DHS Cyber Monitoring Program Is Shedding Light on Agencies’ Shadow IT

The Homeland Security Department’s signature cybersecurity program is helping agencies discover scores of devices they didn’t know existed within their IT infrastructure, according to the program’s chief.

Launched in 2013, the Continuous Diagnostics and Mitigation program offers agencies a full suite of cyber tools, dashboards and services meant to give them a bird’s-eye view of their digital ecosystem. The program, run by the Cybersecurity and Infrastructure Security Agency, is meant to help officials better defend against cyberattacks by increasing visibility into the users, devices, systems and traffic across an agency’s network.

Already, the effort is helping the government shed light its shadow IT, the numerous devices that operate across agencies’ networks without oversight from their IT shops. 

When conducting audits of their digital ecosystems, agencies uncovered 75% more assets using automated tools provided through CDM than they did using traditional manual reporting, according to Program Manager Kevin Cox. In other words, before using CDM tools, agencies only knew about four of every seven devices that connected to their networks. 

“If you don’t know what all of your assets are, you can’t protect your network,” he said Thursday during a speech at the CDM Summit hosted by FCW. “You don’t understand what your attack surface is [or] what the adversary is attacking. So that [75% increase] is significant in terms of just getting better visibility for the agencies to know what they need to protect and where they have data.”

Today, all 23 CFO Act agencies and some 31 smaller agencies participate in the CDM, and dozens more are in the process of joining the program, Cox said. And after streamlining the approval process for industry tools and services, he added, the agency now offers more than 341,000 different cybersecurity products under the CDM program.

In the coming year, Cox said one of his team’s top priorities will be making it easier for agencies to put data collected under the CDM program to good use. That effort will entail “cleaning up” the information as it flows from network sensors to agency dashboards, as well as rolling out new tools to analyze and interpret the data.

Some 35 agencies are using an algorithm called AWARE—which stands for Agency-Wide Adaptive Risk Enumeration—to assess vulnerabilities in the IT and network configurations. Officials are still working out the kinks in the first version of the tool, Cox said, but it will ultimately help agencies better understand their cyber posture and make targeted improvements.

“It’s the first step toward getting a better risk management algorithm,” he said.

Cox and his team are also in the process of standing up an improved, cloud-based dashboard ecosystem that will make it easier to scale up CDM services across the government and incorporate new analytics, visualization and machine-learning tools, he said. The new platform is already up and running in the cloud, and CISA plans to begin piloting the tech with a handful of agencies in mid-2020. By the end of next year, Cox said he plans to have the platform deployed at all 23 CFO Act agencies.

“We’re really looking to operationalize CDM now,” Cox said. “It’s not just about getting tools out there, it’s about using the data that the tools produce.”