Industry Insight
BY MARK WEATHERFORD AND PAUL DOHERTY
Why CDM vendors need more flexibility
The first two phases of the Department of Homeland Security’s Continuous Diagnostics and Mitigation program have helped government agencies deploy foundational cybersecurity solutions for real-time visibility and continuous network monitoring to identify vulnerabilities, reduce risk, ensure compliance and respond to threats.
DHS and the General Services Administration deserve tremendous
credit for implementing
a technical program of
this size and complexity. However, the first two phases barely bring the government to the starting line of the cybersecurity technology race. The private sector and U.S. adversaries are already well past that point.
The most important phase of the CDM program is yet to come. Under Phase 4,
the government will tackle the data security problems of a mobile workforce and distributed cloud computing environment.
Government employees increasingly operate from remote locations and often connect directly to cloud- based services, business applications and even data storage, where traditional network perimeter monitoring is less effective and contributes little to
the overall infrastructure visibility of organizations.
As our colleagues Michael Chertoff and Jim Pflaging noted recently, “Identity is
a fundamental component of an overall strong federal network security posture.”
Agencies must prioritize solutions that monitor and protect users and data on both physical and virtual endpoints, as well as multi-cloud infrastructures where software-as-a-service
security vendor community to maintain up-to-date technology solutions and be proactive in planning for future threats.
The vendor community needs to rapidly respond to changes in the threat and vulnerability landscape with appropriate security tools, but the government’s acquisition process remains unable to maintain the same kind of pace. Although the government has taken a
process are minimized. We don’t see vendor variance as an issue, so long as the data collected and reported to DHS is consistent and actionable. Vendor variance in some cases represents an opportunity for competition to determine the most effective technology product vendor.
Agency visibility into product effectiveness will expedite the procurement process between the
30 GCN APRIL/MAY 2018 • GCN.COM
The process has become too cumbersome for government, CDM prime contractors and the security vendor community to maintain up-to-date technology solutions.
applications increasingly reside. CDM security solutions must work hand in hand with identity solutions to enforce broad visibility through a zero-trust, identity-aware strategy that protects data and governs its use to ensure seamless access for a distributed workforce.
The original CDM blanket purchase agreement set
up an approved vendor/ product guide and called for continuous updates. Although the BPA began with the right intentions, the process has become
too cumbersome for government, CDM prime contractors and the
step in the right direction
by transitioning the CDM BPA under the Alliant 2 contract vehicle to expedite procurement, we believe it should go further by giving prime contractors the flexibility to architect their own solutions and choose technologies while still maintaining rigorous testing for appropriate security controls.
Today’s cybersecurity ecosystem increasingly requires a platform approach. The security vendor community is prepared to respond, provided the disincentives for engaging in the government procurement
government and contractors as they engage in the massive data security undertaking with CDM Phase 4.
— Mark Weatherford
is senior vice president and chief cybersecurity strategist at vArmour, former deputy undersecretary for cybersecurity at DHS
and a senior adviser to
the Chertoff Group. Paul Doherty is an associate at the Chertoff Group, where he advises venture-backed cybersecurity startups and global, public technology companies on market trends, policy and growth strategies.