Federal CISO Grant Schneider said today that the Trump administration is busy developing implementation plans for various aspects of the National Cyber Strategy that the White House released in September 2018, and that the Continuous Diagnostics and Mitigation (CDM) program is included in that effort.
The White House policy document focuses on a number of Federal government imperatives including securing Federal networks and data through better supply chain risk management and contractor security, securing U.S. critical infrastructure both in the Federal and private sector arenas, stepping up efforts to combat cyber criminals, and taking steps to improve the U.S. cybersecurity workforce.
Speaking at MeriTalk’s CDM Central event, Schneider said that development of the national strategy was a good start, but he called that just the beginning of the process. Going forward, “it’s about actions,” he said, including developing implementation plans for various aspects of the national policy.
An implementation plan regarding CDM “is one of those,” the Federal CISO said, but he added that the plan should not be expected to be released publicly.
Speaking more broadly about the CDM program, Schneider remarked that “situational awareness is really what CDM is all about,” and that the program aims to create understanding of “what we have today … what is in our environment … what are users doing,” and, ultimately, to “protect our data at the data level.”
“We need CDM to drive us forward on this,” he said, adding, “we’ve really come a long way” with the program.
Schneider also discussed the findings of a recent MeriTalk survey, which found that most Federal and industry CDM stakeholders think the program is improving Federal agency cybersecurity, but which also flagged challenges for the program in several areas, including agency funding, culture, and workforce.
He said the latter findings on agency challenges were “nothing that surprises me,” but reinforced that “where we have the tools installed, we are seeing value.”
In other areas, Schneider said the administration was working with some urgency on an update to its IPv6 policy, and expects to put that out for public comment, although he did not offer a timeline. He said the issue was “absolutely critical” because it involves interoperability.
On the threats front, Schneider warned that cyber adversaries are getting better at their craft. “They are getting better tools,” and their attack skills “look like nation-states of a few years ago,” he said. “The gap is closing,” he added.