The recently passed National Defense Authorization Act requires the Department of Defense to compare the capabilities of its Comply-to-Connect initiative (C2C) to those that the Department of Homeland Security successfully deployed through its Continuous Diagnostics and Mitigation (CDM) program.
Why is Congress interested in the similarities and differences of these two initiatives? And what does their interest tell us about the future of these programs?
The first two phases of CDM were focused on basic cyber hygiene, which is foundational to securing an IT network. Phase one focused on understanding what was on the network. Phase two focused on the people — who’s connected and what privileges they have.
The next phase of CDM is about mitigating risk. The challenge for the DHS and federal civilian agencies is to determine how to manage risks that CDM tools identify, such as unpatched software, devices with critical vulnerabilities, or devices that are not allowed on federal networks. Ultimately, how successful CDM and C2C are at mitigating risk will determine the success of these key programs.
The long road ahead
From an acquisition and deployment perspective, CDM has made more progress (or at least is more mature) than the DoD’s C2C initiative. Even though senior DoD leadership is currently developing its own structure and requirements for C2C, the two programs still have a lot in common.
C2C and CDM share the same strategy and approach to security: Information Security Continuous Monitoring. Both programs take holistic, enterprisewide approaches to securing large and diverse swaths of federal IT networks — something many people didn’t think was possible when CDM began five years ago. CDM is being rolled out across the entire federal civilian enterprise (with a few minor exceptions), and C2C is following a similar path in the DoD. Neither program attempts to solve discrete cybersecurity problems. Instead, they address many challenges, such as patching and vulnerability remediation. Most importantly, both are fundamentally changing the speed at which federal organizations identify and mitigate risk.
Continuous, real-time monitoring is a paradigm shift from legacy, compliance-based approaches to security. In the past, FISMA and other types of reporting on threats or the security posture of federal departments was done annually — quarterly at most. With both C2C and CDM, risk profiles are determined upon connection of a device, and any changes in behavior are detected and assessed immediately.
Building on the success of CDM
Because of these similarities, there are many lessons the DoD can learn from the DHS and their federal civilian counterparts. One oft-cited advantage of the CDM program is the fact that standardized reporting and toolsets breed substantial cost savings. In fact, the May 2017 executive order directed agencies to utilize shared IT services and platforms as much as possible to achieve cost savings. CDM and C2C are both terrific examples of this.
Another key lesson the architects of the C2C initiative can learn from CDM is the importance of good cyber hygiene. Mitigating risk, such as preventing noncompliant or suspicious endpoints from connecting to the network, is the end goal, but understanding the “what” and “who” is a necessary foundation. Future capabilities, as well as executive decision making, will be dependent on the complete ability to know what and who are connected to government networks as well as a continuous understanding of how this information changes minute-to-minute. The fact that the DHS is rapidly developing a more complete picture of enterprise risk to federal networks is a significant achievement for CDM.
Additionally, even though CDM is moving into a new phase, the DHS has taken the time to step back and assess the success of phase one and phase two deployments. That’s quite prudent. The DoD, in addition to seeing what gaps CDM has faced and addressed, should engage in similar self-assessment practices as C2C moves forward.
Differences between CDM and C2C
There are some key differences between CDM and C2C. CDM is a voluntary security offering that the DHS coordinates and delivers to federal civilian departments and agencies. Although departments and agencies are mandated to do continuous monitoring, they are not required to participate in the CDM program. C2C, on the other hand, while not yet a program of record, will likely be mandated for the DoD and centrally procured — quite a different model.
Also, while Congress is asking the DoD to refer to the DHS’s success with CDM, C2C could be poised to offer even greater cost-savings because it will incorporate existing tools. The Pentagon already has several existing tools related to vulnerability and risk management and plans to build on what has already been procured and successfully used.
There’s still a long way to go with C2C, but there’s also a lot of enthusiasm to get started. The Marine Corps is deploying C2C enterprisewide now, and others have similar plans.
C2C and CDM will significantly improve agencies’ cyber postures, in part by giving them unprecedented domain awareness. The ability to make determinations in real time — and to automate action based on what’s discovered at the federal level — is a game-changer.
Erik Floden is the director of global strategic alliances for network security company ForeScout Technologies.