Continuous Diagnostics and Mitigation: Discussion of Progress and Next Steps

Segment 1: Implementation of Continuous Diagnostics Mitigation

Segment 2: Tools and Software for CDM

Segment 3: The End State

It was in early 2010 that the Office of Management and Budget really began the push for agencies to move toward dynamic oversight of their networks and computers. At that time, the Federal Information Security Management Act was just a mere seven years old. For much of that time, agencies followed the guidance from OMB and the National Institute of Standards and Technology, which really were focused on creating rigorous processes and pushing compliance to meet cybersecurity goals.

But as the threats increased (think of the VA laptop incident, or the attacks against Defense Department computers by nation states, including China) and as every organization's dependency on technology grew, and continues to grow more than ever, the need to understand the health of your networks as soon as possible in order to protect and repair them became, and remains, paramount.

Flash forward to 2012, when the Homeland Security Department began a major push to give agencies the tools and policies needed to move off of the static and toward the dynamic by issuing policy and guidance for CDM. DHS followed with a major acquisition, awarding 17 vendors a spot on a $6 billion blanket purchase agreement.

DHS, along with the General Services Administration, is implementing the CDM program. DHS and agencies remain in phase one of the program, and a series of task order competitions are expected in the coming weeks to provide both the technology and the subject matter expertise to meet the goal of not only collecting but using the data.

All of these efforts lead to a 2017 deadline set by OMB for agencies to move to information security continuous monitoring (ISCM).

In the memo, OMB requires agencies to develop a strategy along one of three paths:

• Rely solely on internal capabilities
• Rely solely on DHS
• Partner with DHS

In fact, a major deadline is coming on June 30, when agencies must update their ISCM strategies to perform assessments and authorizations (A&As).


Jason Miller, Federal News Radio

Jason Miller is an executive editor and reporter with Federal News Radio. As executive editor, Jason helps direct the news coverage of the station and works with reporters to ensure a broad range of coverage of federal technology, procurement, finance and human resource news. As a reporter, Jason focuses mainly on technology and procurement issues, including cybersecurity, e-government and acquisition policies and programs.


Chuck McGann, Chief Corporate Information Security Officer, United States Postal Service

Charles L. (Chuck) McGann, Jr. is the Corporate Information Security Officer for the United States Postal Service (USPS). In this capacity, he has the responsibility of securing an intranet that is one of the largest maintained by any organization in the world with over 145,000 workstations, over 45,000 retail terminals and more than 8,000 servers. The USPS infrastructure encompasses over 600 business applications that support all aspects of business operations as well as movement of the mail.

Melinda Rogers, Chief Information Security Officer, Department of Justice

Melinda Rogers is Chief Information Security Officer at the Department of Justice in the Office of the Chief Information Officer. In this role she leads a staff of IT security specialists providing security operations monitoring and incident management, certification and accreditation oversight, as well as the Information Systems Security Line of Business team supporting the Cyber Security Assessment and Management solution. She is also responsible for ensuring the Department’s policies and standards align with Federal Information Security Management Act requirements and various applicable federal mandates. Prior to her arrival at the Department of Justice, Melinda served as Assistant Vice President for Equifax’s Fraud Prevention and Identity Verification Solutions.

Rod Turk, Director, Office of Cyber Security and Chief Information Security Officer, U.S. Department of Commerce

Rod Turk’s current position as the U.S. Commerce Department’s Chief Information Security Officer (CISO) and Office of Cyber Security Director puts him at the forefront of the government’s cybersecurity efforts. Mr. Turk manages and oversees the Department’s compliance with the Federal Information Security Management Act (FISMA) and implementation of IT security best practices.

Ken Durbin, Continuous Monitoring Practice Manager, Symantec

Mr. Kenneth Durbin is the Continuous Monitoring Practice Manager for Symantec. He is responsible for understanding CM requirements, defining use cases, and applying the appropriate Symantec technologies to best help our customers implement CM. His focus includes the standards, mandates and best practices from NIST, OMB, DHS and SANS and their application to CM. Prior to this role he was the Sales Specialist for Symantec’s Threat and Risk Monitoring Group (TRMG) products, and as such focused much of his time on the practice of Continuous Monitoring. Mr. Durbin has spent significant time talking to federal end users about the challenges CM presents. This experience has been combined with the knowledge of our product management teams and federal subject matter experts to determine which Symantec products will be most beneficial to our federal customers.

Mr. Durbin has been a provider of solutions exclusively to the federal government for the past 25 years. He has specialized in large, complex federal programs and accounts, working for companies ranging from small startups to large Fortune 500 firms.