24 June 2025

Cybersecurity: Network Monitoring Program Needs Further Guidance and Actions


While the program has met two of its goals, it lacks sufficient guidance for managing network security and data protection. The program generally supports government-wide cybersecurity initiatives, but DHS's Cybersecurity and Infrastructure Security Agency hasn't finalized all plans for how CDM can provide support. For example, the agency hasn't fully updated the program's cloud asset management guidance.

The Department of Homeland Security (DHS) established the Continuous Diagnostics and Mitigation (CDM) program in 2012 to strengthen the cybersecurity of government networks and systems. Its goals are to: (1) reduce exposure to insecure configurations or known vulnerabilities; (2) improve federal cybersecurity response capabilities; (3) increase visibility into the federal cybersecurity posture; and (4) streamline Federal Information Security Modernization Act of 2014 (FISMA) reporting. The Cybersecurity and Infrastructure Security Agency (CISA) manages these goals across four capability areas (see figure). The program is meeting two of its four goals and partially meeting the other two, as discussed below.

Figure: Continuous Diagnostics and Mitigation Capability Areas

CDM has met two goals. First, it is reducing exposure to insecure configurations and known vulnerabilities—22 of 23 agencies reported that the program was helpful in accomplishing this. CDM is also meeting its incident response capability goal.

The program, however, has been less successful in meeting the other two goals.

Although CISA developed dashboards to visualize and provide insight into the federal cybersecurity posture and the associated capability areas noted above, officials from 21 of 23 agencies stated that they had not yet fully implemented network security and data protection capabilities. Several agencies cited a lack of guidance as contributing to the slow implementation.
