Continuous Diagnostics and Mitigation (CDM) Program Manager Kevin Cox today discussed the possibility of a higher funding baseline for the CDM program in Fiscal Year 2022 that would allow the program through its DEFEND contract to tackle more security work for Federal agencies at a faster pace.
Speaking at MeriTalk’s CDM Central virtual conference, Cox said his office was continuing to work with leadership at the Cybersecurity and Infrastructure Security Agency (CISA) “in terms of waiting to see from an FY 2021 perspective where the final budgets end up … We will continue to monitor that.”
MeriTalk reported earlier this week that the CDM program is currently facing a significant funding shortfall relative to FY 2020 budget because of higher demand for its services especially during the coronavirus pandemic.
Asked at today’s conference about the funding implications of higher demand for CDM services, Cox talked about the goal of reaching a higher funding “baseline” for the program in FY 2022 and beyond.
“In terms of FY 2022 and beyond, one of the efforts we have had underway since we implemented the DEFEND acquisition approach … which gives the program a lot of additional flexibility and broadens out how we can support the agencies and provide additional value … is working within the department to get the program on a new baseline,” Cox said.
Achieving that new baseline, he said, would allow the program office to “take advantage of that flexibility in the contract, and be able to bring in additional funding for new initiatives,” Cox said. Among those initiatives, he listed endpoint detection and response (EDR) capabilities, and “additional protections out in the cloud.”
Funding flexibility would also be useful, Cox said, “when an agency has identified a critical gap where the CDM program would have the flexibility to bring in additional funding to support the filling of that gap.”
“That effort continues with the program working with our leadership,” Cox said. “We will continue to work closely with OMB [Office of Management and Budget] and with the Hill to be able to fully utilize the broad set of capabilities in the contract … to really help the agencies more and more to secure their networks and manage their risks,” he said. “That effort continues on into future fiscal years.”
Illustrating the scope of funding issues during the COVID-19 pandemic, Cox explained how his office was called on to help out in a pinch. “We had a request to ramp up some additional support for agencies involved in COVID response,” he said, in order to accelerate CDM capabilities at those agencies in the face of an increase in “adversarial activities” targeting the agencies. “Based on the flexibility of the DEFEND task orders, we were able to shift some funds over to support that acceleration at a number of agencies,” Cox said, while at the same time continuing the program’s regularly planned work.
The key, he said, is balancing budget against “the many streams of work we have ongoing or could do … and make sure that we stick to our priorities” including dashboard installations to better operationalize data.
FY 2021 Priorities
Cox also recapped a range of near-term program priorities that he has laid out in recent presentations, saying that the program office hopes to complete in FY 2021 the rollout to all major Federal agencies – plus smaller agencies via a shared services platform – of enhanced dashboard capabilities.
The new generation of dashboards, he said, “will allow agencies to support full operationalization of CDM data … and give Federal leadership that capability as well.”
On the dashboard front, Cox said four agencies have enhanced dashboards deployed, with eight more agencies laying the groundwork to get them.
“In FY 2021, we will be able to realize the promise of CDM with getting real-time data fed up to the dashboard … so agencies can understand all of their assets, their vulnerabilities, and more quickly make decisions around risk management,” he said, calling the FY 2021 target “an aggressive goal.”
A perennial priority – filling gaps in agencies’ abilities to understand their users and assets – is something “we are really leaning into” for FY 2021 and into FY 2022, Cox said.
Pilot Updates
The CDM program office is also continuing to undertake a range of cloud security and mobility security pilots with Federal agencies. The goal on the cloud security pilots, he said, is to work to identify “the right cloud security architecture for the Federal dot-gov … and to make sure they get from cloud service providers the same visibility into the dashboard as they would from on-prem” systems.
“The real key there is to make sure agencies understand what they already have in the cloud, and identify additional processing in the cloud … to bake in the cybersecurity visibility and tools and security operations center capabilities so that agencies have the ability to respond to any incidents they see,” he said.
Cox said the end-goal was much the same for mobility pilots – getting the same visibility as agencies have with on-prem networks. He said the program office is working with one Federal agency on that front, and planned to broaden that work “over the coming fiscal years.”
On another central mission – protection of agency high value assets (HVA) – Cox said the focus involves trying to better understand and protect those assets, which he indicated may deal with a lot of personally identifiable information (PII), and/or “life or death” missions. Over the past several years, he said, the program office has developed “a good understanding of what systems are most important.”
The next step in HVA protection, he said, is designating those that are “most critical – what are the tier one systems” and then working with system owners to get protections in place. He said the program office was working with one agency that has “multiple HVAs.”
“Today, we have a good handle on where those HVAs are … so it’s a matter of identifying with agencies which ones need more protection,” and getting resources to them through the DEFEND task order to protect them, or in some cases, modernizing systems with new architectures that have better protections in place,” he said.
For more on CDM challenges and opportunities, check out MeriTalk’s study on defending high-value assets, and for a look at how the program’s secret sauce is prepared, please enjoy the accompanying CDM Central video.