
The Cybersecurity and Infrastructure Security Agency’s (CISA) Continuous Diagnostics and Mitigation (CDM) program has made progress in meeting some of its key goals, but a new Government Accountability Office (GAO) report says the program lacks sufficient guidance for managing network security and data protection.
The CDM program provides Federal agencies with tools to monitor vulnerabilities and threats to their IT systems in near real-time.
The program also provides each agency with a dashboard for tracking its cyber situational awareness data, which feeds into a Federal dashboard. The Federal dashboard gives CISA and the Office of Management and Budget a government-wide view of agency cybersecurity information.
GAO explained that the CDM program has four goals: reduce exposure to insecure configurations or known vulnerabilities; improve Federal cybersecurity response capabilities; increase visibility into the Federal cybersecurity posture; and streamline Federal Information Security Modernization Act of 2014 (FISMA) reporting.
“CDM has met two goals. First, it is reducing exposure to insecure configurations and known vulnerabilities – 22 of 23 agencies reported that the program was helpful in accomplishing this. CDM is also meeting its incident response capability goal,” the June 11 report says.
“The program, however, has been less successful in meeting the other two goals,” GAO said.
Although CISA developed dashboards for the program, GAO said officials from 21 of 23 agencies reported that they had not yet fully implemented network security and data protection capabilities. “Several agencies cited a lack of guidance as contributing to the slow implementation,” according to GAO.
The government watchdog agency said that officials from four agencies noted that CDM helped them to automate FISMA reporting. However, officials from seven other agencies said that “data quality issues were adversely affecting efforts to streamline reporting leading to manual updates to correct data errors.”
Additionally, GAO said that CISA has not finalized key activities to support endpoint detection and cloud asset management.
“CISA’s actions to implement an endpoint solution for all agencies and issue updated guidance on cloud asset management would improve the cybersecurity posture of federal agencies,” the report says.
GAO made four recommendations to the Department of Homeland Security and its CISA component: issue guidance on implementing network security and data protection capabilities; address data quality issues; implement an endpoint solution; and issue updated guidance on cloud asset management.
DHS, on behalf of CISA, concurred with all of the recommendations.