New Federal IT Modernization Plan Will Drive CDM Program Changes

Posted by John Slye on February 1, 2018

Cyber security

The new federal IT Modernization plan will impact the Continuous Diagnostics and Mitigation cybersecurity program in several ways.

In a previous entry, I discussed the overarching high-level points of the final Report to the President on Federal IT Modernization, released by the American Technology Council in late December, 2017. The report focuses on the modernization of federal IT systems to improve the government’s security posture and improve the economies and efficiencies of federal IT asset acquisition and management. The ATC includes several direct recommendations and direct implications for the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program, which has been in-process since 2013.

In the report the ATC emphasizes that “the existing federated and distributed approach to IT is no longer sustainable in an increasingly mobile, cloud-based, and complex digital world.” Similarly, agency efforts to build and operate effective cybersecurity operations is hampered by resource limitations in skilled personnel and costly, complex and rapidly evolving security technologies. The ATC acknowledges that current efforts like CDM have been working toward deploying common security tools across all agencies and integrating large and small agencies into a shared cybersecurity approach and awareness but that many of these efforts, including CDM, have been plagued by delays and have yet to produce their full potential.

Push for Cloud Migrations Will Impact CDM

The overarching theme of the IT Modernization Plan is to “bring the government to the cloud and the cloud to the government” by rapidly increasing agency migration to commercial cloud services, where appropriate. This has immediate implications for the CDM program, which has factored cloud computing into its long-term phased approach, but to date has focused on securing on-premise networks.

As agencies re-architect their IT infrastructure to be more amenable to cloud deployments, one recognized challenge is that agency security staff may not have the training and expertise to operate and secure systems in the updated architecture. To address the challenge, the ATC will leverage the CDM program to develop this expertise and provide it to agencies.

Cybersecurity Modernization and CDM

Under the plan’s priorities of modernizing Trusted Internet Connections (TIC) and National Cybersecurity Protection System (NCPS) in order to improve protections, remove barriers, and enable commercial cloud migration, DHS will provide recommendations to the Office of Management and Budget (OMB) on how the NCPS and CDM programs can be updated to enable a layered security architecture that facilitates transition to modern computing in the commercial cloud. DHS is also charged with leveraging existing CDM capabilities to automate TIC metric collection and compliance processes to improve both security and availability measures.

CDM Recommendations in the IT Modernization Plan

Specific recommendations related to CDM within the ATC report include the following:

  • DHS and GSA are to finalize an acquisition strategy that cover CDM lifecycle support services and solution development and implementation services for CDM Phases 3 and 4 and beyond, including cloud security. These would result in new, long-term task orders under GSA’s Alliant contract vehicle. The acquisition strategy is due within 60 days, so in early March, 2018.
  • DHS is to obtain an initial Authority to Operate (ATO) for the CDM Group F Platform (Non-CFO Act Agencies.) Upon completion of the authorization process, DHS will begin onboarding agencies onto CDM to provide continuous monitoring as a service capabilities. The ATO is due within 125 days, so during the summer of 2018. At that point, DHS would update OMB on the number and status of Memoranda of Agreement (MOAs) it has established with non-CFO Act agencies and submit a plan for onboarding them to CDM.
  • DHS will complete the data exchanges between the various agency- and government-wide CDM dashboards to achieve enterprise-wide situational awareness of federal cyber posture, due within 150 days, so by mid-summer 2018.
  • DHS will implement a concept of operations for the federal CDM dashboard to include procedures to manage cyber risks across the enterprise and other relevant factors, due within 180 days, so by the end of FY 2018.
While most of the report recommendations and other provisions serve to bolster existing elements and goals within the CDM program, the emphasis on expediting cloud migrations at federal agencies – and pressing CDM to adapt to cloud architectures alongside agencies – is a significant element to the modernization plan and will challenge CDM and industry partners to adapt.