Federal agency chief information security officers (CISOs) told a Senate panel today that the security payoffs yielded by the Continuous Diagnostics and Mitigation (CDM) program are well worth the challenges that agencies have faced in implementing the program run by the Cybersecurity and Infrastructure Security Agency (CISA).


The CDM program and the EINSTEIN intrusion detection and blocking program are CISA’s two main programs aimed at protecting Federal civilian networks. For Federal agencies, implementing CDM capabilities is a multi-year effort that begins with foundational investments in network asset management and in user and access management infrastructure; those investments then yield large gains in network security and data protection management.

The CDM program and its ability to better protect Federal civilian networks have taken on a higher profile amid the major cyber attacks that have made headlines since late last year, including among members of Congress, who approved an extra $650 million in funding for CISA as part of the American Rescue Plan Act passed earlier this year.

At a hearing today of the Senate Homeland Security and Governmental Affairs Committee, Federal CISOs explained that the CDM program is not easy to implement, but that its benefits are well worth the investment. And CISA’s acting director endorsed the program as a key element of the government’s network protection strategy.

Responding to a query from Sen. Maggie Hassan, D-N.H., CISA Acting Director Brandon Wales said the program will continue to be an “integral part” of how the agency goes about securing Federal civilian networks. Sen. Hassan, along with Sen. John Cornyn, R-Texas, sponsored legislation in 2019 that would codify the program into Federal law, and also make cybersecurity resources available to state and local governments.

Asked by Sen. Hassan about the CDM program’s benefits and challenges at the agency level, Department of Health and Human Services (HHS) CISO Janet Vogel replied that CDM implementation has been “quite a challenge … because it is a huge effort” to undertake at large, federated agencies like HHS.

HHS, for instance, has more than 83,000 direct employees and almost as many contract workers and operates several big component agencies including the Centers for Disease Control and Prevention, Food and Drug Administration, National Institutes of Health, and Centers for Medicare & Medicaid Services.

In implementing the CDM program across the entire agency and its operating divisions, Vogel said, many networks are in varying states of modernization, which requires changes in network hardware and software. “It is a very, very complex activity,” she said.

But the payoff for that work is evident. “We have found that what it provides really helps us as a department,” Vogel said. “We are getting information in a more timely way,” which means “if we can see [problems] faster, we can respond faster” to security concerns, she said.

“We are very encouraged by the success of CDM so far and we are looking forward” to expanding on those efforts to help manage cybersecurity risk at the agency, she said.

Ryan Higgins, CISO at the Commerce Department, broadly seconded those sentiments.

He described “integration and duplication” challenges associated with implementing CDM at Commerce, which also has numerous component offices, but said the program has been “a huge success for us.”

“We look very much forward to continuing CDM integration across the department,” Higgins said.

Both CISOs also gave enthusiastic endorsements to remarks from committee members indicating that the extra funding approved for CISA by Congress earlier this year can help pay for increased deployments of endpoint detection and response tools.

John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.