The Continuous Diagnostics and Mitigation (CDM) program is looking to give agencies a cyber hygiene score, redesign its dashboard, and tie the program together with other cybersecurity efforts, said Kevin Cox, CDM program manager at the Department of Homeland Security (DHS).
During FCW’s Big Issues: CDM Conference on Wednesday, Cox detailed the new Agency-wide Adaptive Risk Enumeration (AWARE) algorithm and how it will keep agencies accountable for their cyber hygiene.
“What AWARE is, is similar to a credit score,” Cox said. “It’s looking at a couple of key variables, and then assigning a score to that agency to help understand how that agency is doing overall with that cyber hygiene process. By looking at the total number of endpoints against the score, we can come up with a per-endpoint average, so you can look agency by agency and see how each agency is doing compared to the other agencies, and we’ll be able to have a scale as to what agencies are doing well, and where they might need additional support.”
Cox noted that his office is working to operationalize the score over the next two quarters, and expected AWARE to be fully in production at the start of fiscal year 2020. With all 23 CFO Act agencies reporting to CDM, each agency should be able to receive a score, potentially opening the door for FITARA scorecard inclusion. Before AWARE can be deployed, Cox noted, the program office needs to work with agencies to verify the quality of the data coming from sensors, a problem that has unfortunately led to a snag for the CDM program office.
“Just to be open and candid, with all of that data coming in, we’re working through some performance issues to get that optimized as much as possible. We’re taking a look at the overall dashboard architecture to make that data as accessible as possible to the agencies, so that’s part of that operationalization process,” said Cox.
He noted that the program office has issued a recompete of the CDM dashboard.
“We’re looking at it as a dashboard ecosystem. Today, our dashboard architecture is just a vertical, from the sensor, up through the data integration layer, to the agency dashboard, to the Federal dashboard. What we want to do is optimize that data for the agencies to make that as valuable as possible, so we’re looking at other tools we can plug in, really focusing around that data integration layer,” said Cox.
Looking at CDM’s longer-term goals, Cox noted his desire to integrate with other DHS cybersecurity programs.
“We’re working very closely with the NCCIC [National Cybersecurity and Communications Integration Center], working closely with the National Cybersecurity Systems Protection team, the EINSTEIN team, the high-value assets program team to really tie all of these different solutions together to really help ensure that the Federal .gov environment is properly protected.”