Page 41 - FCW, April 2017

into their budget the funding to cover the costs once they’ve transitioned over to the agency,” another said. “We’ll just have to see how that plays out.”
Participants also wondered whether dedicated CDM appropriations will continue beyond next summer and whether they will continue to flow through DHS.
A desire for ongoing funding seemed unanimous, but one executive noted that not everyone loves the current funding model. “As a buyer of CDM services, my hope is that OMB decides to centrally fund a large portion of it because then my interagency agreement with DHS to receive that funding and place it on contract is a really simple pathway,” he said. But CIOs and other agency leaders might be “hopeful that not all that money goes to the CDM program.”
“You want to have access to that money because it’s ultimately your responsibility as the agency head to provide cybersecurity,” he added. “You may want to have some discretionary spend where you can do a portion of CDM, a portion of some penetration testing and a portion for some other purpose.”
Security is more than CDM
Participants whose agencies are early in the process expressed concern that CDM implementation could conflict with or devalue other efforts. One official said her agency has been following the security controls in the National Institute of Standards and Technology’s Special Publication 800-53 for a long time, and now she is wondering how well those efforts will mesh with CDM.
A DHS participant said the CDM program works closely with NIST, and NIST has tested “a working CDM implementation from implementation of sensors down to the endpoints, fed up through the agency dashboard [and] up to the federal dashboard.”
Full coordination is still a work in progress, he added, but a planned part of CDM’s Phase 3 “is mapping all of the 800-53 controls [and] everything that falls in the cybersecurity framework against the requirements that we establish with CDM.”
Other officials said some agencies must also deal with the pride of ownership that security teams feel. “They’re very proud,” one participant said. “When you’re doing the initial introduction to CDM, you get feedback like, ‘We already have tools in place. We’re doing this, we’re doing that.’”
He recalled a conversation with a network engineer who was concerned because his team had “just deployed something that we spent a million dollars on. [I said,] ‘I’m not asking you to get rid of it, but this is what we’re going to have in addition.’”
Figuring out how CDM fits into an agency’s broader security strategy is essential, another participant said, because CDM doesn’t come close to doing everything.
“You need to remember that CDM, in a nutshell, only provides you with a baseline configuration of your environment,” the security expert said. “Making sure that their hardware is secure is one level, but monitoring what actually is coming in and what’s leaving the agency, I think this is more important.”
CDM “is one aspect of the security,” he added. “It’s not the whole thing.”
Sharing lessons when one size won’t fit all
Participants from customer agencies raised another friction point: They lack a good sense of how other agencies are approaching CDM, though they also said cookie-cutter approaches are unlikely to succeed.
“We need to do more homework before the contractors can start,” one official said. “Each agency has its own requirements, culture, size. It’s not one-size-fits-all, unfortunately.”
Those who’ve worked on CDM at multiple agencies agreed. As one executive said, “Those types of processes in terms of change control, the speed at which the changes have to be made and the communications around all that have introduced problems, agency by agency, throughout the whole federal space.”
NPPD is collecting lessons learned at the program level, and “in terms of