What's in store for CDM in 2019 and beyond?

The program will spend the next two years operationalizing data and building out a new risk scoring algorithm, but agencies continue to "leave the door wide open" through bad hygiene.

digital planet (ShutterStock image)
 

The Continuous Diagnostics and Mitigation program will spend the next two years focusing on standing up its new risk scoring algorithm, transitioning smaller agencies onto a shared services platform and making program data more useful and actionable for federal agencies and overseers.

CDM Program Manager Kevin Cox outlined the Department of Homeland Security's goals for the program over the next two years at a March 27 technology conference hosted by the Advanced Technology Academic Research Center.

The program's new risk scoring algorithm, AWARE, will have a "soft rollout" in October, keeping tabs on basic agency metrics like vulnerability management, patching and configuration. Down the line, Cox said, DHS wants AWARE to drill down to the individual system level. However, another DHS cybersecurity program, the Government Cybersecurity Architecture Review, which is designed to look at agency-specific vulnerabilities through the eyes of a hostile attacker, recommended the program focus on lower hanging fruit first. Cox said there's little point focusing on higher level attack vectors when "the front door is wide open" because agencies are still skimping on the fundamentals.

"If you look at the way the adversaries are trying to get in on government networks, they are doing things like cryptojacking and more advanced attacks, " he said. "But at the end of the day they're going to go at the easier targets to be able to get a foothold and then expand out and move laterally across the network."

It's the latest reminder that, for all the discussion around advanced nation-state threats and the role emerging technologies like artificial intelligence and quantum computing can play in cybersecurity, the federal government remains far too susceptible to compromise through poor hygiene.

Attackers aren't burning high-value tools when targeting federal systems. The National Security Agency apparently hasn't responded to a Zero-day attack on government systems in the last four years, largely because hackers have found plenty of success through basic attack vectors like phishing and credential theft.

"This sounds incredibly silly to say, but the basic step of verifying that you actually own the networks that you think you do is really impactful," said Marshall Kuypers, senior director of cyber risk at Expanse, a cloud and cybersecurity company based in Silicon Valley.

While AWARE is scheduled to launch in October, agencies won't have to start looking over their shoulders right away.

"The idea is we're not going to turn it on and then immediately come down and beat the agencies up because they haven't patched their systems properly," Cox said. "We want to make sure the information they're seeing is the information we're seeing, help to identify the areas where they need to put more information on and then provide support."

DHS will also spend the year pulling smaller, non-CFO Act "micro" agencies onto a shared service CDM platform. The program expects to have 19 such organizations on the platform by the end of March.

Cox said agency leaders, member of Congress and the Office of Management and Budget have all pushed for more operational data from CDM. To that end, DHS expects to award a new dashboard contract in May that will build in new capabilities around data analytics and protecting high-value data for federal agencies.