Continuous Diagnostics and Mitigation (CDM) Program Manager Kevin Cox said this week that the program is placing particular focus on helping agencies better understand and architect security structures for cloud and mobility-based data.
Speaking during a July 15 webinar to discuss results from recent MeriTalk research into the CDM program, Cox delivered an overview of the CDM program, which he said broadly aims to “help agencies have a better understanding of the threat landscape and attack surface, and to help agencies protect their data better.”
Within that broader mission, however, Cox talked about the growing importance of helping Federal government agencies understand how to protect cloud and mobile-based data that extends outside the traditional on-prem network perimeter.
Cloud and Mobility
On the cloud front, Cox said “we want to make sure that agencies have a better understanding of what their perimeter looks like, to the extent that it even exists … and with cloud services, to understand where their data is.”
He said the CDM program office has been working pretty closely with multiple agencies on cloud-related pilots to help give agencies better visibility and to better understand protection of their data in cloud environments.
CDM’s DEFEND task orders have been a key part of that effort in enabling the program office to work more closely with agencies on cloud and mobility. “That helps us build partnerships with systems integrators and vendors,” Cox said, adding, “then you can get a better approach to helping agencies with security in the cloud.”
He said the CDM office has also been working closely with other CISA elements – including the CTO office, the Trusted Internet Connections team, and the National Cybersecurity Protection System (NCPS) – on cloud security. That work, he said, “takes the lessons learned” from all of those organizations to “provide the right guidance for agencies, and then get the right technology in place, to ensure that agencies moving to the cloud know that their data is protected.”
“There is a lot of ongoing effort between the CDM program and those offices,” Cox said. He added that he expects that effort to continue into FY2021 and beyond.
Cox said that much the same was true of the program’s work with agencies on mobility data management and putting mobile threat technologies in place. “There is a lot more to come in both of these spaces,” he said.
Seat at the Table
He said there is a “broad need across agencies” in cloud, mobility, and zero trust security architecture, and that his office wants to make sure it responds quickly to agencies’ needs in those areas. Part of that work, he said, is to “be at the table” “while agencies are designing solutions … whether it be on prem, or as we are seeing in more cases, with the cloud.”
While CDM is not helping agencies move to cloud services, “we want to be at the table as they are formulating strategy to go to the cloud.” He continued, “Once agencies have set their strategy, we can help get the right solutions in place.”
“We want to be there from the start as much as possible, baking in security as much as possible, rather than tacking it on afterwards,” he said.
“Talk to us about new systems moving in the cloud … so we can help with solutions design,” Cox advised. “But if you already have things in the cloud, let’s talk about how the CDM program and other programs can help make sure that data in the cloud is protected.”
On the broad goal of data protection management, Cox said the program office is “working through pilots with high-value asset system owners,” and will be “looking to broaden those out over the next few years.”
Asked about a major finding of the MeriTalk research – that most respondents say agencies are integrating CDM into their overall cyber strategies rather than as a standalone component – Cox explained that the program’s foundation of network sensors helps “agency leadership and security staff understand everything they need to protect, and helps them determine criticality of different kinds of data.”
“Getting that foundational view and tying that into security operations – in other words operationalizing CDM data – helps agencies then get the right processes in place” to create better security through patching and other means, he said.
Asked about research findings that adversaries are outpacing security capabilities, Cox replied, “from a security operations standpoint, we have to assume that our adversaries are outpacing us, so that we run as quickly as we can to get the right technology and processes in place.”
“I would argue that CISA has made a huge difference in that battle against the adversary,” Cox said, adding that once agencies get the right technologies in place, “you start to change the equation” versus adversaries and allow “agencies to lean in more” and achieve better security results. “I would contend that is making a huge difference,” he said.
“But if you don’t have visibility of your environment and attack surface,” then agencies won’t be able to properly defend their networks, he said. “You need sensors giving real-time or near real-time data to do that.”
“Once you get the foundation in place and have a broader view of the environment, then you can start to bring in additional technology that gives you even better ability to identify where adversaries are on the network, and to keep them out,” he said.
“The other key piece,” Cox said, “is all of these agencies are operating in a budget-constrained environment.” He continued, “There is never as much money as you want … but we want agencies to understand they are getting the best value for each dollar they spend.”