OMB to agencies: CDM success is on you

Mick Mulvaney, the president's budget director, wants agencies to do a better job making the Continuous Diagnostics and Mitigation program work.

The division of responsibility, with CDM's program management office at the Department of Homeland Security and the contracts team at the General Services Administration on one side, and the agency customers on the other, has long been a subject of dispute.

In an Oct. 25 memo, Mulvaney, the director of the Office of Management and Budget, lays down the law, saying, "agencies are solely responsible for the state of their cybersecurity posture and must work closely with DHS in order to accomplish CDM program goals at the agency level."

The memo instructs agencies that they are responsible for setting up information sharing capabilities to connect to the federal dashboard established by DHS. They are also expected to be accountable for any security problems identified. If agencies want to buy or implement continuous monitoring capabilities outside of those offered through CDM DEFEND, the latest task order contract vehicle, they must first justify the decision to the program office, OMB and the federal CIO.

Trevor Rudolph, vice president of digital policy at Schneider Electric and former chief of the cyber and national security unit at OMB, told FCW that interagency disputes like those dogging CDM don't get settled without OMB weighing in.

"Agencies wanted flexibility, they wanted choice and what you're seeing here is OMB trying to say 'ok, we get all of those things and we want you to have [that], but you should still be reporting to DHS, up to the federal dashboard, and so let's at least agree on some data elements to do that,'" said Rudolph.

The new guidance reinforces efforts by policymakers in Congress and OMB over the past year designed to resolve some long-running disputes between DHS and agency partners.

"During hearings and roundtables on the program, we often heard from government stakeholders that internal dynamics at DHS's sister agencies were actually the biggest obstacle to the program's success," Rep. Jim Langevin (D-R.I.) said in September.

At a roundtable hosted by FCW in May, a high-ranking agency executive responsible for implementing CDM took issue with the idea of being judged by the quality of the data they're submitting to the federal dashboard, an expectation that Mulvaney's memo makes explicit.

Such judgment is unfair, the executive argued, because it has not always been clear in the past what kind of data DHS wants and different vendors bring different reporting capabilities.

"During Phase 1, there wasn't consistent information sharing, and when you have different integrators, that's going to be natural and that's obviously where DHS has to step in," the executive said during the not-for-individual-attribution discussion. "If we're trying to have apples-to-apples comparisons among agencies and everybody's doing it differently, we're just not going to be there."

Under the new guidance issued by OMB, more specific technical guidance around the data expected from agencies will be pushed out to agencies and updated on an annual basis.

The first two rounds of CDM were marred by a range of agency complaints about the program, from not having enough input on integrators and procurement decisions to a series of communications failures that failed to convey how complex implementation would be.

The CDM program office has since taken steps to address both of those complaints, establishing an advisory board so that agencies could have a say on acquisition strategy and rolling out CDM DEFEND, which gives agencies more latitude to select tools that match their IT environment.

At the FCW roundtable, a program manager said that it was a good idea to give agencies choices, but data standards for reporting were essential for oversight.

"We at DHS and GSA don't want to be selecting these integrator solutions," said a DHS official. "We want the agencies to be selecting them. At the end of the day, we need to make sure we’re in alignment with what headquarters wants to do, but we also want to make sure that we’re accurately reflecting the requirements down at the mission level."

Rudolph said there is plenty of blame to go around for the current state of CDM. The program has had some wins, but overall it has not met the expectations originally envisioned by its creators, he said.

"It comes down to situational awareness," Rudolph said. "We need to get back to the bread and butter of that original objective and try to achieve some small success before building this massive behemoth."

The House of Representatives passed a bill to codify CDM and impose new reporting requirements around the program. Some of those involved in crafting the bill have framed it as a signal to agencies that CDM is not going away and that Congress intends to treat compliance as a priority.

"That's the kind of thing we want to get into law so that folks can say 'I have to do this, this is the kind of thing Congress is going to ask me about,'" a congressional staffer told FCW in May.

Rudolph, however, said legislatively mandating CDM as opposed to the capabilities it seeks to instill could be unwise over the long haul.

"It's well intended," he said, "but if you don't know that the program works, don't enshrine it into law."