CDM Roadtest

CDM is all about numbers – $6 billion, 17 primes, legions of subcontractors, and one big question. Is the shiny new program making Uncle Sam’s cyber security safer? This’ll be a focal point of the Cyber Security Brainstorm on June 18 at the Newseum. More than 250 Fed cyber security execs have registered – so space is tight. But back to the question – how’s CDM doing? Are the customers satisfied?

Under the Hood

Only one way to find out – take a peek under the hood. So, MeriTalk’s Cyber Security Exchange asked Fed cyber security execs in the agencies if CDM’s a Lamborghini or a lemon? We put the analysis wrenches down – and rolled out the CDM: Under the Hood study on Monday.

Good First Lap

DHS tells us that agencies burned rubber to meet OMB’s CDM deadlines. More than 96 percent of agencies met the April 30 deadline to identify a CDM manager in their agency. More than 87 percent met the May 30 deadline to deploy products to support the new security management approach.

Find the Accelerator, Please

Quizzed about roll out and task order processing timing, 58 percent of Feds want to accelerate program phase roll out. Fifty-one percent want phase one solutions task orders processed more quickly – flag for Jim Piche and his team at GSA. Providing recommendations on how frequently to refresh security assessment and discovery information, Feds want more real-time updates. Today, the plan for CDM is to provide updates to agencies every 72 hours. Ninety percent of Fed cyber execs want daily updates, and 56 percent want updates every hour. Thirty-two percent want real-time intelligence.

Risky Business

As the cyber security market shifts from compliance to risk management, CDM corners like it’s on rails and eats up the asphalt on the straightaway. Asked about the benefits CDM provides in their agencies, Feds revved their engines. Fifty-six percent say CDM reduces operational risk. Fifty-five percent point to enhanced risk prioritization – allowing cyber security pros to get to the worst issues first. Fifty-four percent point to quicker risk mitigation times – and 51 percent say CDM reduces time spent on paperwork.

FISMA Fork in the Road

Speaking of paperwork, it’s impossible to put CDM on the lift without road testing it against FISMA. I asked OMB about CDM and FISMA – do agencies still need to pay for FISMA if they’re doing CDM? OMB clearly said yes. “Yes. FISMA is the law.” The study provides interesting insight on the relationship between cyber security’s favorite acronyms – LOL. The net up front – FISMA’s far from RIP. Only 13 percent of Fed cyber execs consider FISMA OBE – saying that they have enough data to do away with FISMA. Fifty percent say they need FISMA today until CDM produces more data. Twenty percent say CDM will never replace FISMA. Interestingly, 17 percent are unsure.

Fed cyber security leads tell us they spend 25 percent of their cyber security budgets on FISMA compliance. Chipping in on future plans for FISMA reporting provides important insight on how CDM and FISMA can run together. Thirty-six percent plan to automate FISMA monthly reporting. Forty-two percent plan to swap out the automated dashboard for today’s quarterly/annual reports. Disappointingly, 24 percent have no plans whatsoever to change their reporting behavior.

Real takeaway, NIST and DHS need to get together to tell one story. How do these programs fit together –and what’s the roadmap for the future? And, speaking of confusion, or perhaps insecurity, the Federal cyber security initiatives need a branding makeover. How will the government achieve clarity if it keeps coming up with new terms?

Analytic Converter

Seems cyber execs like their new Streufert speedster. Looking down the road, Feds point to training, budget, legacy integration, technical complexity, culture, acquisition, and leadership supports as major speed bumps to accelerating CDM – check out the study for the stats. What do they need to pimp their CDM ride? Fifty-eight percent of Feds want more analytic capabilities. Next on the grid are critical application resilience, common trusted identities, automated tools, and enhanced RoI metrics – again, check out the study for stats.

So, there you have it, the numbers on CDM. If you’re interested in the voice track, we’ll look forward to meeting you in the pits at the Cyber Security Brainstorm at the Newseum on June 18. John Streufert’s in pole position on the CDM panel.

Steve O'Keeffe
About Steve O'Keeffe
The most connected executive in the government technology community – O'Keeffe is an accomplished entrepreneur and tech-policy expert, with 30 years’ experience as an innovator at the crossroads of government and industry. He founded MeriTalk, O'Keeffe & Company, 300Brand, among other entities. O'Keeffe is a fixture on the Hill, in both the House and Senate, testifying on IT, budget, government workforce, and the requirement to modernize government IT to enhance outcomes for the American people and government employees. He is a champion for change, simplification, transparency, and clear communication of IT value without jargon. A committed philanthropist, O'Keeffe has served for 15 years on the USO-Metro Board of Directors – Vice Chairman of the Board and Chair of the Annual Awards Dinner. He started his career as a journalist – O'Keeffe has contributed to The Economist, Government Executive, Signal Magazine, The Washington Post, and, of course, MeriTalk.