The Homeland Security Department’s Continuous Diagnostics and Mitigation (CDM) program, intended to give agencies the tools to identify, prioritize and mitigate cybersecurity risks, has delivered on that intent. CDM Phase 3 builds on Phases 1 and 2 by providing much greater flexibility: federal agencies are using Phase 3 to acquire not only products but also services and assessments that improve their security posture.
Unlike Phases 1 and 2, Phase 3 does not prescribe specific technologies. That flexibility lets each agency determine the solutions and services most appropriate for its own environment, and it is now enabling agencies to close the capability gaps that stand in the way of the critical visibility into “what’s happening on the network.”
As agencies move to adopt CDM Phase 3, getting the most value from it will depend on weighing present needs against objectives for the future, while informing each decision with lessons learned from the past.
Keeping the Future in Mind
The idea of meeting today’s objectives while keeping the future in mind is captured in a quote from retired General Peter Pace: “Today's tactical victory does not guarantee tomorrow's strategic success.” Applied to CDM, this means agencies need to optimize not only for today but also to consider how each decision will facilitate, or hinder, the ongoing evolution of their cyber program. For example, if an agency plans to acquire a new technology and is weighing several alternative products, how well each alternative integrates with the agency’s other cyber tools will largely determine its ability to automate repetitive cyber processes later.
Learning from the Past
For lessons from the past, an axiom from the Chinese philosopher Sun Tzu, “Know thy self, know thy enemy. A thousand battles, a thousand victories,” also gives agencies sound guidance. As outlined in the May 2018 OMB report, an agency that does not understand threat actor tactics, techniques, and procedures cannot effectively direct its scarce cyber resources, nor ensure that optimized processes and procedures are consistently implemented and followed, and enterprise cyber risk rises dramatically as a result.
The CDM Phase 3 Incident Response Automation component requires the aggregation of threat intelligence data to support informed decision-making. Through the DHS Shared Cybersecurity Services Program (SCSP), agencies have access to comprehensive threat intelligence data; the challenge is turning that data into actionable information. Forward-thinking agencies are using the Request for Service (RFS) process to:
- Identify specific threat actors that are targeting the agency to understand their motivations and interests as they pertain to agency High Value Assets (HVAs).
- Simulate actual attacks via periodic Red Teaming exercises to measure the agency’s ability to defend against these specific adversaries.
- Analyze the results and close the process and personnel gaps they reveal.
- Make this cycle a recurring part of agency operations, as required by the CDM Phase 3 OMI (Operate, Monitor, Improve) requirements.
Addressing the People and the Processes
The obvious lesson is that continuous training is essential to counter the evolving nation-state adversaries attacking the Federal Government; the less obvious lesson is that new capabilities often force changes in the way operations are conducted. Jim Quinn, Lead CDM Systems Engineer, summarized this best when he said: “We underestimated the inertia. You can put the technologies in, but you've got to address the people and the processes.”
It is straightforward to improve an agency’s risk posture by better understanding the attacker, improving cyber telemetry and data provenance, and optimizing cyber processes. Most agencies, however, will continue to struggle with recruiting, developing, and retaining specialized talent. CDM Phase 3 gives agencies a way to address this through task 4 (Expanded Agency Services) and task 5 (Incident Response Surge). Agencies should consider structuring their requirements to provide access to expert support as needed. The flexibility to acquire critical capabilities on demand lets an agency both sustain effective daily operations and surge during periods of additional need.
The ability under CDM Phase 3 to deploy agency-selected technology, to acquire services that enable new processes, and to bring in expert skills on demand is transforming agency cyber postures.