Matt House, who was named program manager of the Cybersecurity and Infrastructure Security Agency’s (CISA) Continuous Diagnostics and Mitigation (CDM) program last week, sketched out some principles in the program’s path forward today at FCW’s CDM summit event.
CISA announced the new program manager appointment last week. House will take over as head of the program from Richard Grabowski, who has been acting program manager for the past 18 months. He will remain as the program’s deputy manager, with a focus on engineering.
House joins the CDM program from Microsoft Corp., where he worked for most of 2022. Prior to that, he was vice president-technology solutions at EGlobalTech from 2018 to 2021, and for 12 years previously held positions at InfoReliance.
While at the latter firm, House supported “government-wide efforts with the Department of Homeland Security (DHS) to strengthen and enhance federal civilian agency cybersecurity postures, including the CDM dashboard implementation and EINSTEIN,” CISA said. His background also includes management of large tech teams, adoption of cloud capabilities for government agencies, and managing programs exceeding $100 million.
“I’ve spent the better part of the last two decades working in support of the Federal government, primarily on the systems integrator side of the house, and have been very fortunate to support some great programs and some great agencies throughout the entire Federal government,” including early work from 2014 to 2018 on the first iteration of the CDM dashboard, House said today at the FCW event.
House said today that his new job “feels like I’m coming home, and I’m super excited about where we want to go.”
“I’m firmly in the drinking-from-a-firehose portion of my onboarding in this role,” House joked, and said, “we’ll be formulating a coherent, updated view of where we want to take the program over the next few months.”
Until a more detailed plan emerges, House said “my priorities for the program are to continue the great things that the team has accomplished … and in particular what’s been accomplished over the last 18 months.”
“This includes continuing to operationalize our investments in CDM … giving value and driving visibility for agencies to continue to enhance their ability to combat cyber threats,” along with addressing emerging requirements, House said. “I think the only constant is change, especially in this program.”
House made clear that he wants to sustain CDM program momentum generated in particular by the White House’s cybersecurity executive order and subsequent directives from the Office of Management and Budget (OMB) and CISA for agencies to rapidly move to zero trust security architectures.
A key part of those efforts involves installing endpoint detection and response (EDR) capabilities on agency networks – matching one of the foundational elements of the CDM program’s goals – and bolstering identity management capabilities.
He also said that continuing to nurture relationships created with agencies, OMB, and within CISA over the first ten years of the CDM program will be a key goal going forward and that he wants “to make sure that those relationships continue to yield the fruit of enhanced security posture as well as actionable and meaningful feedback.”
Growing those relationships, he said, feeds back into key program objectives. “It’s demonstrating and then continuing to enhance and respond back to the feedback we’re getting from the agencies on how they can they can leverage CDM, what they need, how they’re using the tools, how we can continue to tweak them,” he said.
“It’s driving EDR, which as you know we’ve made tremendous strides thanks to the team over the past 18 months,” House said, adding, “and driving zero trust, adaption and defining helping to define what that is and being one of the major water carriers on that effort.”
Another key objective, House said, is “being ready for the unknown,” which could include emerging requirements, requirements from new Federal policy and legislation, and developments that are driven operationally and geopolitically.
Asked about the CDM program’s ability to help agencies comply with CISA’s binding operational directive (BOD) issued earlier this month that sets baseline requirements for Federal civilian agencies to identify assets and vulnerabilities on their networks, and to provide data to CISA on those assets and on vulnerability detection, House said that the BOD and the CDM program “are really on the same page.”
He continued, “we want to see those standards, we want to raise all boats, that level of cyber hygiene for continuous monitoring, and so the BOD and CDM are really on the same page … we have mutually agreeable objectives there.”