Patrick Howard is Program Manager for CDM & CMaaS at Kratos SecureInfo, and is former Chief Information Security Officer at the Nuclear Regulatory Commission and the Department of Housing and Urban Development.
Have you ever gotten on the wrong Metro train? Perhaps you went to the wrong side of the platform and headed in the direction of Shady Grove when you meant to go to Glenmont?
Agencies might find themselves in a similar situation when it comes time to make decisions about their participation in the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) Program. As John Streufert, director of federal network resilience at DHS, discussed at a recent event hosted by Federal Times, some agencies already have strong continuous monitoring programs; some have a patchwork of tools and processes that need standardization; and still others have little to no capability at all. If you haven't carefully evaluated your current continuous monitoring capability, its level of maturity, and how to configure what you already own for CDM, you run the risk of going the wrong way, wasting time, and getting lost.
For example, you wouldn't want to find yourself in an unnecessary rip-and-replace deployment, realizing after the fact that a useful continuous monitoring tool is already deployed elsewhere in the agency. IT leaders can avoid this by having a clear view of what their agency really needs, rather than accepting a recommended solution simply because it's available at no cost. Having an information security continuous monitoring (ISCM) strategy may sound lofty, but as with any successful project, you need a roadmap to get you where you need to be.
Fortunately, DHS recognizes the challenges inherent in implementing a unified agency-wide continuous monitoring program. That's why the CDM Program isn't just about procuring products or filling a continuous monitoring shopping list. DHS' CDM/CMaaS blanket purchase agreement provides access to services that help agencies plan and implement CDM with the least amount of disruption, pain, and cost.
Those services can begin with a gap analysis to see how current technologies and capabilities within the agency's environments can be optimized and built upon as part of an overall plan for maturing its CDM program. This will also help agencies comply with the requirements of OMB Memorandum M-14-03, titled "Enhancing the Security of Federal Information and Information Systems."
As a former federal agency CISO, I appreciate the challenge agencies face in trying to reconcile how the mix of tools and technologies accumulated over the years can be harnessed for CDM. Our government worldview of cybersecurity has historically been through the dual (but separate) lenses of IT operations and IT security. Continuous Monitoring as a Service (CMaaS) support can provide a fresh, objective, best-practice-oriented view of your current capabilities, even uncovering and evaluating tools that were purchased but never fully rolled out (the "shelfware" problem) for applicability to a CDM program.
This includes reviewing the current security architecture to catalog the configuration management products in use, and then updating and tuning them for use in continuous monitoring. For instance, an out-of-date vulnerability scanner that is run every week in the same way will continue to yield the same poor results. These tools can be tuned to meet the CDM requirements while also minimizing false positives and network impact. And then there are the people and processes involved in CDM. Agencies can use these services to clarify and streamline organizational roles and responsibilities, and to keep agency personnel trained and up to date on CDM best practices.
So how does this relate to the free resources that agencies may be eagerly awaiting?
DHS is wisely not taking a one-size-fits-all approach to CDM. To Streufert's point, agencies will be grouped according to their CDM capabilities and maturity, based on agency input. So if you didn't have a gap analysis and strategy in place before responding to DHS' foundational CDM survey last fall, your agency could find that the proposed solutions do not match your requirements, duplicate what you already have, or leave your other gaps and blind spots unaddressed.
The CDM Program is now at a critical stage: agencies can revisit their roadmaps within the next 60 days, before task orders are issued. Agency CIOs and CISOs should double-check their gaps and migration plans to make the best use of what their agency already owns for continuous monitoring. While it is tempting for agencies to wait on DHS, they can be proactive, informing DHS of any changes in their requirements and plans before heading down the wrong path.
Good planning is the key to successful deployment of CDM. A well-grounded ISCM plan can limit disruptions to normal operations, and can prevent delays in implementing tools and processes needed to mature the agency’s CDM capability.