No agency has implemented every key CDM requirement, seven years later

Agencies have generally deployed tools for relaying cybersecurity data, according to the Government Accountability Office.

No agency has implemented all the key requirements of the Continuous Diagnostics and Mitigation program, despite having generally deployed its tools for relaying cybersecurity data to agency and federal dashboards.

The CDM program has improved agency awareness of the hardware on their networks, but only at a “foundational” level, according to a Government Accountability Office audit conducted between February 2019 and early August 2020.

GAO selected three agencies with varying numbers of connected devices but high CDM tool acquisition: the Federal Aviation Administration, Indian Health Services and Small Business Administration. And the audit found they’d implemented software management requirements but “inconsistently” implemented configuration settings management requirements.

“Moreover, poor data quality resulting from these implementation shortcomings diminished the usefulness of agency dashboards to support security-related decision making,” reads the report. “Until agencies fully and effectively implement CDM program capabilities, including the foundational capability of managing hardware on their networks, agency and federal dashboards will not accurately reflect agencies’ security posture.”

The Department of Homeland Security established the currently $10.9 billion CDM program in 2013 to supply agencies with tools for continuously monitoring their networks. The automated tools identify hardware and software on networks, compare their cybersecurity performance to expected outcomes and feed that data to agency and federal dashboards.

But GAO found that hardware counts were inaccurate because the contractors that agencies relied on to install and troubleshoot tools didn’t assign them unique identifying information. And DHS hadn’t ensured integrators addressed such shortcomings.

Further, agencies didn’t always compare network configuration settings to core federal benchmarks for maintaining a standard level of security, according to the report.
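The two findings above, inaccurate hardware counts caused by assets that lack a unique identifier and configuration settings that are never compared to a benchmark, are easier to see with a small worked example. The following Python is an added illustration written for this page; it is not code from the GAO report, DHS or any CDM tool. The inventory records, the benchmark keys and their expected values are constructed placeholders, not a real federal baseline.

```python
"""Illustrative asset-reconciliation and benchmark-comparison checks.

Constructed example for this page: toy records and a toy benchmark,
not output of any real CDM sensor or a real federal configuration baseline.
"""
import operator

# Constructed sample inventory: the same three hosts as seen by two sensors.
# "uid" stands in for a unique hardware identifier (serial number / UUID).
# Records whose uid is None cannot be matched across sensors.
SAMPLE_INVENTORY = [
    {"source": "scanner-A", "hostname": "ws-01", "uid": "SN-0001", "ip": "10.0.0.5"},
    {"source": "scanner-B", "hostname": "ws-01", "uid": "SN-0001", "ip": "10.0.0.5"},
    {"source": "scanner-A", "hostname": "ws-02", "uid": "SN-0002", "ip": "10.0.0.6"},
    {"source": "scanner-B", "hostname": "ws-02", "uid": None, "ip": "10.0.0.6"},
    {"source": "scanner-A", "hostname": "srv-01", "uid": None, "ip": "10.0.1.9"},
    {"source": "scanner-B", "hostname": "srv-01", "uid": None, "ip": "10.0.1.10"},  # lease changed
]


def naive_count(records):
    """What a dashboard reports when every record is treated as a distinct device."""
    return len(records)


def reconciled_count(records):
    """Merge records that share a unique id; report the rest as unreconciled.

    Only records carrying a uid can be de-duplicated with confidence. Matching on
    hostname or IP alone is unreliable (hosts get renamed, DHCP leases change), so
    unidentified records are surfaced as a separate number rather than guessed at.
    """
    identified = {r["uid"] for r in records if r["uid"]}
    unidentified = [r for r in records if not r["uid"]]
    return {"identified_devices": len(identified), "unidentified_records": len(unidentified)}


def data_quality_report(records):
    """Share of records missing a unique id: a data-quality metric worth showing on the dashboard."""
    missing = sum(1 for r in records if not r["uid"])
    return {"total": len(records), "missing_uid": missing, "missing_ratio": round(missing / len(records), 2)}


# Constructed benchmark: setting -> (comparison, expected value). Placeholder values only.
SAMPLE_BENCHMARK = {
    "PasswordMinLength": ("ge", 14),
    "RemoteRegistryEnabled": ("eq", False),
    "AuditLogonEvents": ("eq", "Success and Failure"),
    "ScreenLockTimeoutSec": ("le", 900),
}

_OPS = {"eq": operator.eq, "ge": operator.ge, "le": operator.le}


def compare_to_benchmark(settings, benchmark):
    """Return (setting, actual, expected) for every benchmark item the host fails.

    A setting absent from the host's reported configuration is a deviation too:
    "not collected" must not be silently read as "compliant".
    """
    deviations = []
    for key, (op, expected) in benchmark.items():
        if key not in settings:
            deviations.append((key, "MISSING", expected))
            continue
        actual = settings[key]
        if not _OPS[op](actual, expected):
            deviations.append((key, actual, expected))
    return deviations


# Constructed settings as reported for one host (placeholder values).
SAMPLE_HOST_SETTINGS = {
    "PasswordMinLength": 8,
    "RemoteRegistryEnabled": False,
    "AuditLogonEvents": "Success",
}


if __name__ == "__main__":
    print("naive device count:", naive_count(SAMPLE_INVENTORY))
    print("reconciled:", reconciled_count(SAMPLE_INVENTORY))
    print("data quality:", data_quality_report(SAMPLE_INVENTORY))
    for dev in compare_to_benchmark(SAMPLE_HOST_SETTINGS, SAMPLE_BENCHMARK):
        print("deviation:", dev)
```

Run as-is, the naive count reports six devices where there are three; reconciling on unique ids finds two devices plus three records that cannot be attributed to anything, which is the kind of inaccuracy the audit describes. The benchmark comparison treats a setting the sensor never collected as a deviation rather than a pass, so the dashboard cannot show a host as compliant simply because the check was never run.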

The agencies audited cited limited resources and difficulty resolving problems with contractors.

DHS tracks risks of insufficient resources, provides forums for agencies to express concerns and solicits feedback on contractor performance, GAO found. Still, the watchdog made six recommendations to the department, including ensuring that contractors provide unique hardware identifiers.

GAO made six additional recommendations to the agencies audited, namely that they compare configurations to benchmarks. DHS and the agencies concurred with all of the recommendations.