Is the DHS Continuous Diagnostics and Mitigation Program Enough?

Just Deploying Best-of-Breed Security Tools Has Proven to be Insufficient in Mitigating Today’s Cyber Threats…

In light of the massive data breach at the United States Office of Personnel Management (OPM), the need to protect government networks is more urgent than ever. These networks and systems contain sensitive data on everything from healthcare information to national security. In response to mounting cyber threats, the Department of Homeland Security (DHS) initiated the Continuous Diagnostics and Mitigation (CDM) program to safeguard and secure Federal Information Technology networks. The big question remaining is whether the DHS CDM program can really strengthen the security posture of government networks.


The data breach at OPM, which resulted in the exfiltration of sensitive data belonging to 22 million current and former federal employees, highlights the advanced threats Federal networks are confronted with on a daily basis — as well as the severe consequences of inadequate threat defenses. In 2013 the Office of Management and Budget (OMB) mandated all agencies to manage information security risk on a continuous basis using organizational risk management principles. The centerpiece of this initiative, the DHS CDM program, is being deployed in three phases between now and the end of fiscal 2017:

Phase 1: Equips agencies with tools, sensors, and procedures to know what IT hardware and software assets they have on their networks, how they are configured, and where existing vulnerabilities exist.

Phase 2: Provides network boundary controls, tools, and procedures to ensure all persons using Federal networks are known and authenticated and that their access is properly managed based on their individual levels of information privilege.

Phase 3: Provides physical boundary controls and tools to enable agencies to respond to events and incidents in a risk-based, prioritized fashion.

Since the CDM program is still taking shape, it’s not surprising that the OMB issued a new memorandum on October 30, 2015 that outlines critical steps for improving Federal information security in the interim. These steps include Federal adoption of the NIST Cybersecurity Framework, increased CyberStats and Privacy Program reviews, implementation of a Cybersecurity Sprint, and more stringent reviews of security in third-party contracts. Otherwise, the OMB continues to push for the efficient and effective acquisition and deployment of existing and emerging technology under the CDM program umbrella.

However, just deploying best-of-breed security tools has proven to be insufficient in mitigating today’s cyber threats. The data breach at Target was a good example of this. The greatest challenge to protecting against cyber threats is establishing a timely and actionable warning system to identify attacks and vulnerabilities within the network and IT supply chain. Detection and timely remediation remain a significant technical challenge.

Considering the massive volume of assets, associated controls, and vulnerabilities that agencies have to deal with under a continuous monitoring concept, they often lack the resources to handle the aggregation, normalization, and correlation of this data. This results in lengthy remediation cycles. Another challenge facing government IT is putting vulnerabilities into the context of the risk associated with them. Without proper risk-based scoring of vulnerabilities, organizations often misalign their remediation resources. This is not only a waste of money, but more importantly creates a longer window of opportunity for hackers to exploit critical vulnerabilities. At the end of the day, the ultimate goal is to shorten the window attackers have to exploit a software flaw.

Instead of solely relying on scans of Federal networks to detect flaws, anomalies and suspicious incidents, and alert IT through various dashboards, more progressive government agencies have started to leverage emerging big data risk management technology to create a security orchestration overlay. This model enables security teams to break down data silos and correlate threat information to achieve an intelligent, integrated, risk-based approach to vulnerability response management. It also establishes processes for automatically generating tickets to remediate prioritized vulnerabilities, tracking them until closed and providing reports when they are successfully mitigated.
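The aggregation, normalization, correlation and risk-based scoring described in the two paragraphs above, carried through to ticket generation and closure tracking, as an added Python example (not code from the article or from any CDM tooling). The scanner feeds, asset inventory, CVE identifiers, weights and SLA windows are all constructed placeholders. The point it illustrates is the misalignment the article warns about: a CVSS-only queue puts an isolated kiosk at the top, while scoring the same findings against asset criticality, Internet exposure and exploitation evidence moves the HR database to the front and the kiosk to the back.

```python
"""Risk-based vulnerability triage: aggregate, normalize, correlate, score,
ticket and track to closure. Added example, not code from the article or
from any CDM tool; scanner output, asset inventory, CVE identifiers and
weights are constructed placeholders."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Two hypothetical scanners reporting the same facts under different keys.
SCANNER_A = [
    {"host": "web-01", "cve": "CVE-EXAMPLE-1", "cvss": 9.8},
    {"host": "hr-db-01", "cve": "CVE-EXAMPLE-2", "cvss": 7.5},
    {"host": "kiosk-07", "cve": "CVE-EXAMPLE-1", "cvss": 9.8},
]
SCANNER_B = [
    {"hostname": "HR-DB-01", "plugin_cve": "CVE-EXAMPLE-2", "severity": 7.5},
    {"hostname": "web-01", "plugin_cve": "CVE-EXAMPLE-3", "severity": 5.3},
]
# Asset context a Phase 1 inventory supplies: criticality 1..5 and exposure.
ASSETS = {
    "web-01": {"criticality": 3, "internet_facing": True},
    "hr-db-01": {"criticality": 5, "internet_facing": False},
    "kiosk-07": {"criticality": 1, "internet_facing": False},
}
KNOWN_EXPLOITED = {"CVE-EXAMPLE-2"}  # CVEs with exploitation reported in the wild (constructed)


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float
    sources: List[str] = field(default_factory=list)
    risk: float = 0.0


@dataclass
class Ticket:
    ticket_id: str
    host: str
    cve: str
    due: date
    closed: bool = False


def normalize(raw: Iterable[dict], source: str) -> List[Finding]:
    """Map each scanner's field names onto one schema and case-fold hostnames."""
    return [Finding((r.get("host") or r.get("hostname")).lower(),
                    r.get("cve") or r.get("plugin_cve"),
                    float(r.get("cvss", r.get("severity"))), [source]) for r in raw]


def correlate(findings: Iterable[Finding]) -> List[Finding]:
    """Merge duplicate (host, CVE) reports: keep the highest CVSS and every source."""
    merged: Dict[Tuple[str, str], Finding] = {}
    for f in findings:
        key = (f.host, f.cve)
        if key in merged:
            merged[key].cvss = max(merged[key].cvss, f.cvss)
            merged[key].sources.extend(f.sources)
        else:
            merged[key] = Finding(f.host, f.cve, f.cvss, list(f.sources))
    return list(merged.values())


def score(f: Finding) -> float:
    """CVSS scaled by asset criticality, Internet exposure and exploitation evidence."""
    asset = ASSETS.get(f.host, {"criticality": 3, "internet_facing": False})
    risk = f.cvss * asset["criticality"] / 5
    if asset["internet_facing"]:
        risk *= 1.5
    if f.cve in KNOWN_EXPLOITED:
        risk *= 1.5
    return round(risk, 2)


def prioritize(*scanner_outputs: Tuple[str, list]) -> List[Finding]:
    """Normalize every feed, correlate across feeds, score, and rank by risk."""
    findings = correlate(f for name, raw in scanner_outputs for f in normalize(raw, name))
    for f in findings:
        f.risk = score(f)
    return sorted(findings, key=lambda f: f.risk, reverse=True)


def open_tickets(findings: List[Finding], today: Optional[date] = None,
                 threshold: float = 4.0) -> List[Ticket]:
    """One ticket per finding at or above the threshold; the SLA (constructed) tightens with risk."""
    today = today or date.today()
    selected = [f for f in findings if f.risk >= threshold]
    return [Ticket(f"VULN-{n:04d}", f.host, f.cve,
                   today + timedelta(days=7 if f.risk >= 9 else 30))
            for n, f in enumerate(selected, start=1)]


def reconcile(tickets: List[Ticket], rescan: List[Finding]) -> Dict[str, List[str]]:
    """Close a ticket only when a rescan no longer reports its (host, CVE) pair."""
    present = {(f.host, f.cve) for f in rescan}
    for t in tickets:
        t.closed = (t.host, t.cve) not in present  # reopens if the flaw returns
    return {"closed": [t.ticket_id for t in tickets if t.closed],
            "open": [t.ticket_id for t in tickets if not t.closed]}


if __name__ == "__main__":
    ranked = prioritize(("scanner_a", SCANNER_A), ("scanner_b", SCANNER_B))
    for f in ranked:  # kiosk-07 would top a CVSS-only list; ranked by risk it is last
        print(f"{f.host:9} {f.cve:14} cvss={f.cvss} risk={f.risk} via {','.join(f.sources)}")
    # Constructed rescan in which only web-01 / CVE-EXAMPLE-1 is still present.
    print(reconcile(open_tickets(ranked, date(2015, 11, 1)), [Finding("web-01", "CVE-EXAMPLE-1", 9.8)]))
```

Two design choices matter here. Closure is driven by rescan evidence rather than by an analyst marking the ticket done, which is what "tracking them until closed" requires in practice; and the asset context that drives the score is exactly the inventory CDM Phase 1 is meant to produce, so without that inventory the pipeline degrades to the CVSS-only ordering the article criticizes.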


Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
