Making CDM work

The Continuous Diagnostics and Mitigation program at the Department of Homeland Security has retooled in recent task orders to give voice to complaints that agencies didn't have enough say in the acquisition and implementation process. FCW caught up with Jim Quinn, lead systems engineer for CDM, on the sidelines of a May 31 industry event to talk about how that learning curve played out in real time, from the program's inception to the present. This interview has been edited and condensed for clarity.

FCW: A recent report from the Office of Management and Budget found about three out of four federal agencies are at significant risk from cyber attackers. What does that level of risk across government say about the state of CDM now?

JQ: We underestimated the inertia. You can put the technologies in, but you've got to address the people and the processes. It turns out the flow from the department CIOs and CISOs is not a direct flow.

The Clinger-Cohen and Federal IT Acquisition Reform Acts addressed that problem, and CDM faces that same problem. It's just that ours is very obvious because unlike the other things  --which are sort of like management performance measurements -- ours turn out to be real dollar costs because if the integration takes longer, we actually have to pay for an integrator to be there longer.

Now you can buy in any of the six years, as is appropriate, so we're doing much more a sliding match, but that still does not remove the inertia. We're still expecting that we're going to have to do something so agencies can more effectively do the deployment.

Some of that is, we've now realized, instead of just dealing with the top, we're going to have to deal with some of the substructures.

FCW: How does that work?

JQ: If you look at DHS, in the original task order, we treated DHS as one unified entity. This time around, we're saying, 'No, it's not one unified entity. It's a complex organization.' We constructed things so that we can treat parts of DHS that are more advanced than others more quickly, and we're doing the same thing with other agencies.

We found out in other agencies, there's things they can do.… There were things in the Department of Energy that specially accommodates bringing National Labs on board, because we know that's different than having brought headquarters on board.  So we built a lot of tailoring mechanisms to be responsive for the ways organizations are different.

FCW: You pointed to Clinger-Cohen and FITARA as examples. What solutions would there be to reducing [cyber risk through CDM] at the agency level? Would it be legislation?

JQ: The reason this is a successful program is because the part that Congress did -- they centralized the funding. They made one organization responsible for the execution of that funding, so they didn't dilute it by doing grants. The hard part was that they actually held us accountable for not just providing the funding but doing the whole stream down. But it turned out kind of strange because we're accountable, but we don't have control.... So, we're trying to facilitate things, but we recognize the reality that says the government is very heterogeneous.

FCW: What would the next steps be? What's the timeline for agencies?

JQ: That's why we did six years. We're going to basically pick the worst problems in each agency, and we're going to be more focused about how we do things. We created within the new task order a "request for service," which looks at prioritizing the new activities and how the agency is planning to do this. Does the agency want to do it on their own? Do they want to do hybrid funding with us? Or do they want us to do it, us DHS, with our funding?

So, we've built in a lot of these mechanisms that [say] we'll do the level of engagement that it takes and the priority that fits your agency. And we'll see how that works. I mean, this is an experiment again, right?