
Following a review of the U.S. Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program, the Government Accountability Office (GAO) found in a Wednesday report that while the program has met two of its goals, it lacks sufficient guidance for managing network security and data protection. The program generally supports government-wide cybersecurity initiatives, but DHS’s Cybersecurity and Infrastructure Security Agency (CISA) hasn’t finalized all plans for how the CDM program can provide support.
For example, GAO noted that CISA hasn’t fully updated the program’s cloud asset management guidance.
Based on its findings, the GAO is recommending that DHS and CISA issue guidance on implementing network security and data protection capabilities, address data quality concerns, deploy an endpoint solution, and update guidance on cloud asset management. DHS, speaking on behalf of CISA, agreed with the recommendations.
DHS set up the CDM program in 2012 to strengthen the cybersecurity of government networks and systems. Its goals were to reduce exposure to insecure configurations or known vulnerabilities; improve federal cybersecurity response capabilities; increase visibility into the federal cybersecurity posture; and streamline Federal Information Security Modernization Act of 2014 (FISMA) reporting. CISA manages these goals across four capability areas.
CDM has met two goals. First, it is reducing exposure to insecure configurations and known vulnerabilities, as 22 of 23 agencies reported that the program was helpful in accomplishing this. CDM is also meeting its incident response capability goal. The program, however, has been less successful in meeting the other two goals. Although CISA developed dashboards to visualize and provide insight into the federal cybersecurity posture and the associated capability areas noted above, officials from 21 of 23 agencies stated that they had not yet fully implemented network security and data protection capabilities. Several agencies cited a lack of guidance as contributing to the slow implementation.
Also, while officials from four agencies stated that CDM helped to automate FISMA reporting, officials from seven other agencies said that data quality issues were adversely affecting efforts to streamline reporting, leading to manual updates to correct data errors.
Regarding supporting other initiatives, the Office of Management and Budget (OMB) established expectations that CDM would support federal cybersecurity efforts on zero trust architecture, endpoint detection and response, and cloud asset management. CDM has generally met expectations for the zero trust architecture program. However, CISA had not finalized key activities to support endpoint detection and cloud asset management. CISA’s actions to implement an endpoint solution for all agencies and issue updated guidance on cloud asset management would improve the cybersecurity posture of federal agencies.
In 2023, CISA published an update to its set of functional requirements to govern the CDM program in its CDM Technical Capabilities Volume 2, version 2.5. This document is intended to be an engineering baseline, provided to agencies and CDM integrators, for use during CDM solution development within contract activities. Integrators are to use the functional requirements to develop a full set of system-level requirements, inclusive of additional deployment considerations such as agency needs, policies, and/or environmental constraints.
Additionally, the OMB incorporated CDM into government-wide guidance on FISMA reporting and cybersecurity. For example, according to the ‘Guidance on Federal Information Security and Privacy Management Requirements,’ agencies are to report at least 90 percent of government-furnished equipment through the CDM program. Agencies must continue to provide data on assets in an automated manner to the maximum extent feasible.
As part of the Federal Zero Trust Strategy, agencies must create reliable asset inventories through participation in the CDM program. In addition, CISA will design the CDM program to better support a cloud-oriented federal architecture. Also, under the ‘Guidance on Endpoint Detection and Response (EDR),’ within 90 days of publication of the guidance, agencies were to provide CISA access to current enterprise EDR deployments or engage with CISA to identify future state options. Further, CISA was to develop a process for continuous performance monitoring to help agencies ensure that EDR solutions are deployed and operate in a manner that will detect and respond to common threats.
The GAO recognizes that the CDM program has partially met the goal of enhancing cybersecurity visibility. CISA developed a dashboard for use by participating agencies intended to consolidate and visualize information collected from CDM tools. The program also developed a federal dashboard, which enables CISA and OMB to see a government-wide view of agency cybersecurity information as collected through the program. The dashboards are intended to visualize information from each of the capability areas, providing insight into the cybersecurity posture associated with assets, users, networks, and data.
However, officials from 21 of the 23 civilian CFO Act agencies stated that they had not fully implemented capabilities within the network security management and data protection management areas. According to officials from several agencies, they are awaiting additional guidance from CISA regarding these capabilities.
Agencies identified additional opportunities to improve the CDM program, and CISA is working to address them. These include enhancing the procurement model. Selected agencies shared several opportunities to improve the procurement model, such as aligning license renewal dates with government funding cycles, negotiating pricing on behalf of all agencies, and enhancing visibility into the procurement process.
CISA has acknowledged that the existing primary funding model can at times present challenges for capability implementation and sustainment and intends to revamp the model through a new program known as Strategic Cybersecurity Acquisition & Buying Services, which officials stated will expand CISA’s buying power and centralize IT procurements. However, CISA officials noted that the program is mindful of both up-front and long-term costs and takes these into account during its procurement process. Further, the officials stated that CISA involves participating agencies in acquisition discussions to aid in visibility.
Agencies also suggest implementing artificial intelligence (AI) tools. Selected agencies were interested in leveraging AI to, for example, improve threat prediction capabilities. According to CISA officials, the agency is exploring ways in which AI can be strategically and responsibly incorporated into CDM. They added that the program plans to pilot an AI solution with an agency participating in the program in the second quarter of FY 2025.
Furthermore, they recommend adding additional features to the CDM dashboards. Selected agencies stated that they were interested in adding additional features to the agency dashboard, such as custom visualizations and additional data sources. CISA officials stated that the PMO has continually sought solutions to provide maximum flexibility for agencies regarding data types and sources that can be integrated into CDM.
In addition, CISA officials stated that the agency had periodically updated the CDM dashboard to make it more operationally relevant to agencies, and to allow agencies to implement custom data fields and visualizations, in keeping up with evolving federal priorities.
The GAO has issued four recommendations to the Department of Homeland Security to strengthen the CDM program. It recommends that the Secretary of Homeland Security direct the CISA director to issue guidance to support agencies in implementing network security and data protection capabilities. It also calls for the development of clear milestones to address data quality issues on an ongoing basis.
Additionally, the director should work with the 23 civilian Chief Financial Officers Act agencies to ensure that those willing are onboarded to the Persistent Access Capability. Lastly, the GAO urges an update to CISA’s cloud asset management strategy to specify required resources, distribute the strategy to agencies, and ensure its implementation.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.