Page 24 - FCW, July/August 2018

FCW Perspectives
BEYOND ‘NEW SHINY TOYS’: CDM grows up
The government’s ambitious cybersecurity program is entering a new phase, and IT leaders are looking forward to seeing a return on their investment
The Continuous Diagnostics and Mitigation program, led by the Department of Homeland Security, is entering the third of four planned phases. By this time, agencies should know what and who is on their networks and be shifting their focus to understanding what is actually happening there.
FCW recently gathered a group of cybersecurity leaders to discuss their progress on CDM, the lessons learned in implementing Phases 1 and 2, and the expectations for the new Dynamic and Evolving Federal Enterprise Network Defense (DEFEND) set of task orders.
Challenges remain in terms of budgets and implementation. But now that the program is evolving from compliance to mitigation, many IT experts are cautiously optimistic that the government might finally be transforming its approach to cybersecurity.
The discussion was on the record but not for individual attribution (see Page 23 for a full list of participants), and the quotes have been edited for length and clarity. Here’s what the group had to say.
Holding vendors accountable
Participants said implementing CDM has been a challenge, and several expressed frustration with the standardized options they were given under Phases 1 and 2. They stressed the need for agencies to have more input into choosing vendors and products.
A DHS representative acknowledged those concerns, saying, “We have worked closely with [the General Services Administration] on the new task order to make sure that agencies had a seat at the table in terms of who is selected as that new integrator preceding DEFEND. We at DHS and GSA don’t want to be selecting these integrator solutions. We want the agencies to be selecting them. At the end of the day, we need to make sure we’re in alignment with what headquarters wants to do, but we also want to make sure that we’re accurately reflecting the requirements down at the mission level.”
Another participant added: “We set up DEFEND to be cost-plus. So we’ve built in the ability for the agency to be able to say, ‘Integrator, you didn’t come through on this, and so on this factor, we’re going to mark you down.’ We’ve had that in place for our dashboard contract, and that does make a difference because the integrator wants to get that whole award value or that plus piece. And when they don’t, their leaders are asking, ‘What wasn’t working? We’ve got to get that fixed.’”
Many participants raised concerns about being judged by the quality of the data they are submitting to the CDM dashboard, given vendors’ lack of consistency and the government’s shifting targets. “It was very late in the game when we learned that a lot of the requirements had actually changed,” one executive said. “When we talk about the data quality, is 80 percent accurate enough? Is 90 percent accurate enough? It all depends on the environment.”
The DHS representatives in the group said they’ve heard the data quality concerns across the board from agencies. “Beyond the 80 percent and 90 percent that are in our key performance parameters and operational requirements documents, we want it to be 100 percent to the extent that we can,” one said. “So if you have a center reporting on the status of patching an endpoint, that should be reflected accurately at the integration layer, and it should be reflected accurately on your agency dashboard, on up to the federal dashboard.”
However, DHS and the Office of Management and Budget are treating fiscal 2019 as a transition period because they know some substantial data cleanup is still needed. “When you start sending your data up to the federal dashboard, you’re not going to be immediately held to account on it,” one participant said. “Plus, in the June or July timeframe, we have the [Agency-Wide Adaptive Risk Enumeration] scoring algorithm coming online