Looking forward to a more-flexible CDM

One of the early complaints about the Continuous Diagnostics and Mitigation program was that agencies didn't have enough say in how the work was executed, leading to mismatches between cybersecurity solutions and legacy computing environments.

Program leaders at the Department of Homeland Security attributed many of CDM's early stumbles to the structure the task order awards that matched agencies with integrators. Those General Services Administration-managed contracts are set to expire later this year and are being replaced by a new vehicle, CDM DEFEND, again administered by the GSA. At a May 23 FCW event on the CDM program, agency officials said the new structure will provide agency IT leaders with much more flexibility to implement the program on their terms.

Carlene Ileto, executive director for products and service delivery at the Department of Homeland Security, told FCW that feedback from agency IT leaders suggest that trust issues between DHS, agencies and contractors led to miscommunication and a failure to recognize how complex implementation was going to be during Phases 1 and 2, when agencies were given very limited influence.

"Many of our components have diverse computer environments that are very complex. [They’re] concerned about anyone impacting their mission which is understandable," said Ileto, who is responsible for coordinating CDM implementation across DHS' component agencies. Under the initial task order scheme, “a solution was provided without any true understanding of the computer environment and its complexity within DHS," she said.

"As a result, many of our [agencies] have shared concerns not only about the solution but the approval granted of a solution that does not work in their environments," she added. 

Gary Stevens, who served as the primary point of contact for CDM at the Department of Veterans Affairs, said it that it took time to get the right people in place.

"[B]ack in 2013, we probably did not have the right individuals engaged in CDM. It was a very small microcosm of personnel within the [Office of Information Security] that were working these tasks," said Stevens. "The lessons learned is that we were making some judgements that were not appropriate for the department that we have since rectified through more holistic and more integrated programs that we’ve put in place."

While the CDM program is often portrayed as being implemented more broadly at the department and agency levels, the reality is that much of the nitty-gritty work is done by a fragmented array of bureaus and offices. These are subject the ordinary ebb and flow of personnel, with many CIOs and others leading program implementation moving to new agencies and leaving their CDM plans to successors.

Kevin Cox, the CDM program manager at DHS, told FCW that the department has significantly restructured the way it conducts outreach to other stakeholders, establishing advisory boards that give agency leaders a say in contracting decisions, amplifying conventional and social media outreach efforts and setting up industry day events around CDM to coordinate with contractors.

"We're really working to follow the principle that if you want to get your message out, you need to communicate it seven times seven different ways," Cox said.

Customer agencies' early reviews have been positive. "One of the things I appreciate about the way DEFEND contracts are written is [that,] as opposed to that top-down, heavy approach we saw with the integrators primarily under Phase 1, the requirements are more clearly defined by the agencies and in large part by sub-agencies," another agency CDM lead, speaking on background, told FCW on May 23 . "This is about communication and when it comes to CDM, 90 percent of [the issue] is about communication," the official said.

While DHS is working to course correct to facilitate a smoother transition to Phases 3 and 4, everyone involved will apparently get plenty of bites of the apple.

Ileto indicated that DHS aims to continue building automation capabilities into the program after tackling boundary and data protection issues, noting that after Phase 4, "there will be a Phase 5, a Phase 6, a Phase 7 until eternity."