CDM: A Government Program Worth Emulating and Fully Funding

By Scott Montgomery
Thursday, December 22, 2016, 8:00 AM

The federal government isn’t often held up as a model for IT innovation and efficiency, but there are areas where they should be. An example of a policy directive that has paid dividends is the Continuous Diagnostics and Mitigation (CDM) program, whose aim is to give civilian government agencies a sensible, cost-effective way to upgrade their cybersecurity posture. CDM is available to other organizations as well—such as state, local, regional and tribal governments and the U.S. Department of Defense (DoD)— but the primary target is our civilian departments and agencies, many of which touch citizens. While CDM could have been rolled out more quickly, overall the program has been progressing. Until now.

The House Department of Homeland Security Appropriations bill (H.R. 5634) provides only about $172.8 million of the Administration’s almost $274.8 million appropriations request for CDM for fiscal year 2017. That’s a big ($100 million) hit at a time when government agencies need all the help they can get to address a decreasing cybersecurity labor market coupled with an increasingly dangerous cyber threat landscape. And CDM isn’t just any program; it’s a thoughtful, well-designed program that takes one of the best approaches to improving cybersecurity I’ve ever encountered. Here’s why full funding should be restored.

CDM, under the management of the Department of Homeland Security (DHS), provides an integrated way to assess, prioritize and manage cyber risk. If it sounds similar to the highly regarded NIST Cybersecurity Framework, that’s because it is. Both aim to manage risk through a logical process that involves creating an inventory of the hardware and software assets an organization already has, evaluating their effectiveness and interoperability, determining the areas of greatest risk and vulnerability, and then navigating them through a step-by-step implementation of the best available cybersecurity tools. As an incentive to participate in CDM, organizations that opt into the program get a deep discount on the tools, training and services.

Federal agencies have more than a financial incentive to take advantage of CDM, however. The program provides them the ability to ascertain their security risk posture at any given moment—something that occurs only sporadically, if at all, now. They can then prioritize what systems, infrastructures and data need protecting the most based upon mission risk. And there is a reason the name of the program was changed from “Continuous Monitoring” (used years before it emerged as a program) to “Continuous Diagnostics and Mitigation.” The tools available now go far beyond just monitoring, although that’s a part of what they do; they can also automate detection and response actions.

As DHS has evolved its CDM policy framework, it has asked agencies to implement Automated Defense Capabilities—integrated sets of tools and technologies that can automatically mitigate threats and risks according to local capabilities, authorities and mission needs. Sharing indicators of attack and other threat information will enable agencies to protect themselves before detecting the threat in their environment, and possibly before being targeted.

The big challenge with this objective is that the usual communication option between point defense products has been proprietary and brittle application programming interfaces (APIs). Most large organizations, government or commercial, have built their security architecture through a series of directives that have resulted in a motley collection of best-of-breed products from many companies. The 2015 (ISC)2 Global Information Security Workforce Survey calls this phenomenon tool “sprawl” and describes it as one of the largest challenges facing security efficiency. As threats have grown in volume and sophistication, the long implementation time and point-to-point nature of these interfaces cannot keep up. At the same time, going with a single-vendor solution for the benefits of tighter integration risks missing out on an important emerging security technology. Security architectures must undergo a significant evolution, actively supporting multi-vendor integration based on truly open standards-based messaging, to accelerate the move to collaborative security and get ahead of modern threats. The goal is broad plug-and-play interoperability among distributed elements from multiple vendors, enabling active command and control and ensuring better consistency and faster reactions.

The CDM policy directive points to something needed by both industry and government: a standards-based messaging broker so that global, local and third-party threat intelligence and organizational knowledge can come together to make smarter decisions. By sending contextual attack insights, or indicators of attack, to all detection, containment, and remediation systems, security analysts can gain a sustainable advantage against advanced targeted attacks. Fortunately, the cybersecurity industry and their government counterparts have been working on developing open interface security capabilities. Some real progress has been made. One example of this type of innovation is a near real-time, bidirectional communications fabric for security systems that is available and already incorporated into hundreds of products. It’s called DXL, or Data Exchange Layer, and it facilitates the sharing of relevant data among endpoint, network, and other IP-enabled security components.

The initial implementation of DXL was delivered to market by Intel Security over two years ago. After getting a great deal of input from government policymakers and our colleagues in the cybersecurity industry, we decided to open the DXL interfaces as our contribution to building a more robust public-private partnership dedicated to creating a community, or Public Private Partnership, of cybersecurity capabilities. While our strategy of Opening up our DXL interfaces reduces our short-term revenue opportunities, we hope that it will increase the overall demand for private sector cybersecurity solutions over the long run. This rising tide, we hope, will in turn raise all ships, including our own. DXL has now been accepted and adopted by a wide range of security vendors. And now this DXL communications fabric has been released as open source on GitHub to every developer, researcher, partner or competitor who wants to use it. OpenDXL allows each participant to enter into a unified ecosystem that gains value and capability as the network effect activates. The speed, volume, and adaptability of today’s cyber-attacks demand similar speed and adaptability on defense. As security components (sensors) share their analyses of samples instantly, organizations get an automatic upgrade to their enforcement capabilities. Security operations can identify indicators of attacks as they happen and get early warning of pending attacks through shared threat intelligence.

Through CDM, government agencies can be the beneficiaries of a more orchestrated approach to security—one that can stand up to any cyber defense plan in the private sector. The major cut the House bill has made to CDM funding does not just trim a run-of-the-mill program. CDM is and has the capability to be one of the leading cybersecurity initiatives in any sphere and civilian agencies need the resources necessary to continue to innovate and partner with the entire cybersecurity community to make programs such as CDM truly cutting-edge. The final appropriation for CDM for FY 17 should be no less than $246,632,000—as the Senate has recommended—or else the highest funding possible. Our civilian agencies—and the citizens who depend on them—deserve no less.


Editor’s note and disclosure: Intel is a generous financial supporter of Lawfare. This article, as with all articles, underwent Lawfare’s normal editorial process and review.