to start implementing a CDM program.
In general, the authors concluded that while DHS had done a fair amount of outreach to educate agencies on the push toward CDM, it’s been focused so far on senior officials such as chief information officers and chief information security officers, not the operational-level employees who will need to implement CDM.
“We’re seeing two types of reactions,” said Kenneth Durbin, who manages the continuous monitoring practice at Symantec, one of the companies that sponsored the survey. “One is where the headquarters CISO does a great job of communicating downstream and everyone defines CDM in the same way and everyone’s working toward the same goal. But we’re still coming across agencies where the CISO is the cheerleader, and when you go talk to the sub-agency, they say, ‘They haven’t talked to us yet. We don’t know what they’re doing.’ But I think things are trending in the right direction.”
Low recognition of CDM by auditors
In particular, the survey found extremely low levels of awareness of and support for CDM from agency inspectors general.
The authors called that finding “extremely troubling,” since a primary goal of the program is to move organizations away from the costly and inefficient paperwork exercise of auditing and certifying IT systems on an annual basis and migrate toward a system that automates the process of identifying security weaknesses and uses that information to make improvements on an ongoing basis. The current approach to agency compliance with security controls is predominantly overseen by IGs.
“For something that’s as comprehensive as the CDM program, you have to have all parts of the ecosystem participating. It’s not good enough to just buy tools. That’s not the point of the program,” said Tony Sager, the director of the SANS Innovation Center. “The point is to pull together the questions of what problems you’re trying to solve, what are the technologies you need to solve that problem and how you build workflows and processes to create a feedback loop that actually creates better cybersecurity, and the role of inspectors general is a vital one in terms of highlighting problems and pointing out areas for improvement. So that’s clearly an area that’s going to need some attention as the program matures.”
According to the survey, agencies also have some additional work to do before they can begin to make good decisions about how and where to begin deploying CDM.
To receive funding for the CDM program, DHS told agencies they first needed to develop a baseline assessment that identified their current cybersecurity posture and the highest-priority gaps that could be filled through the use of a CDM strategy.
But only 21 percent of respondents said their agencies had done a formal gap assessment. Another 36 percent pointed to “informal” reviews of their agencies’ security gaps, but 44 percent said their agency had never done a comprehensive assessment of its cybersecurity weaknesses.
The agencies that have begun to move forward with CDM in a meaningful way, however, are reporting positive results. Almost three-quarters of the respondents whose organizations are participating in the program said they had seen better cybersecurity, lower IT procurement costs, or both.
But the rest said it was too early to know whether CDM had improved their agencies’ ability to measure the strength of their network defenses. Sager said the high number of uncertain responses highlighted the need to get meaningful, continuous metrics for security so that agencies can make informed decisions that make ongoing improvements to their networks.
“This, again, speaks to the need to create that feedback loop. We’re not doing these things just because they’re good things to do. We want specific improvements,” he said. “Some of this is a statement of the relative newness of the program, and it also helps us be aware that we need to put in place a measurement system that helps us put in place the right technologies that help us manage the problem.”
Vulnerability management most popular tool
At the moment, DHS is in the early stages of a three-phase rollout of CDM. The first phase focuses on securing the endpoints of agency networks: DHS wants agencies to set up systems that identify and manage all of the hardware and software on their networks, manage the configuration of those IT assets, and handle vulnerability management in a centralized way.
Of the agencies that have jumped into the CDM program in its early stages, the leading use of the DHS funding has been for vulnerability management.
The survey also revealed an uncertain future, at least in the near term, for DHS and the General Services Administration’s continuous monitoring-as-a-service (CMaaS) offerings under last year’s BPA.
When asked whether they planned to use those offerings, almost half the participants declined to answer the question. And of those that did answer, only 36 percent said “yes.”
“That’s not that surprising,” Sager said. “When you look at things like FedRAMP and other managed security services, the level of uptake still has a lot of growth potential ahead of it. I think there’s still a lot of thinking about the role of managed services, and the [CDM] program itself is really just starting to head down this road.”
When asked about the biggest barriers to adopting CDM, the most common response agency officials and contractors gave was that there wasn’t enough information coming from DHS about how to actually use the program within their own agencies. And in the absence of that guidance, they’ve decided to stay on the sidelines.
That wait-and-see approach to CDM has been relatively common throughout the federal IT community during the early stages of the program, said Tim Woods, the vice president for customer technology services at FireMon.
“There’s some proactive activity, and that’s very healthy to see. But I think there are also some people who are hanging back and waiting to see what happens,” he said. “They’re waiting for the program to develop more. That will happen too, so I understand that stance.”