DHS faces setbacks implementing CDM, watchdog says

The Department of Homeland Security has failed to address critical vulnerabilities across information technology assets due to significant delays in the department's rollout of a federal Continuous Diagnostics and Mitigation program.


Setbacks and multiple delays have hampered the Department of Homeland Security in its efforts to build and implement a Continuous Diagnostics and Mitigation (CDM) program, according to an audit conducted by the department's inspector general.

The IG report published last week identified vulnerabilities that it said left the department exposed to cybersecurity attacks after DHS failed to clearly define patch management responsibilities and implement required configuration settings.

DHS spent $180 million between 2013 and 2020 to design and build a CDM program, yet the report found the department had "not yet strengthened its cybersecurity posture" by implementing a department-wide continuous monitoring solution. The audit was conducted between August 2019 and August 2020.

Led by the Cybersecurity and Infrastructure Security Agency, DHS launched the CDM program in 2013 to fulfill the Office of Management and Budget's routine information management security risk requirements. The goal of the program is to reduce threats and improve cybersecurity capabilities while streamlining reporting and increasing visibility into the federal cybersecurity posture, according to CISA.

Abandoned approaches to the project led to missed deadlines in 2017 and 2018, by which point the department had spent $38 million to design an initial dashboard which the report noted "crashed shortly after deployment." The cause of the crash was undetermined.

"As of March 2020, DHS had developed an internal CDM dashboard, but reported less than half of the required asset management data. Efforts were still underway to automate and integrate the data collection process among components so DHS could report additional data, as required," the report said. "DHS now needs to upgrade its dashboard to ensure sufficient processing capacity for component data. Until these capabilities are complete, the Department cannot leverage intended benefits of the dashboard to manage, prioritize, and respond to cyber risks in real time."

The report stated that, by the time the audit fieldwork had been completed, DHS was making progress in implementing the CDM program. In total, the report found eight high-risk and three critical vulnerabilities across 51 DHS assets. The inspector general's office made three recommendations, which include updating the CDM program plan to outline how a current model of the dashboard can transition to a scalable platform. The recommendations also call on the chief information security officer to mitigate the risks identified in the audit, as well as define patch management responsibilities for CDM IT assets.

In comments responding to the report, DHS took issue with the statements suggesting the department had "not yet strengthened its cybersecurity posture" and "wasted" $38 million in initial efforts to build the program. The department acknowledged "initial challenges" in designing its CDM solution, however, and said it "remains committed to building on its CDM program successes, while also exercising sound business judgement, obtaining the best value for the government, and incorporating lessons learned where appropriate."