'Evolving' CISA program helped agencies quickly respond to recent cyber incidents
CISA’s Continuous Diagnostics and Mitigation program uses close collaboration with federal agencies to identify and respond to cyber threats, including last month’s MOVEit breach.
The Cybersecurity and Infrastructure Security Agency said on Friday that the “evolving” capabilities of its Continuous Diagnostics and Mitigation — or CDM — program helped streamline responses to several recent cyber incidents affecting federal agencies, underscoring the importance of enhanced cyber coordination efforts across government.
Michael Duffy, CISA’s associate director for capacity building, wrote in a July 21 blog post that the CDM program was used “as part of a broader response” to two recent cyber incidents: the MOVEit breach and a “widespread” email security gateway — or ESG — exploit.
In addition to affecting more than 20 million people across the world, CISA told reporters last month that the breach — which involved a vulnerability in Progress Software's MOVEit file transfer service — impacted multiple federal agencies.
Using CDM, Duffy said CISA personnel were able to analyze “near real-time agency dashboard reports to coordinate targeted notifications” in response to the MOVEit breach “within minutes.” Agency officials were also able to use the CDM endpoint detection and response platform “to directly access the [impacted] agency’s environment” and look for “instances of threat activity” to address the ESG exploit.
In a LinkedIn post highlighting the program, CISA Director Jen Easterly noted that a federal cybersecurity effort like this “typically only gets attention when things go awry,” but that the agency and its government partners are leveraging CDM “to respond to cyber threats in a coordinated manner.”
CDM was first launched by the Department of Homeland Security prior to CISA’s formation in 2018, but Duffy said that greater agency collaboration over the past several years has positioned the program as “the U.S. government’s cornerstone for proactive, coordinated and agile cyber defense of the federal enterprise.”
The program’s enhanced cyber defense role is due, in part, to the creation of agency-specific CDM dashboards that automatically share data with CISA’s CDM federal dashboard, which has helped to streamline coordinated responses to identified cyber incidents.
“The CDM dashboards are not just a tool for measuring progress or visualizing risk — CISA’s cyber defense operators are increasingly turning to the federal dashboard to aid in incident response while agency cyber leaders and practitioners alike are beginning to shape operational and strategic activities based on the evolving ‘current state’ data provided by CDM,” Duffy said.
He noted that the chief financial officers of 23 agencies “are now sharing cyber risk information with CISA on a continuous basis through their CDM agency dashboards.”
Duffy credited the program’s evolution to “several major cyber events over the years that led to new and expansive authorities, increased demand for centralized services and a resounding call to strengthen government data protection on behalf of the American people.”
This included, in part, President Joe Biden’s May 2021 executive order on improving the nation’s cybersecurity, which he said “drove substantial changes to increase CISA’s operational visibility of granular data to the CDM dashboards and advanced our relationship with agencies.”
CISA is also poised to further expand the CDM program moving forward, with Duffy writing that the agency will be sharing additional details “in the coming weeks” about how it plans to “advance cyber defenses to ensure our nation’s resilience to cyber threats” in the next decade.