Agencies have big information gap when it comes to CDM

A new survey from the SANS Institute claims there is a lack of awareness when it comes to the Department of Homeland Security’s Continuous Diagnostics and Mitigation Program, with increased staffing, training and word-of-mouth needed for meaningful progress.

The survey, which was given to federal, state and local security professionals, found that the only people with working knowledge of the program were chief information officers, chief information security officers, chief technology officers or other high-level security directors.

“Although the formal DHS outreach to CIOs and CSOs at the top of federal government departments and agencies has been extensive, the ‘trickle down’ of information to security administrators, analysts and operations staff has been limited,” the report reads.

CDM A visualization of the continuous diagnostics and mitigation process. (Courtesy of DHS)

One of the more glaring discoveries was that awareness and support of CDM among inspectors general was low, coming in at five percent of those surveyed. Given how CDM plans to move agencies away from yearly audits, SANS said it’s critical for IGs to better acquaint themselves with the program.

“It’s not good enough just to buy tools,” said SANS Institute’s Tony Sager. “Agencies want to enforce this whole feedback loop.”

The CDM program was established in 2012 to help federal, state and local governments move away from the expensive practice of re-certifying systems every three years. DHS, along with the General Services Administration, hope to increase security through CDM by allowing for a better picture of situational awareness of cyber threats.

Another negative the survey uncovered is that the respondents have yet to deploy configuration management — a key function of CDM — despite the necessity to have it work with vulnerability management.


The survey explains:

“Vulnerability management is essentially used to detect failures in configuration management, such as missing patches, misconfigured  systems and so on. When configuration management processes are improved, security goes up and vulnerability assessment critical findings go down. This is particularly important in the configuration management of security controls, such as firewalls, intrusion prevention systems and others.

“It is impossible to manage the configuration of assets you are not aware of. Historically, part of the issue at federal agencies has been that the distributed nature of IT systems and governance makes it hard to deploy asset management tools and processes that get full coverage. Those issues need to be addressed as part of the services task orders to make effective use of CDM products and technologies.”

SANS said while government budgets are a continued hurdle for agencies looking to implement CDM, more needs to be done in terms of information deployment and staffing if adoption is expected to speed up.

“Although the DHS outreach has reached the top-level personnel at the majority of government departments and agencies, how-to information has not reached the operational levels to the same degree,” the report found.

Among those surveyed, 48 percent said insufficient information was the top barrier for their use of the program, outweighing budget concerns (40 percent) or a gap in personnel skills (36 percent).


The survey highlights ways for agencies to move forward, using the Department of Health and Human Services as an example of how agencies can train their staff. During a recent HHS quarterly technology summit, the agency held multiple sessions dedicated to CDM.

After issuing a number of steps needed for progress — increased awareness, better guidance for inspectors general and added incentives — SANS points out that implementing CDM will be easier once agency managers embrace the shifting culture.

“Change anywhere is hard; significant change is that much more difficult–and driving significant change in government is exponentially harder,” the report reads. “Government security managers need more than access to products and services. They need more information, guidance and raining at the how-to level instead of at the programmatic level.”

You can read the full report here.

Latest Podcasts