CDM’s Evolution to Non-Traditional Technology: Why Now and How Will it Succeed?

cybersecurity review

By Tim Jones and Alison King, Forescout

The Cybersecurity and Infrastructure Security Agency (CISA) earlier this year announced that the next phase of its Continuous Diagnostics and Mitigation (CDM) program would broaden to include non-traditional technology, such as Operational Technology (OT) and the Internet of Things (IoT), in 2024.

At its 2012 launch, CDM was focused on gaining centralized visibility of traditional IT assets across civilian agencies. Since then, CDM has broadened its scope to include assets in mobile and cloud platforms, laying the groundwork for extending parity in visibility across increasingly complex environments.

While it is not news that the entirety of the enterprise needs to be taken into consideration for risk and exposure programs to be successful in the age of zero trust, it is momentous that a program as large and influential as CDM (which spans 92 federal agencies and boasts 3 million endpoints) is set to embark on securing non-traditional technology assets. So, why now, and what will it take to overcome the challenges inherent in understanding, interacting with, and protecting OT?

Why now?

While the security risks of non-traditional technology are not new, three significant factors have now come to a head, creating the perfect storm to prompt CISA to declare that the next phase of CDM will incorporate OT and IoT. Those factors are A) the knowledge gleaned from the first part of CDM, B) the known increase in threats to critical infrastructure, and C) the evolution of cybersecurity policy.

  • A) The knowledge gleaned from the first phase of CDM: When CISA set the initial parameters of CDM to end at traditional IT, there was recognition that the network and the endpoints extend beyond the security parameter. Through CDM’s initial exploratory work, CISA now has a dashboard with a single holistic view of what is going on across all civilian networks. Simply put, the more they see, the more they know what they don’t see on their networks, and these assets represent a growing risk that is no longer acceptable to ignore. As they build out this visibility, CDM program managers can peek at an item on IoT and realize that a subset of assets have no homes, aren’t mobile platforms, and aren’t part of the organization’s cloud deployment. This surfaces new assets and devices that may be seen and could be at risk for vulnerabilities.
  • B) Increased threat to U.S. critical infrastructure from adversarial nation-states:In January, the FBI warned about the growing threat of Chinese Communist Party (CCP) cyberattacks against U.S. critical infrastructure. This is just one of many recent examples of state-sponsored malicious actors targeting civilian critical infrastructure.
  • C) Growing cybersecurity policy: Underlying CDM’s evolution to broaden its scope to include OT and IoT is, of course, policy. The amount of cybersecurity policy and regulation that has come out under the Biden administration is unprecedented. In December 2023, the Office of Management and Budget (OMB) issued a memo outlining the 2024 reporting requirements in accordance with the Federal Information Security Modernization Act of 2014 (FISMA). The document outlines a mandate that created a more holistic perspective on zero trust; all agencies are required to submit their annual Chief Information Officer and Senior Agency Official for Privacy metrics as well as annual reports from their respective inspectors general by Oct. 31, 2024

What will it take to make CDM’s evolution to include non-traditional technology feasible?

One part of the challenge is that OT and IoT are built differently from IT. Non-traditional technology is often assets that don‘t have agents or come from a managed service, which means a lot of custom operating systems. Another part of the problem is the abundance and longevity of non-traditional assets in federal networks. A third challenge is that broadening the scope of CDM’s purview increases the (already large) amount of asset data to track – ensuring the quality of the data is critical.

In preparation for this evolution, it is important to leverage highly scalable technology to handle the influx of new data elements. One single source of trusted data and a solution that can address all three categories of IT, IoT, and OT in a single pane of glass becomes even more critical for the successful future use of artificial intelligence (AI) or machine learning (ML) capabilities, which will depend on clean, structured data.

Once a single source of trusted data has been validated, the first step is identifying all system components. Next is prioritization of what to conquer first, depending on each asset’s risk factor, leading to the creation of a tailored zero trust strategy.

The strategy will be shaped by exploring questions such as: How large is my platform? What is on it? What’s the risk factor of each component? Once the risk factors have been prioritized, agencies will need to take the more challenging step of first making sure that the riskiest assets are not internet-exposed and then coming up with a plan to replace them.

There must be some level of accountability and manageability around those assets in the move towards zero trust, including questioning: What services are on them? What functionality they provide? What kind of data will be moving around inside the enterprise? Those are all going to be components of this evaluation around IoT and OT that CISA is calling out.

Ultimately, for the evolution of CDM to succeed, we need to foster a culture change – transitioning from blanket acceptance of the presence of, for example, the telepresence-connected video camera in the conference room to the exploration of: What’s running on that system? Is that part of my network? Have we segmented that device into a safe environment?

As we start to report back the types of assets coming into the enterprise, we need to dig beneath the surface to determine if they are going to satisfy zero trust requirements.

Tim Jones is Vice President of Public Sector Systems Engineering, and Alison King is Vice President of Government Affairs at Forescout.