
CISA CDM Solution to Address Another Cyber Blind Spot in the Cloud

From the very beginning, the goal of the Continuous Diagnostics and Mitigation program was to find blind spots in cyberspace.

First, CDM focused on the fundamentals of cyber defense. The Cybersecurity and Infrastructure Security Agency program sought to ensure agencies knew who and what was on their networks. Then, CDM sought to illuminate cyber threats across the enterprise and government through dashboards.

Now CDM is shining a light on cloud infrastructure.

“We can address infrastructure as a service pretty directly as a logical, if not specific, extension of what we do for traditional assets. But we’re pretty much blind if we try to take the tools we have today and apply them to platform as a service and software as a service. It just doesn’t work. It’s not applicable, so we’re kind of blind,” Matt House, CISA’s CDM program manager, told Ask the CIO. “We also have to step back a little bit in terms of our definition of asset management from a software as a service perspective. It sounds to me like just data protection. I don’t need to know the implementation details. We’re in the early stages of working on that.”

House said CDM is starting with the “easy solution” of IaaS, which is identifying and securing cloud assets, and then using lessons learned to move to PaaS and SaaS instances.

The first step in this effort is to revisit how CDM defines assets. When agencies had most or all of their equipment on-premises, defining routers, switches or servers was relatively easy. House acknowledged that even today, more than a decade later, not every agency has 100 percent of its on-premises assets identified and monitored.

Leveraging Existing Cloud Monitoring Management Tools

“Then we have to think about what tools or capabilities we want. So if I pick cloud in particular, the delivery model is one of the main indicators of how we need to approach a particular subclass differently. That’s going to lead us to take different approaches and different tool sets,” he said. “These tools often evolve in place. They get better, so I think there’s a lot of richness that we can still tap into in those tool sets.”

CDM has invested millions of dollars since 2012 in cybersecurity tools and capabilities for federal civilian agencies. House said many of them, such as endpoint detection and response (EDR) or asset management software, have the potential to help agencies address cloud blind spots.

This “make more of what you have” approach is part of the evolution CISA has undergone at CDM over the past several years.

“We can either leverage (EDR) or extend it or fill the gap, rather than trying to think of it as every new problem space that needs a new CDM solution funded from scratch,” House said. “I would say that’s the reason we’ve made progress on EDR relatively quickly compared to some of the other options, because we’ve taken a gap-filling approach. By definition, that requires us to work a little more closely with agencies to understand very clearly what they have, rather than telling them what they need. We understand that collectively.”

Expanding the use of existing cyber tools

House provided several examples where a collaborative approach has worked.

In one case, an agency decided a few years ago that its EDR tools were good enough that it didn’t need CISA’s help. But then last year it decided it wanted to move away from its current EDR platform and move to a more modern one.

The CDM program team presented several alternatives and use cases from other agencies that have recently installed EDR tools.

“We helped them by sharing a lot of what we had learned over the last three years—many of them in the trenches—to guide their analysis of alternatives. It became a very natural and collaborative decision in the sense that they wanted to know what we had learned along the way. We didn’t have to influence them,” House said. “By sharing that information, we had a high level of confidence that they would choose a tool that we were comfortable with, that met their enterprise needs, and that was compatible with other CDM tools.”

In another case, CISA worked with an agency that had already implemented a solution, but had not deployed it across all of its enterprise units.

CISA helped the agency achieve nearly 100 percent coverage in about 14 months.

“We subsidized the licensing costs by helping them with their work, connecting with them and providing them with the professional services they needed. It was much more than just helping them decide which tool to use,” House said.

We are entering a new era of CDM

One area where CDM continues to standardize is the federal dashboard. House said 94 civilian agencies now submit data to the platform hosted by CISA.

“Generally speaking, I think the median is well over 60% to 70% of all assets that fall within the definition of that technology class. And that’s growing for us,” he said. “We’re looking at these things very closely across agencies and across implementations. I’m very closely involved in our overall data quality efforts, our data quality management efforts, because just getting the data isn’t good enough, you have to have confidence in the data. It’s very much a three-party effort. The CDM program management office, the integrator and the agency have all worked very closely together and need to do that.”

In the coming year, CDM will expand the scope of data fed into the dashboard beyond traditional IT assets to include mobile devices and even IaaS data.

“Agencies should be using the same visualization tools so that we’re all working on the same page. That data sharing process has shrunk over the last year because of some improvements in the dashboard infrastructure. It used to take us six months to get it out there because of the way we had to deploy packages and update all the dashboards individually,” House said.

“Now we can pump them out in less than a week or even a few days, which makes a big difference in terms of targeted response. The response to that is that the dashboard has grown in value to CISA, becoming a go-to tool for both proactive risk management and incident response and coordination.”

All of these activities are part of the ongoing evolution of CDM.

“CDM today is not the same CDM that evolved over the last decade. We stood on the shoulders of the work that we did over the last 11 years, and I wouldn’t trade it for anything. But we’ve really entered a new and exciting era,” House said. “CDM is no longer just a better trap for risk management and compliance—or compliance management. It’s really an operational tool for the agency and for CISA as a whole. It has a significant impact on our ability to proactively manage risk and be even more effective in responding to urgent threats.”

To learn more about CISA’s CDM program and its future plans, download the eBook sponsored by Booz Allen Hamilton.

Copyright © 2024 Federal News Network. All rights reserved.