It's Crunch Time for Homeland Security's Continuous Monitoring Program


To aggressively move forward and to defend critical infrastructure, we must first acknowledge the hurdles that stand before us. 

By the end of fiscal 2021, it was proposed that agencies must certify to the Office of Management and Budget and the Cybersecurity and Infrastructure Security Agency that they have implemented the Continuous Diagnostics and Mitigation (CDM) Program Data Quality Management Plan. While that date is likely to be pushed back, progress is happening. Breaches of the past have revealed some very concerning gaps in federal cybersecurity—both in relation to identity and access management and asset management—which were truly the impetus to force positive change.  

There is a huge movement right now for stronger federal security measures. The government and OMB are elevating the importance of agency security and the implementation of new tools. The industry is transforming how we look at compliance, and the pandemic-driven remote work environment has pushed us to adapt faster. 

To further propel the initiatives, there is a lot of money coming from President Joe Biden and his administration. Agencies will need to prioritize their needs and then move quickly to get these needs fulfilled or run the risk of losing financial support. 

Regardless, we’re in crunch time. To aggressively move forward and to defend critical infrastructure against the threats that the CDM Program set out to address, we must first acknowledge the hurdles that stand before us. 

Disparate Systems and Siloed Data

First and foremost, the intrinsic culture of the federal world is not conducive to a CDM rollout. Various groups manage information—IT management, enterprise cyber operations, and law enforcement groups for every agency. Each uses different tools, which leads to disparate systems and siloed information. As a former federal guy, I get it. I understand the reluctance of giving up something you’ve invested months or years in building. But to achieve the “completeness” of data management mandated by CDM, we need to move away from the silos. 

Comfort with Manual Processes

There’s a natural sense of comfort with the tools and technologies that agencies have deployed and used for years. And too often, they will continue choosing manual processes over automation and put compliance at risk. If our experience with breaches has taught us anything, it’s that we need to be proactive; we need to stay one step ahead. Past incidents have not only put national security in jeopardy but cost the government billions of dollars. There's too much at stake not to take action now.    

Increasing Complexity in Hybrid and Remote Work Environments

During the pandemic, the federal government increased its percentage of employees approved for telework from roughly 20% to 75%. That’s more than one million employees—and about two million devices—that went from operating in a controlled, protected environment to working at home on personal networks, handling a variety of important government data. Many even purchased new devices to ensure operational continuity.

As these employees return to the office—full-time or hybrid—many new challenges are presented. Security teams will need to quickly establish what devices and software are running on government networks versus personal networks, or both, and ensure these devices meet security and compliance standards. In addition, possible safety precautions, such as temperature checks, will introduce new devices and health data into agencies, which will require them to adhere to HIPAA regulations. 

Bring-your-own-device efforts and the constantly changing nature of hybrid work only escalate the need for CDM. Maintaining a comprehensive asset inventory will be key to closing security gaps as new devices are introduced upon return and maintaining security and compliance for flexible and remote work. Security teams can also look to advisory bodies for recommendations.

Both CISA and NIST have released or plan to release updated guidance for telework, which will be beneficial resources to Federal security teams. Most important, cybersecurity teams must stay aligned with the agency’s leadership and mission to predict how they can support the agency through the upcoming changes while effectively navigating CDM guidelines.

The scars of past federal breaches have yet to heal, but fortunately, we’re learning that we can’t be static. It is clear that the new administration is prioritizing Federal security initiatives, giving agencies tremendous opportunities to improve their security posture. Those that embrace lessons learned will have an advantage during this year of transition. Overall, the future looks bright for compliance and cybersecurity. 

Bobby McLernon is vice president of federal at Axonius. He has served in various roles for over 30 years, including the United States Marine Corps, the United States Air Force, the Federal Bureau of Investigation, and the intelligence community at large.