- The Department of Homeland Security’s (DHS) federal cybersecurity program will greatly benefit from increased funding in Fiscal Year 2019, according to a trio of lawmakers.
Reps. John Ratcliffe (R-Texas), Jim Langevin (D-R.I.) and Will Hurd (R-Texas) wrote a letter to the House Appropriations Committee’s Subcommittee on Homeland Security, requesting $237 million to fund the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program.
“As you know, the CDM program provides dynamic cybersecurity capabilities to allow federal agencies to secure their networks, systems and data with the goal of strengthening federal cybersecurity posture for the .gov,” the lawmakers wrote. “Additionally, CDM expands the speed and scope of information sharing and motivates agencies to implement best practices across their enterprise.”
The CDM program is critical because it provides federal agencies with the ability to better assess potential cybersecurity vulnerabilities, the trio added. The cyber threat landscape is ever-evolving, and the nation must ensure its networks and systems are able to face those threats.
“In 2012, DHS launched the roll-out of a four-phase process that will allow CDM to eventually provide the American people the kind of federal cybersecurity that they deserve,” the lawmakers explained. “Right now, DHS is overseeing the process of identifying what systems are connected to the federal networks and who has access to those systems before shifting into the final phase, which will focus on the security of the data itself.”
The CDM program fulfills Federal Information Security Management Act (FISMA) mandates, according to the CDM website. Its automated control testing and progress tracking enhances government network security.
CDM is also consistent with the Office of Management and Budget (OMB) guidance and the National Institute of Standards and Technology (NIST) guidance.
“CDM offers industry-leading, commercial off-the-shelf (COST) tools to support technical modernization as threats change,” the website states. “To start, agency-installed sensors are deployed and perform an on-going, automated search for known cyber flaws. Results from the sensors feed into an agency dashboard that produces customized reports that alert network managers to their most critical cyber risks.”
Agencies are then able to allocate resources depending on the severity of the found risks. Tracked results can compare security postures among agency networks. The results are fed into a dashboard that will “inform and provide situational awareness into cybersecurity risk posture across the Federal Government.”
A March 2017 report from the Government Accountability Office (GAO) determined that DHS must continue its push for improved federal cybersecurity measures, which included the CDM program.
CDM can help resolve cybersecurity vulnerabilities and aid federal agencies in their fight against “pernicious threats.”
“These tools include sensors that perform automated scans or searches for known cyber vulnerabilities, the results of which can feed into a dashboard that alerts network managers and enables the agency to allocate resources based on the risk,” GAO wrote. “DHS, in partnership with and through the General Services Administration, established a government-wide acquisition vehicle for acquiring continuous diagnostics and mitigation capabilities and tools.”
GAO also stressed the key role DHS plays in strengthening the federal government’s cybersecurity posture. Federal agencies must continuously evolve their security measures to meet the increasingly sophisticated cyber attacks.
“Computer networks and systems used by federal agencies are often riddled with security vulnerabilities—both known and unknown,” GAO said. “These systems are often interconnected with other internal and external systems and networks, including the Internet, thereby increasing the number of avenues of attack and expanding their attack surface.”
Agencies have struggled in certain areas, such as properly identifying cyber threats to agency systems and information and with implementing sustainable processes for securely configuring operating systems, applications, workstations, servers, and network devices.
“Federal agencies we have reviewed often do not test or evaluate their information security controls in a comprehensive manner,” the report explained. “The agency evaluations we reviewed were sometimes based on interviews and document reviews (rather than in depth security evaluations), were limited in scope, and did not identify many of the security vulnerabilities that our examinations identified.”