The Cybersecurity and Infrastructure Security Agency’s (CISA) Continuous Diagnostics and Mitigation (CDM) program is aiming for big progress in Fiscal Year 2021 on upgrading agency and Federal-level dashboard infrastructure and improving the quality of data coming from agency network sensors, along with continuing to get a better handle on how agencies employ cloud infrastructure and cloud security.

That was the message from CDM Program Manager Kevin Cox, who talked about program objectives Sept. 29 at a virtual event organized by Federal News Network.

Making progress on the program’s ongoing dashboard infrastructure upgrade “really opens everything up for us from a scalability viewpoint,” Cox said. “And it opens things up for agencies by ten-fold, or even 100-fold,” he added. The new dashboard infrastructure, Cox said, will “help agencies with risk management, getting in front of risk, and understanding risk.”

Dashboard infrastructure, and getting better quality data up from agencies to the Federal level “are two big things for FY2021 … to really achieve the promise of CDM,” the program manager said. On the latter point, he said, “we want to ensure that the quality of the data coming up from the sensors is there, and then really operationalize the data” to help agencies better understand their security posture.

Cox credited the program’s DEFEND contracting vehicle with paving the way for agencies to continue to make progress on CDM deployments.

“With DEFEND, we have a vehicle to keep everything moving forward and fill any remaining gaps” for agencies, he said. Cox said the CDM program knows that agencies won’t be replacing all of their infrastructure at once, and that the DEFEND task orders are geared to deliver the flexibility that agencies need in that regard.

With more Federal agencies turning to cloud services – and those services increasingly proving their worth as most Federal employees have worked remotely for much of this year – understanding cloud security better in the context of CDM was also a hot topic for Cox and other agency officials speaking at this week’s event.

James Saunders, CISO at the Small Business Administration (SBA), talked about his agency’s heavy reliance on cloud services, and how the CDM program has helped to integrate with those. “We don’t have a monopoly on cloud-based security tools,” Saunders said, but integrating those tools “around CDM really helped sharpen our saw.”

“When we saw attacks, we were ready to respond in seconds and minutes, rather than hours and days, and that’s a huge benefit to CDM,” Saunders said.

The SBA CISO said the CDM program especially proved its worth during the coronavirus pandemic when SBA was tasked to quickly expand staff and distribute hundreds of billions in emergency Federal aid to businesses. “When we needed surge support, Kevin and his team helped us out,” Saunders said.

Gary Stevens, Executive Director of Information Security Policy and Strategy at the Department of Veterans Affairs (VA), said the CDM program has “really evolved and matured” in recent years, and has been essential in VA’s mission to protect veterans’ data at an agency whose size and scale is “enormous.”

“CDM has been essential to our ability to gain visibility on what is happening in our environment,” Stevens said. “We are confident we are seeing everything in the environment,” he said, adding, “protecting veteran data, that’s really what CDM helps us to do.”

Cox said that both SBA and VA are “showing the promise of the CDM program.”

In the case of VA, he noted the agency’s very large footprint, and said, “we really wanted to work with Gary and the team to get full visibility … so they could get in front of the adversary and get in front of the threat.”

And he said SBA’s heavy use of cloud services is giving the CDM program more insight into cloud security and how the program works in that regard. “SBA is a great partner to work with on how we move CDM into the cloud, and how we work with CDM in the cloud,” Cox said.

“SBA has been a great partner in helping us really chart out the right ways to partner with the cloud service providers,” Cox added.

John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.