The Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program is coming in at 30 percent under the expected cost, per the initial task orders for software tools.

“Departments were successful in negotiating down the price” from the initial General Services Administration (GSA) schedule price, said John Streufert, DHS’ director of Federal Network Resilience, at the Cybersecurity Innovation Forum this week in Baltimore, Md.

Streufert said the reduced pricing will lead to a budget avoidance of approximately $18 million. CDM creates economies of scale through “stair-step pricing,” meaning that the cost declines as agencies increase orders to vendors.

CDM is part of a government-wide effort to move from periodic checks of networks to continuous security. DHS and GSA last August announced the selection of 17 vendors eligible to sell products and services to interested federal agencies under a $6 billion blanket purchase agreement. The initial task orders were awarded on Jan. 15 for sensors that agencies can place throughout their networks to monitor and respond to malicious traffic.

Hewlett Packard [HPQ], Knowledge Consulting Group (KCG), Northrop Grumman [NOC] and Technica were the first awardees (Defense Daily, Jan. 16, 2014).

GSA, which administers the task orders, has not released what agencies the firms will be paired with. However, Streufert said DHS has written Memorandums of Agreement with 124 civilian agencies and 107 of those have committed to early engagement working groups.

While DHS is primarily responsible for the .gov domain, the Department of Defense and the Intelligence Community may also purchase products and services through CDM.

CDM originated out of the need to reduce the burden of manually compiling paper reports on cyber intrusions and protections required under OMB A-130, the Office of Management and Budget’s guidance on how agencies should manage and report to Congress on their information systems. The reports take three to nine months to prepare and become out of date as soon as they are printed.

“The ability to prioritize with these manual methods is limited,” Streufert said.

For civilian departments, Streufert estimates that agencies spend 65 percent of every dollar they are allocated for cybersecurity toward reporting. With CDM, that number will be reduced to 6 percent, opening up cybersecurity budgets to more sophisticated technology and harder defenses while meeting the requirements of OMB A-130.

CDM will also move the federal government away from the inadequate checks required under the Federal Information Security Management Act (FISMA). Established in 2002, FISMA requires “periodic assessments” of the network. Under CDM, checks will be at least every three days, Streufert said. When the program is up and running across the government, he said he expects 60-80 billion automated checks during every three-day period.

That amounts to the worst problems being identified in minutes versus days with fixes implemented in days versus years, Streufert said.

Streufert said three days was chosen as a benchmark so that checks are often enough to inform decisions but not too often that IT departments are unable to respond.

“Suppose you could find [an intrusion] every second, but is there a human to go fix it?” he said.

Information collected through CDM will also allow DHS to raise the cybersecurity status of a discovered vulnerability based on its frequency or impact on federal networks.

CDM is being rolled out in three phases. The fiscal year 2013 phase, currently in progress, focuses on endpoint integrity and managing the devices connecting to networks. The second phase for FY 2014 will look at overall infrastructure and managing user authentication. The third phase in FY 2015 will address boundary management, including a heavier emphasis on events throughout the network and remote access.

Next steps for CDM in the near term include finishing the patching process for known vulnerabilities, creating a subunit of the program aimed at Critical Application Resilience, instituting cloud security pilots for the civilian federal sector and assessing how CDM can support the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework.

A competition for a dashboard, which will provide a portal for IT departments to organize and view network activity coming from the sensors, is underway. Awards for labor task orders to complement the software task orders in phase 1 are also upcoming.

DHS also plans to continue exploring how CDM can be used on the state and local level. Streufert said GSA cannot accept state money, but that states can purchase directly from the companies on the blanket purchase agreement. The lower price negotiated at the federal level can become the starting price for the states, he said. DHS also plans to release a series of resources, including YouTube videos, for interested parties outside of the federal government.

“We’re trying to develop once and use many as efficiently as we possibly can,” he said.