CISA's CDM program gears up for a new era in cyber defense

MASTER/Getty Images

How a cornerstone cybersecurity program has evolved from information collection to active defense.

The Cybersecurity and Infrastructure Security Agency has used its Continuous Diagnostics and Mitigation program in recent years to disrupt major cyberattacks and improve overall cybersecurity across the federal government, but officials now say it's time for the initiative to expand to continue combatting emerging threats. 

The CDM program has been credited with mitigating recent cyber incidents, including the MOVEit mass exploit earlier this year that impacted both on-premise and cloud-based versions of a popular file transfer service used by multiple federal agencies. 

With more than $400 million included in the Biden administration's fiscal 2024 budget request for the CDM program, the nation’s cyber defense agency has indicated that it wants to launch a "new era" of CDM largely focusing on advanced, proactive cyber defense operations. 

“I hope as CDM goes forward, there’ll be a focus more broadly on access management,” Ross Foard, a senior engineer for CISA's cybersecurity division, said on Wednesday at an event hosted by the nonprofit AFCEA. 

Foard said his team is currently exploring methods to categorize various types of credentials that the CDM program can help manage in cloud environments as part of a broader effort to ensure agencies are complying with the Federal Information Security Modernization Act and other federal information security requirements.

“We’re not well positioned for that right now,” he acknowledged, noting how the CDM program has traditionally focused on mitigating vulnerabilities within legacy environments. 

CDM can be used to identify and prevent unauthorized access to information technology systems, as well as assist in managing user credentials and ensure secure authentication methods are used to access federal networks. CISA also launched a federal dashboard that automatically collects data from agency-specific CDM dashboards and provides real-time insights that can be used to assist in incident response efforts. 

When the Department of Homeland Security's CDM program first launched in 2012, agencies lacked automated methods to share information about the devices and software operating in their networks. DHS was focused largely on standardizing cybersecurity capabilities across government and cybersecurity was one of many duties of CISA's predecessor agency, the National Protection and Programs Directorate

Rosa Smothers, a former CIA cyber threat analyst and executive at the cybersecurity firm KnowBe4, described the CDM program as “a series of defense capabilities” that DHS implemented in response to the National Institute of Standards and Technology’s Information Security Continuous Monitoring guidelines published in September 2011. 

"The NIST concept is to ensure consistent monitoring capabilities with proactive data validity,” Smothers told Nextgov/FCW, describing the CDM program as another layer of federally required cybersecurity measures “to ensure agencies have the tools to assess and address risks on their networks.”

By the spring 2023, all 24 Chief Financial Officer Act agencies were sharing continuous insights with CISA about their operating environments, providing enhanced, government-wide visibility. 

The program's milestones can be attributed in part to the Biden administration’s 2021 cybersecurity executive order and other White House efforts to reduce vulnerabilities across the federal enterprise, according to a recent blog post published by Michael Duffy, CISA's associate director for capacity building. 

"The capabilities of CDM today are in stark contrast to those of just a few years ago," Duffy wrote. "CDM is no longer a static effort to standardize agency capabilities and collect cybersecurity information, but rather the U.S. government’s cornerstone for proactive, coordinated and agile cyber defense of the federal enterprise."