Budget, workforce challenge CDM implementation

Vendors say the Continuous Diagnostics and Mitigation program must evolve to deal with emerging threats.

Shutterstock image (by Maksim Kabakou): pixelated shield, protection concept.
 

Industry representatives told a House panel on Jan. 17 that a key cybersecurity program aimed at protecting federal networks was making progress, but budgetary and workforce setbacks are contributing to implementation delays.

The four-phase $6 billion Continuous Diagnostics and Mitigation program is designed to give civilian agencies access to tools and personnel to secure networks, identify trusted users and monitor network traffic.

The dearth of qualified cyber workers has a "tremendous impact" on CDM's implementation and effectiveness, Trey Hodgkins, the Information Technology Alliance's senior vice president for federal business, said during the hearing of the House Homeland Security Committee's Cybersecurity and Critical Infrastructure Subcommittee.

"It's a challenge for both the federal government and contracting employees to be deployed when they can't get their clearances through that process in a timely fashion," he said. "Imagine what we could do if we could get 10 percent" of the more than 700,000 backlogged applications cleared, he asked.

Hodgkins also said losing workers to the private sector was another contributing factor to the talent shortage, adding that there needed to be an effort to lure tech workers into the government.

Additionally, money was a central issue with many agencies lacking the resources to employ CDM. Hodgkins told Congress that agencies seemed to rely on resources Congress allotted to the Department of Homeland Security to trickle down and be used to implement CDM activities. Most civilian agencies receive CDM funding through DHS, but it doesn't cover the total cost of implementation.

"The inconsistent budget process has also contributed [to delays] because agencies cannot begin to spend dollars until they're appropriated," he said. "And if they're planning their execution, their identification of contractors, their identification of which tools they need … and we end up with a fiscal year where only five months are actually appropriated, it's too short of a time frame to effectively complete that, deploy the activity and get the dollars obligated for contractors."

Budget and workforce shortages aside, CDM vendors said they believe the program has provided a solid foundation for federal cybersecurity going forward.

"It's not a clear cut issue," Frank Dimina, the federal vice president for software company Splunk, which has a DHS CDM contract for data integration, told FCW following his testimony Jan. 17. "The early stages, we had to make some very complex decisions. They have to set up the architecture and the design.… That was a heavy lift, and now that is done we're bullish."

Dimina said that while CDM has had setbacks -- Phase 1 turned up some surprises when some agencies learned they had more devices connected to their network than anticipated -- there's more to be done.

"CDM has made great progress -- it's a foundation," he said, "and there are opportunities to do more.… We're at the halftime," and can look back and re-evaluate to see what's needed to go forward.

Dimina said CDM has significant data analytics potential that could help threat and vulnerability hunters and make federal systems more secure.

"That exact same data that is being collected [for risk awareness and risk scoring] without being changed, has extreme operational value," he told FCW, and "can make [the government's] job easier and more efficient."

Subcommittee Chairman Rep. John Ratcliffe (R-Texas) had bigger concerns about the potential exposure of the federal government to cybersecurity risks.

"The rapidly evolving threat landscape of the modern information age means that government must change its processes to ensure that we aren’t gathering more data than we can protect," he said in his opening statement.