CDM increasing visibility into agencies post-Cyber Executive Order
The Continuous Diagnostics and Mitigation (CDM) program, run by the Cybersecurity and Infrastructure Security Agency (CISA), is working to increase visibility of threats to networks across the federal government.
Speaking with FedScoop, acting Program Manager Richard Grabowski described some of the work CISA has undertaken on the program since the Biden administration’s Cybersecurity Executive Order (EO 14028) last May expanded its mission to include vulnerability detection and response.
According to Grabowski, the program mostly focused on cyber-hygiene and risk management prior to the cyber EO, which requires agencies to ensure object-level data flows to CDM so CISA can more proactively handle advanced threats.
“That’s a big change for us because it allows us to work a little bit more collaboratively on specific incidents with agencies and provide better guidance by the amount of visibility that we can take back at CISA — do some sensemaking on it,” Grabowski said.
Agencies had 75 days from the executive order, issued May 12, 2021, to sign memoranda of agreement with CISA revising CDM roles and responsibilities, and 95% did so in a “very short time,” he added.
CDM received funds to help specific agencies before expanding its efforts. While Log4j attacks are “today’s fire,” they reaffirm the need to establish a governmentwide data-reporting fabric through CISA so agencies can gain a better sense of their risk posture at machine speed, Grabowski said.
Most agencies have deployed their CDM dashboards, a testament to the program’s strong participation, and Grabowski wants to finish that work in fiscal 2022.
CDM is further encouraging agencies to invest in asset management capabilities because many are experiencing data fidelity and resource problems attempting to manually implement Binding Operational Directive (BOD) 22-01, which requires them to remediate vulnerabilities listed in a CISA-managed catalog (the Known Exploited Vulnerabilities catalog) by the due date CISA assigns to each entry.
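The manual data calls Grabowski describes amount to joining an asset inventory against the Known Exploited Vulnerabilities (KEV) catalog that BOD 22-01 references, which CISA publishes as JSON with a due date per entry. The following Python is an added example, not CDM or CISA code: it joins a constructed inventory against a constructed KEV-style subset (the field names follow the public feed; the CVE numbers, products, hosts and dates are placeholders), merges duplicate host records of the kind that cause data-fidelity problems, and orders findings by how far past their due date they are.

```python
"""Cross-reference an asset inventory against a KEV-style catalog to find
BOD 22-01 remediation work that is overdue or coming due.

Added example, not CISA or CDM code. The catalog entries and the inventory
below are constructed for illustration; the field names (cveID, dueDate, ...)
follow the public KEV JSON feed, but the CVE numbers are placeholders.
"""
from datetime import datetime

# Constructed subset of a KEV-style catalog. Field names match the public
# feed; the cveID values, products and dates are invented for this example.
KEV_CATALOG = [
    {"cveID": "CVE-2021-00001", "vendorProject": "ExampleVendor",
     "product": "Gateway", "dueDate": "2022-01-10"},
    {"cveID": "CVE-2021-00002", "vendorProject": "ExampleVendor",
     "product": "Logger", "dueDate": "2022-02-15"},
    {"cveID": "CVE-2020-00003", "vendorProject": "OtherVendor",
     "product": "Portal", "dueDate": "2021-12-01"},
]

# Constructed asset inventory, as a scanner or asset-management tool would
# report it per host. The same host appears twice with different casing,
# the kind of data-fidelity problem the article describes.
INVENTORY = [
    {"host": "web01.example.gov", "cves": ["CVE-2021-00001", "CVE-2019-99999"]},
    {"host": "WEB01.EXAMPLE.GOV", "cves": ["CVE-2021-00002"]},
    {"host": "db02.example.gov", "cves": ["CVE-2020-00003"]},
    {"host": "app03.example.gov", "cves": []},
]


def parse_day(s):
    """Parse the YYYY-MM-DD dates used by the KEV feed."""
    return datetime.strptime(s, "%Y-%m-%d").date()


def normalize_inventory(inventory):
    """Merge records that name the same host with different casing or
    whitespace. Returns {host_lowercase: set(cve_ids)}."""
    merged = {}
    for rec in inventory:
        key = rec["host"].strip().lower()
        merged.setdefault(key, set()).update(rec["cves"])
    return merged


def kev_findings(inventory, catalog, today):
    """Return (host, cve, due_date_iso, days_overdue) for every catalog entry
    present on a host. days_overdue is negative while still inside the
    remediation window. Sorted most-overdue first, then by host and CVE, so
    the list can be worked top to bottom."""
    today = parse_day(today)
    due_by_cve = {e["cveID"]: parse_day(e["dueDate"]) for e in catalog}
    findings = []
    for host, cves in normalize_inventory(inventory).items():
        for cve in sorted(cves):
            if cve in due_by_cve:          # CVEs outside the catalog are out of scope for BOD 22-01
                due = due_by_cve[cve]
                findings.append((host, cve, due.isoformat(), (today - due).days))
    findings.sort(key=lambda f: (-f[3], f[0], f[1]))
    return findings


def overdue_hosts(findings):
    """Hosts with at least one catalog entry past its due date."""
    return sorted({f[0] for f in findings if f[3] > 0})


if __name__ == "__main__":
    findings = kev_findings(INVENTORY, KEV_CATALOG, "2022-01-20")
    for host, cve, due, days in findings:
        state = f"{days} days overdue" if days > 0 else f"due in {-days} days"
        print(f"{host:20} {cve:15} due {due}  {state}")
    print("overdue hosts:", overdue_hosts(findings))
```

Replacing the embedded lists with the live KEV feed and a scanner export is the only change needed to run this against real data; the host normalization is deliberately minimal, and in practice the join key should be whatever authoritative asset identifier the agency's asset-management tool provides rather than a hostname.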
“We want to have those agency operators spending less time on manual data calls and more time on operating tools and defending the enterprise,” Grabowski said.
In light of recent BODs, CDM made slight adjustments to its Agency-Wide Adaptive Risk Enumeration (AWARE) algorithm, which gives agencies a risk score based on the number and significance of unaddressed vulnerabilities and misconfigurations. The update reprioritized vulnerabilities based on the BODs.
The AWARE algorithm won’t change significantly in fiscal 2022; the focus instead is on ensuring it has complete and accurate data so that agencies actually use it.
“We’ve heard from several agencies that have more robust funds that those algorithms are producing favorable analytics for them,” Grabowski said. “It allows them to look broadly across the enterprise and choose which vulnerabilities need remediation.”
With agencies constantly reinvesting in and reconfiguring their network architectures, they need to do a better job sharing their timelines for tool swaps and code substitutions with CDM, so together they can reintegrate that tooling into CISA’s data-reporting fabric, Grabowski said.
Agencies also need to identify authoritative data sources for automated CDM reporting, have multiple tools sending data to CISA, set realistic milestones for their reporting process, and establish a working group or other governance structure to do all that if they’re highly federated, he added.
Grabowski has been CDM’s acting program manager since August, and while the first round of interviews for the “fairly visible” position — which requires strategic and technical savvy — is complete, he said he’s focused on the task at hand.
“I do think I’m in it for the long haul because I’ve already been at this for about eight months or so,” Grabowski said. “We don’t have a defined [hiring] timeline; I’ll just say that the leadership team here wants to make sure that a very thorough, fair, inclusive evaluation process occurs.”
CDM is helping agencies determine their primary defensive structure and then purchase the necessary endpoint detection and response (EDR) tools to share data with CISA.