Insight by Trezza Media Group

CDM: Partnerships for progress

Kevin Cox is the Program Manager for the Continuous Diagnostics and Mitigation (CDM) Program, within the Department of Homeland Security’s Office of Cybersecurity and Communications.

In this position, Mr. Cox leads the effort working collaboratively with federal agencies to deploy cybersecurity solutions to 1) identify agency networks and assets and 2) protect them and agency data in near real-time against the growing cybersecurity threats.

Prior to joining DHS, Mr. Cox served as the Deputy Chief Information Security Officer (CISO) at the Department of Justice, where he oversaw the organization’s cybersecurity continuous monitoring capabilities and the security posture dashboard.

FY18 Critical

In a written interview with On The FrontLines, Mr. Cox explained the CDM program: what it is, what it has accomplished, what still needs to be done, and the timeline for reaching its goals government-wide. He explained:

“FY18 is a critical year for the CDM Program. The work for Phases 1 and 2 for the CFO Act agencies concludes and these agencies will have near real-time awareness of the security posture of their networks.

Additionally, the CDM Shared Service Platform providing Phase 1 and 2 capabilities to Non-CFO Act agencies will go into production by Q2 FY18. Non-CFO Act agencies will then begin to gain continuous monitoring capabilities for their network resources to ensure better cybersecurity hygiene.

The data exchanges between the agency dashboards and the federal dashboard began at the start of FY18. Through the dashboards, federal and agency leadership will gain better understanding of the security posture of the overall enterprise.”

OTFL: On the DHS CDM webpage it says: “DHS will work with departments and agencies to implement CDM in a consistent manner that demonstrates measurable cybersecurity results and leverages strategic sourcing to achieve cost savings.”

Please describe, with a specific example, how the Agency/DHS CDM collaboration works.

Kevin Cox, DHS: Since 2012 when the CDM Program began, DHS has worked closely with agencies to identify cybersecurity/continuous monitoring requirements.

Working with the General Services Administration (GSA), the Program established a series of task orders to deploy Phase 1 (what is on the network) and Phase 2 (who is on the network) capabilities. The task orders provide tools and integration services as well as agency dashboards to address cyber risks.

Once the task orders were awarded, DHS worked closely with agencies as deployment and dashboard integration was established. CDM program managers conduct regular working level meetings with agencies to ensure ongoing collaboration and coordination across groups.

In addition, the Program has worked closely with the agencies in various forums, including the quarterly Customer Advisory Forum (CAF). These forums provide agencies opportunities to provide feedback to the program on what works, what does not, and proposed new requirements.

OTFL: Please describe the DHS/GSA CDM relationship.

Kevin Cox, DHS: DHS and GSA have a strong partnership. GSA’s Federal Systems Integration and Management Center (FEDSIM) provides assisted acquisitions for the CDM program.

  • In 2013, the Program established the Continuous Monitoring as a Service (CMaaS) blanket purchase agreements (BPAs) to deploy CDM capabilities to agencies. This acquisition vehicle provides a consistent set of solutions, at a reduced cost, that enhance the government’s ability to identify and mitigate the impact of cybersecurity vulnerabilities and defects.
  • In 2018, the Program began using the Alliant Government-wide acquisition contracting (GWAC) vehicle to establish the next set of task orders covering all CDM phases, as well as dashboard integration.
  • This new contracting approach is called the CDM Dynamic and Evolving Federal Enterprise Network Defense (CDM DEFEND).

OTFL: How are agencies benefiting from using the GSA CDM and CMaaS BPA?

Kevin Cox, DHS: The benefits to agencies from the CDM Task Orders through GSA are:

  • Reduced costs for tools via volume discounting;
  • Standardized toolsets across the agency enterprise;
  • Comparable dashboards across .gov infrastructure facilitating common language concerning the information security continuous monitoring of agency data and networks; and
  • Stronger cybersecurity.

OTFL: How does the CDM program affect the general employee and how they perform their job daily?

Kevin Cox, DHS: One of the goals of the CDM Program is to provide cybersecurity tools to agencies to help protect agency data and systems, while allowing employees at the agencies to focus on their mission without disruption.

Cybersecurity solutions should support the mission, not hamper it.

CDM Phase 1 & 2 Progress

OTFL: During the Profiles In Excellence Federal Executive Forum, you noted that all of the agencies now have their agency dashboard in place; (but there is) still a lot of work to be done. Can you summarize the objectives and what agencies accomplished during Phases 1 and 2?

Kevin Cox, DHS: The CDM Program was developed to support government-wide and agency-specific efforts to provide an adequate, risk-based, and cost-effective cybersecurity solution to protect Federal civilian networks.

Phase 1 focuses on device management (e.g., laptop and desktop computers, servers, routers) and is currently deployed across approximately 72 percent of CFO Act agency networks.

  • The objective of Phase 1 is to help agencies manage “what is on the network” by providing information security continuous monitoring (ISCM) tools and capabilities that cover hardware and software asset management, vulnerability management, and configuration management.
  • By completing this first phase, the program is providing basic cyber hygiene to agencies to ensure they can manage their IT assets and reduce the attack surface targeted by nation-state and criminal adversaries.
  • Phase 1 tools and dashboards are being used by agencies to automate the identification, detection, remediation, and reporting of critical vulnerabilities, including WannaCry, Meltdown, and Spectre.

Phase 2 answers the question “who is on the network” to understand credentialed and privileged users.

  • Phase 2 helps agencies identify their authorized users and determine what data and systems their privileged users can access. The Phase 2 capabilities also help agencies ensure unauthorized users can’t access network resources.
  • CDM data feeds report to an agency-level dashboard for display and action. Aggregated data from the agency dashboards feeds into a federal-level dashboard to assist in security oversight and reporting. The federal dashboard provides federal leadership with visibility of the security posture of the .gov network.
  • The CDM agency and federal dashboards will help improve federal cybersecurity by providing much greater visibility into critical vulnerabilities on federal information systems and helping ensure systems are properly patched and configured.

OTFL: How much did this effort improve each agency’s security posture?

Kevin Cox, DHS: The Program has made significant strides in helping agencies gain better understanding of what is connected to their networks and who is authorized to use those networks.

During the asset discovery stage of Phase 1, the agencies and integrators discovered, on average, 75 percent more assets across the agencies than originally reported; in some cases, the increase was greater than 200 percent.

If you don’t know what’s on your network, you can’t protect it. CDM capabilities enable agencies to now know what is on their network and how it is patched and configured. This helps agencies reduce their attack surface.

Phase 2 focuses on user management (e.g., access levels and credentials of people using government networks and systems) and is about 20 percent deployed.

Beyond just knowing the user population on their networks, Phase 2 solutions provide agencies with insight into privileged user accounts.

The CDM tools and capabilities provide dynamic data. The capabilities provide agencies with insight into the continual state of the network and overall security posture on a continuous basis.

OTFL: Phases 3 & 4 focus on “getting additional protections out on the network for the agencies, as well as getting down to the data even more and protecting that; (and) getting the right solutions in place for the agencies.” Please describe what is to be accomplished in Phases 3 & 4: objectives and outcomes?

Kevin Cox, DHS: Phase 3 will focus on cybersecurity ongoing assessment and authorization, incident response standardization and optimization, cloud and mobile security, boundary protection, and event management. Phase 3 will also help address any gaps from Phases 1 and 2.

New DEFEND task orders will be awarded throughout the spring to begin work on implementing Phase 3 capabilities across the CFO Act agencies.

Phase 4 will focus on protecting data on federal systems using tools like data rights management and data loss prevention. This Phase will likely begin in FY2019.

OTFL: How will each improve the security posture of each agency? What is the timeline for completion?

Kevin Cox, DHS: Phases 3 and 4 help build on the foundation put in place by Phases 1 and 2. Ultimately, Phase 3 is widening the scope of visibility that agencies will have of their data and wherever it might reside (e.g., on a mobile device) to ensure the data is protected.

Phase 3 is also expanding from the internal, on-premises environment to the agency network boundary and beyond (e.g., data in a cloud service provider environment). Wherever the data is, agencies will have continual awareness of it and the protections in place. Agencies will also be able to respond better and more quickly in the event of an incident involving their data.

Phase 4 is focusing specifically on the data to ensure it has the proper safeguards in place (e.g., encryption) so that it is protected even if an adversary exfiltrates it from an agency network.

OTFL: Previously you stated that DHS is going to continue forward with shared service efforts as well as helping the non-CFO Act agencies protect their environment using cloud services. Can you elaborate?

Kevin Cox, DHS: The CDM Program has established a Shared Service Platform in the cloud for the Non-CFO Act agencies. The Shared Platform approach provides these agencies with CDM Phase 1 and 2 capabilities for their network environments. The information from these CDM capabilities is then sent to individual agency dashboards in the Shared Service environment. Information from the agency dashboards is then reported to the federal dashboard.

OTFL: Is there an additional topic important to government management that we haven’t focused on?

Kevin Cox, DHS: One question to consider is, “How is the CDM Program keeping up with ever-evolving cybersecurity threats?” Working with the .gov Cybersecurity Architecture Review (.govCAR), the CDM Program is in the process of layering in threat information to help in prioritizing initiatives at the agencies and identifying the most effective protections for agency systems. The CDM Program will also work closely with agencies to support them in securing their high value assets.

OTFL: One final question: In your role at DHS, what gives you the greatest satisfaction? What excites you each day?

Kevin Cox, DHS: I feel fortunate to be in a role where I can daily work with and support agencies to better protect their critical mission data and systems. Our federal data and systems are under attack second to second, and we need to stay in front of that threat to ensure we can protect all of the data and information the federal government manages on behalf of its citizenry. Through the CDM Program, we are helping agencies get the cybersecurity capabilities and processes in place to ensure that data and information is secured as much as possible based on the risk.

I also am fortunate to get to work with such a great team in the CDM Program Management Office.
