BLAZING A NEW PATH TO CYBERSECURITY… · Traditional approaches to defending the network cannot...

Date post: 26-May-2020
INNOVATION IN GOVERNMENT

BLAZING A NEW PATH TO CYBERSECURITY

Traditional approaches to defending the network cannot keep up with the evolving cyber threat landscape. But new solutions are emerging.

Fuel Cyber Advances
Evolution of Cyber Field
Undermine Hacker Tricks
Win Cyber Battles
Manage Compliance
Become Service Aware
Rethink the Perimeter
One-on-One With DHS

Learn more at carahsoft.com/innovation
INNOVATION FUELS CYBER ADVANCES

New technologies and strategies provide government agencies with new ways to defend their networks.

SPONSORED CONTENT

C Y B E R S E C U R I T Y

FOR GOVERNMENT AGENCIES looking to improve their cybersecurity, innovation is the order of the day.

It’s not just that today’s cyber threats are more sophisticated and numerous than ever before. It’s also that the IT environment has grown more complex, as agencies have expanded their use of cloud, mobility, the Internet of Things and other solution areas.

This complexity, which creates a more extensive attack surface for bad actors, requires agencies to think in new ways about cybersecurity. Their existing tools might be sufficient for the intended purposes, but new tools, tactics and strategies are needed.

Fortunately, recent months have brought a surge in innovation, as agencies at all levels of government have explored new possibilities for strengthening their cyber posture. Here is a look at some of the hottest areas of activity.

Data Sharing and Analysis: Cyber Warning Systems

The proposition seems simple: The more information that agencies have on cyber threats, the better prepared they will be to protect themselves. In practice, however, agencies often have struggled to implement the necessary policies, procedures and technologies needed to aggregate and analyze data from different sources. But that is beginning to change.

Los Angeles, for example, is launching an organization called CyberLabLA that eventually will facilitate the sharing of information among public and private sector organizations. Additionally, the city plans to build on that work by creating a Cyber Lab Innovation Incubator, which will include a simulated city network that can be used both to test new cyber defenses and to train cyber experts.

Michigan, on the other hand, is looking to take a longer view, trying to leverage its historical cyber threat data to become more effective at predicting emerging threats. The center will work with data generated by a wide variety of systems, such as firewalls, security appliances and intrusion detection systems, as well as data available through commercial services. The goal is to create models that, when applied to current cyber data, can point experts towards emerging threats.

Still, more work needs to be done on the policy front, experts say. A key concern is overcoming institutional barriers to information sharing between the public and private sectors and across different levels of government.

Blockchain: Foundation for Digital Government

To be fully realized, the vision for digital government is built on trust—trust in the integrity of digital transactions. That is, how can a citizen or organization be sure that data has not been tampered with in the course of a transaction?

One promising solution is blockchain technology. Blockchain is generally described as a distributed, trusted ledger of transactions. Each step of a transaction is validated by a participating node, with each validation linked to previous validations, forming a chain. If the transaction is intercepted by an unauthorized party, the chain is broken—and everyone knows it.

Because the ledger travels with the transaction, it does not require centralized management—which makes blockchain more easily scalable than alternative approaches, such as public key infrastructure.

The National Association of State CIOs has flagged blockchain as a promising solution. “As blockchain continues to evolve, state governments can start taking advantage of the technology to improve their services and supply chains through pilot programs,” according to a recent NASCIO report, “Blockchains: Moving Digital Government Forward in the States.”

A growing number of government agencies are exploring the possibilities. The Illinois Department of Innovation and Technology is working with state and local agencies to develop use cases for the technology. In a similar vein, the D.C. Blockchain Center is bringing together government agencies and industry experts around the nation’s capital to do similar work.

The U.S. Department of Homeland Security is also getting involved. The department’s Science and Technology Directorate is funding startups that could help address gaps in current blockchain solutions.

Federal R&D: Botnets, Cryptography and More

Indeed, despite the booming industry for security solutions, the federal government continues to play an important role in seeding the market with new technology or funding the work of entrepreneurial vendors.

For example, the Defense Advanced Research Projects Agency (DARPA) is focusing its energies on so-called social engineering attacks, which are designed to trick people into clicking on a link that downloads malware.

Government agencies often require employees to take training that includes a session on social engineering, but the results are decidedly mixed. Humans continue to be seen as the weakest link of any cyber strategy.

DARPA proposes using bots to detect a social engineering campaign and to identify and gather information about its source. “To build secure cyber systems, it is necessary to protect not only the computers and networks that make up these systems, but the humans as well,” the broad agency announcement states.

In some cases, the problem is not that cyber solutions don’t exist—it’s that they are difficult for many people to deploy. That is the case with some advanced cryptographic techniques.

With that in mind, the Intelligence Advanced Research Projects Activity (a DARPA-like group for the intelligence community) hopes to create a cryptographic toolbox that systems architects and application developers can use even if they lack cryptographic expertise.

The program, called the Homomorphic Encryption Computing Techniques with Overhead Reduction, or HECTOR, likely will include cryptographic tools, programming languages and design and verification tools.

But in some cases, federal agencies take a more measured approach to driving the development of solutions. For example, the National Telecommunications and Information Administration (NTIA), which is part of the Commerce Department, is seeking industry partners interested in developing new strategies for dealing with automated distributed attacks from botnets and related technology.

For starters, NTIA wants to assess the effectiveness of current solutions—both in terms of what works and what gaps need to be filled. But the agency also wants to get feedback on what roles the government should play in filling those gaps. Its findings will be included in a report due by January 2018.

Back to Basics

While innovation is critical to the future of cybersecurity, the WannaCry ransomware incident in May was a reminder about the importance of basic cyber hygiene.

The designers of WannaCry exploited known vulnerabilities in commercial software. According to U.S. intelligence officials, few U.S. government agencies were infected, thanks to their disciplined approach to managing software. In contrast, organizations that failed to apply patches or upgrade their software paid the price—literally.

IN THE EARLY DAYS of the Internet, network defenders came up with a three-pronged approach to cybersecurity. It involved using a firewall, intrusion-detection system and antivirus software to form overlapping concentric circles, so that if one tool failed, another could pick up the slack. However, as adversaries matured, they found ways to get around all of it.

To be successful, adversaries must reconnoiter a victim’s network for weaknesses, deliver a tool that exploits those weaknesses, and establish a beachhead on an endpoint—at which point they can exfiltrate data. We realized that instead of overlapping concentric circles, we needed tools for every link in the chain.

Now small organizations have gone from three security tools to 15 or 20, while large organizations, including some government agencies and financial institutions, are dealing with more than 200 security tools. Unfortunately, agencies typically have the same number of people trying to manage all those tools that they had when they were struggling to handle three tools.

The traditional solution has been to throw more people at the problem, but we’ve reached the point where that doesn’t work anymore.

The Complex Role of Cloud

The latest approach is automatic orchestration through a platform that brings together all those cybersecurity tools. The ideal solution sits behind your perimeter and on your endpoints and offers visibility into your data centers and cloud deployments. It also reduces the attack surface, prevents all known adversary attacks, discovers new ones quickly and converts them into known attacks so we can prevent them.

In the past five years, firewall vendors have been working on the next step in automatic orchestration. It involves moving firewalls’ processing and enforcement activities up to the cloud, in part because the cloud gives vendors nearly infinite processing power and storage space.

Cloud technology naturally offers other benefits as well. Unfortunately, some government leaders think using a cloud service provider that has been certified under the Federal Risk and Authorization Management Program (FedRAMP) means they don’t have to worry about security anymore.

Service providers’ materials clearly say, “Security is a shared responsibility.” When cloud providers are FedRAMP-certified, it means that they secure their own environments. It does not mean they secure customers’ data. Agencies must make their own plans for protecting cloud-based data.

After all, if there is a breach, the agency’s leaders won’t go to the vendor; they will come to the IT team for answers.

Expand the Cyber Workforce

It’s common knowledge that we are facing a shortage of security professionals, with as many as one million open jobs. Yet women, who are half the population, make up just 11 percent of the cybersecurity workforce. That’s why Palo Alto Networks is partnering with the Girl Scouts to establish 18 merit badges for cybersecurity, divided into online safety and network security engineering.

Now more than 2 million girls will be encouraged and guided from kindergarten through high school to become cybersecurity professionals. The idea is to keep them engaged in those subjects so that they eventually go to work in the cybersecurity field, where they can solve the challenges of the future.

Rick Howard is chief security officer at Palo Alto Networks.

HOW THE CYBER FIELD IS EVOLVING

New approaches are streamlining security and targeting the next generation of cyber professionals.

CYBERSECURITY PROFESSIONALS have made it more difficult to penetrate networks, so threat actors have turned to e-mail as an attack vector. They are using spoofing, phishing, malware, malicious URLs, and other techniques to trick users into facilitating their crimes. As a result, more than 90 percent of attacks now come through e-mail.

Hackers are typically after money, information and intellectual property. In a spoofing scenario, for example, an attacker pretends to be an engineering manager and asks a subordinate to e-mail the design documents pertaining to a new military aircraft. The employee then unwittingly sends the sensitive document to the attacker.

Stop Unknown Threats

E-mail protection starts with a strong gateway. Spam blockers and antivirus protection only stop known threats, but there are solutions that can sift through massive amounts of data to identify potential threats before they get into a network or e-mail system.

For example, e-mail security solutions could recognize a malicious URL in a message purporting to be from the IT department and, if the e-mail was delivered, remove that malicious e-mail from the user’s inbox. Using DMARC-based technology, e-mail gateways can help verify that the e-mail sender is indeed legitimate. There are also tools to prohibit distributing intellectual property outside the network, whether the sender is sending the document intentionally (i.e., the insider threat) or accidentally (fooled by a spoofed e-mail).

Mobile apps are another threat vector most people not only don’t consider, but are not prepared to manage. Mobile devices can be breached in many ways, and apps make them particularly vulnerable. Many government agencies are using vendor tools to vet those apps before they install, looking for malicious intent, weaknesses and gaps.

Some solutions can conduct keyword searches of licensing agreements. Proofpoint recently reviewed an app that lets users snap a picture of a business card which then automatically creates a contact record in their e-mail system. Buried in the end-user license agreement, though, was a notification that the company planned to sell captured data.

Find the Right Partners

Instead of continuing to buy different solutions from different vendors, agencies should start with a blank slate, even if it means replacing aging technology. Then they can layer on security policies and automated tools to protect users, the data they create and the devices they use.

Agencies should look for companies with advanced solutions, deep roots in cybersecurity and strong research organizations. The best companies have teams that monitor cyberthreats worldwide and incorporate that threat intelligence into their products. Agencies should also evaluate multiple cybersecurity vendors and integrator partners. Security vendors would welcome the opportunity to share their approach to cybersecurity and often let agencies test their products in a live environment.

In terms of budget, agencies should look beyond the acquisition cost of the solution and also consider the cost of manpower and lost productivity for the cybersecurity team to perform remediation after a breach. An automated, holistic approach to a fluid threat environment can provide agencies with the protection they need and help IT focus on bigger-picture responsibilities.

Tony D’Angelo is vice president of federal at Proofpoint.

UNDERMINING HACKERS’ NEW TRICKS

Agencies must keep their strategies fluid as threat actors target users via e-mail and mobile devices.

ALTHOUGH IT’S TRUE cyberattacks are getting more sophisticated, they are only as complex as they need to be to succeed. If hackers can break into a system using something simple, they’ll save a more sophisticated attack for another day. We need to ensure we’re putting additional barriers in place that make the cyberattacker’s job more difficult.

It starts with basic cybersecurity hygiene, which should be an institutional component of what agencies do every single day. If their hardware does not support the latest operating systems and if they are not automatically deploying patches as quickly as possible, they should make it a priority.

Know Your Adversary

Cyberthreats will continue to accelerate as we bring more assets online, which means CIOs and other agency leaders should be thinking about cybersecurity as an evolving problem. In the physical world, the Defense Department would not go into a battle without understanding who and where the adversaries are and what capabilities they have. Government agencies should take the same approach to the cyber realm.

When agencies understand their adversaries, they can look for additional indicators within their systems, and they can build a cybersecurity strategy that focuses on risk mitigation instead of regulatory compliance. It should be an intelligence-led strategy and it should permeate an agency’s entire computing environment.

IT leaders start by finding the answers to questions such as: Who are their adversaries? What are they after inside the agency? What tools do they use? What IP addresses do they typically come from? Could they have already compromised systems without the agency’s knowledge?

Some agencies are gathering their own threat intelligence by answering those questions. Then they’re combining it with commercial contextual threat intelligence to give them a perspective that they haven’t had in the past.

The next step is using that intelligence to hunt for problems in agency networks—a process that will give IT leaders even more insight into their adversaries. The security team can then feed that intelligence back into the agency’s platform to make it smarter and able to continuously evolve.

From all that internal and external intelligence, agencies can begin to automate their security structure, eliminate false positives and create playbooks that help them orchestrate quick responses to cyberincidents so their security teams can focus on more complex problems.

The Right Metrics

We can’t secure everything, but we can succeed in the small battles by locking down critical assets and stopping data exfiltration when those assets are breached. As we close one hole and move on to the next, we’re making progress.

Instead of focusing on compliance, Congress and the White House should work together to ensure we’re grading agencies on the right metrics. For example, if a system is compromised but officials can show that nothing was exfiltrated, that’s a win. Those officials should not be taken to task for a breach that didn’t affect the agency but instead was a learning experience.

Although there are some pockets of excellence among agencies, an enormous effort still needs to be undertaken. Breaches are continuing despite the emphasis on compliance, but by creating an intelligence-driven strategy, agencies can move toward risk mitigation.

Tony Cole is vice president and global government CTO at FireEye.

WIN CYBER BATTLES

An intelligence-led strategy shifts the focus from regulatory compliance to risk mitigation.

GOVERNMENT AGENCIES FACE daunting challenges to maintain compliance with policies, regulations and laws that govern data protection, cybersecurity and a host of other mandates. The barriers to compliance are compounded by the geographically dispersed operations, complex IT environments and advanced cyberdefense programs managed by most agencies.

To overcome these hurdles and keep up with evolving standards, audit requirements and mission priorities, government professionals must have practical, manageable ways to continuously evaluate their compliance programs and security controls. They need to know what’s happening across their enterprise systems in real time.

The key to this kind of situational awareness is the ability to aggregate and analyze all agency data, regardless of its location or source. Whether collected in the cloud, accessed on mobile devices or resident in legacy systems, data must be available to support an effective, informed and timely decision-making process.

This level of visibility into ongoing enterprise activity is the single most empowering way for public sector managers to understand if their agency is meeting its mission and compliance objectives. It also provides a data-driven analytics approach to determine corrective actions when necessary. Not only is enterprise-level assessment an essential cornerstone of an effective compliance program, it also facilitates optimized IT operations and risk management.

How can agencies best leverage and exploit their data assets? Relying on an automated approach that helps manage data collection and visualization across whatever systems and technologies they are using is the most effective way. By deploying an automated solution, public sector professionals can collect, analyze and report on the volumes of data.

An effective compliance program—for cybersecurity monitoring, defense of Personally Identifiable Information (PII) or data and asset tracking—must be flexible, scalable and extensible. It should operate in real-time and be data source agnostic, centrally managed and federated to enable organization-wide use through role-based access control.

Why implement an automated compliance monitoring system? The main benefits are removing the tedium of manual and ad hoc data collection processes and liberating staff from time-consuming and error-plagued ventures by cutting across operational silos and automating data collection, aggregation and correlation. Reliance on automation can overcome the traditional challenges of ingesting and normalizing data by eliminating the need to fit incoming data into predefined schemas.

Once data is collected in an automated solution, it can be used to address multiple compliance mandates and emerging IT and security initiatives. For example, it can be adapted to monitor specialized compliance requirements such as those mandated in the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI) standards, Criminal Justice Information Services (CJIS) system and others.

Whether agency professionals need to follow the guidance in the NIST Risk Management Framework (RMF) or other important mandates, the tangible benefits of monitoring and understanding the comprehensive and current state of enterprise systems and networks are undeniable. The ever-expanding universe of machine information being generated makes automation the only feasible strategy to meet the demands for continuous monitoring and compliance—today and tomorrow.

Kevin Davis is vice president of public sector at Splunk.

EXPERIENCE THE MANY BENEFITS OF MANAGING COMPLIANCE

Agencies can ensure tighter compliance by automating data management tasks.

THE DAYS OF THE “Fortress Enterprise,” with clearly defined and protected edges to the computing environment, are over. As agencies update their cybersecurity strategy, the new normal of constant expansion and contraction of the computing edge must be taken into account.

For decades, we have designed and implemented IT architectures with this image of defending a fortress. Clean edges, technologies, and carefully measured purpose vs. risk are all known, planned and purpose built. Almost as an afterthought, we would put in process controls to limit any changes. Once complete, the architecture became a reference document instead of an operating model.

With the adoption of the cloud and with agencies expanding the computing boundary into commercial data centers, that approach is no longer valid. Furthermore, with the advent of the Internet of Things (IoT) and the seemingly limitless potential for new devices connecting to our networks, we must be more contextually aware of the entire enterprise computing boundaries in real-time and adapt to a new holistic security service delivery model.

As we receive more data from IoT devices, we need a fully service-aware capability to understand the state of our computing environment and maintain a contextual understanding of risk. Employing platform-based modern applications that leverage a service-aware configuration management database (CMDB), platform automation and artificial intelligence (AI) can help agencies achieve real-time visibility and contextual awareness and understand their risk status. New technologies will enhance this coordinated and contextually aware approach to traditional network and security operations.

Automation and Artificial Intelligence

As fast as threats are developed and new technologies are created to mitigate those threats, the ability of agencies to acquire new computing capabilities is limited by traditional protocols. It is advisable to leverage a modern platform that delivers state-of-the-art applications over an enterprise-class cloud via a subscription acquisition model. That way agencies can finally keep up with current technology developments. Agencies have had to understand what technologies were available, then acquire and integrate that technology. Using a subscription-based model to acquire new software changes the game.

Agencies can modernize their environment to become service-aware. At its most mature end, this service-aware enterprise is driven by AI and machine learning. Having these game-changing technologies helps agencies understand and manage IoT. Alerts from the platform bring human decision-making into the event at the appropriate time with the information needed for a human decision.

Another critical cybersecurity component is the architectural approach to identity management and access control. Simply put, agencies must identify who is requesting access with what device and control their ability to interact with agency databases. Any issue with access control opens the door for bad guys to penetrate our defenses, infiltrate databases and steal information.

The service-aware enterprise must recognize the device, its location and its owner’s authority to access various data from our computing environment. This must be done in milliseconds and with near zero error rate, which automation and AI make possible. These elements working together in harmony create the type of “living” service-aware enterprise necessary to operate securely in today’s world.

Bob Osborn is chief technology officer for federal at ServiceNow.

BECOME A SERVICE-AWARE ENTERPRISE

Understanding complex and changing boundaries reduces risk and increases security awareness.

THE CYBER SECURITY CHALLENGES government agencies face are remarkably similar across all sectors. That’s because most security environments were built in a reactive manner. As new threats cropped up, we would address them with new technology. That bolted-on approach to cyber security (which was the only approach we had at the time) has led to complex, cumbersome and operationally inefficient environments not agile enough to respond to today’s threats.

Agency leaders are dealing with multiple tools with duplicate or overlapping capabilities. Human intervention is necessary to integrate all those systems, process all that data and take action against malicious actors, who are more sophisticated than ever.

Bad actors only have to be right once, but cyber security professionals have to be right every time. Therefore, agencies need systems that are standards-based, integrated and able to take automated action against cyber threats in real time.

Signs of Progress

We need to stop thinking about a hard perimeter. We must build an extensible platform that provides a standardized approach to security both on-premises and in the cloud by securing the data itself. We need to tie security policy to individual employees, no matter where they are or what device they are using.

Obviously, we know the intelligence community and Defense Department both house critical data. We found out the hard way that the Office of Personnel Management has some incredibly important data as well. And a lot of intellectual property from industry resides with government agencies, such as the Food and Drug Administration. Agencies need to ensure they are prioritizing their security investments around their most critical data.

Fortunately, the federal government is moving in the right direction. The cyber security sprint in 2015 improved visibility into agencies’ security postures. The Continuous Diagnostics and Mitigation program has helped government deploy security capabilities more effectively. In addition, President Donald Trump’s recent executive order on cyber security has made agency executives accountable for ensuring critical data is secured properly and investments in security infrastructure align with that data.

The order also promotes standardization in the form of the National Institute of Standards and Technology’s Cyber Security Framework and addresses the crucial need for IT modernization. Legacy systems are costly to maintain. It would be more efficient and cost-effective to update those systems when necessary and shift some of them to cloud-based or shared-services models. However, funding is always an issue, which is why passage of the Modernizing Government Technology Act is so important.

The Need For a Plan

Security is more of an enabling technology than it’s ever been before, but a lot of agencies and even private sector organizations don’t have a cyber security reference architecture that maps technology requirements to mission objectives. A cyber security plan can help agencies avoid building complexity into their cyber security environments, which is the No. 1 barrier to a sound security posture.

Agencies can’t secure everything. Instead, they need to create risk mitigation strategies that align scarce cyber security resources—whether those are dollars, tools or people—against their most critical data.

Chris Townsend is vice president of federal at Symantec.


RETHINK THE PERIMETER

Agencies need to shift their focus from securing boundaries to protecting critical data.


www.carahsoft.com/innovation/symantec-cybersecurity


A CONVERSATION WITH KEVIN COX

The CDM Program Manager discusses the direction of the CDM program and how each phase will help agencies improve risk management and strengthen cyber efforts.

Executive Viewpoint

What is CDM, and how well is it understood by federal agencies?

CDM is Continuous Diagnostics and Mitigation, and we are working with agencies to implement technologies and processes to help them continuously monitor the cybersecurity posture of their systems and networks. Within the agency teams we are working with, I think CDM is well understood. But it’s important to continually communicate what our program is about and its direction, and how it can help agencies do cybersecurity better.

What is it that you are doing—through the CDM program—to help agencies improve their cybersecurity?

We have two models we use. In the first, we break things up into multiple phases, with phase one helping agencies to understand what is on their networks; phase two helping them understand who their credentialed users are and how they are managing tasks on the network; and phase three helping them understand what is happening on their network, that proper boundary protections are in place and then to identify incidents as they occur. A fourth phase is aimed at getting additional protections in place for data, such as data loss prevention, data rights management, etc. I think that whole approach has also helped agencies understand what CDM is about.

The other is what we call the ABCD model, which is a layered model. The A layer is down at the system level, where we get all of the sensors and other technologies to get continuous monitoring deployed. The B layer is where we integrate all of the data from the various agency centers, so that we can normalize and standardize it. We feed everything from that to the C layer—the agency dashboard—where we provide object-level data for the agencies to review and help track how their systems security is working in near real-time. The D layer is where we feed everything from the C level to the federal dashboard, which is how federal leadership can get a near real-time view of how all the government networks are working, which helps them with decision making, prioritization, resource management and so on.

Does this provide all of the information people need to know about CDM?

I think it certainly explains the big picture. What sometimes gets lost are the nuances around how we do CDM, what the technologies are, and things like schedule and rollout. That’s why we work continuously, on a daily basis, to keep getting the right information out to the right people, to answer their questions and then adjust the program as we get feedback from all of the involved parties.

How are the various phases of the CDM rollout progressing?

We grouped agencies into multiple groups to help with management of the rollout. Those to which the CFO Act (the 1990 Chief Financial Officers Act) applies are divided into A, B, C, D and E groups, and we offer a shared service effort to non-CFO agencies, and that’s group F.

Phase one is underway now, and a lot of the work in that will be completed by the halfway point of FY 2018, so we are actually coming into the last year of phase one. We’ve already made quite a bit of progress in getting technologies and processes out to the agencies to help them with cyber risk management.

Phase two has two functional areas, credential management and privilege management, which means rolling out systems that can check how people access the network and various systems, and help agencies understand the behavior of users, that they are doing what they are supposed to be doing, and can report them when they step outside of the lines. All of that work is underway now, and should wrap up around the beginning of FY 2019.

KEVIN COX, CDM PROGRAM MANAGER, DHS

Phase three is just getting underway now. What we do need to do is work with agencies to get new, longer term task orders in place to support the phase one and two work, as well as manage phases three and four. What we call the CDM DEFEND (Dynamic and Evolving Federal Enterprise Network Defense) is the program through which we’ll do that, and we’re working with the GSA now to complete that.

What benefits have agencies already seen from the CDM program?

Acquisition is one of the first big wins. We’ve been able to do procurements for multiple agencies at the same time, and as a result, have achieved significant savings with the volume discounts through the GSA Schedule 70 contracts. Second, we’ve identified quite a few more endpoints—servers, laptops, desktops, etc.—that are on agency networks that the agencies weren’t aware of before the CDM program.

With that discovery, we’ve been getting actual tools deployed that agencies can use to make sure all of their systems are properly patched and configured. One illustration of that was this past spring, when the WannaCry bug was discovered. Agencies were able to use the tools they had deployed to quickly see whether they had the appropriate patches in place to protect themselves. I think we’ll see more of these successes over the next few months.

As the rollout of the phases continues, how will agencies be able to use CDM? Can they directly affect change through the program itself?

The idea is that it will be an integrated program, but also open and flexible in terms of what tools are used and the processes implemented. We’re moving in the direction of defining requirements for continuous monitoring and data reporting. As long as those requirements are met, agencies can use a series of different tools to get data to the dashboard layer, and there will undoubtedly be an evolution in the tools that are used.

As we move into phase three and four, we’re looking at a broad set of challenges that need to be addressed, so we’ve developed those new CDM DEFEND task orders to be open and flexible to be able to support different ways of doing the work while still making sure, at the end of the day, we ensure that agencies have continuous monitoring of their systems and the ability to do risk management.

With that end goal in mind, what can agencies do now to measure where they are with CDM and how well they are set up for the future?

From the quantitative and record-keeping side, it’s a matter of knowing which systems belong to which components or operational division with the agencies, and which stakeholders are associated with particular systems so they can be brought into the discussion. It’s also knowing what cybersecurity tools they already have in place, what the licensing of those tools is, and up-to-date accounts of where the tools are deployed.

On the qualitative side, agencies need to really know their environment, what the mission areas are, have a good understanding of the culture, organization policies and procedures and so on. Bringing that knowledge to the conversation goes an incredibly long way to helping CDM be successful. When we have the best understanding from an agency about who all the stakeholders are, how the mission works and what the mission milestones and deadlines are, it changes the initial approach and we can craft the program to conform more closely to the organization’s needs. That way, it ultimately will be much more successful.
