CDM’s ‘delicate dance’ helping coronavirus agencies fend off cyberattacks

The program was tasked with the job on top of its core work, without any additional funding.
Kevin Cox, CDM, Department of Homeland Security, DHS
Kevin Cox speaks April 25, 2019, at the Security Through Innovation Summit presented by McAfee and produced by FedScoop and CyberScoop. (FedScoop)

The Continuous Diagnostics and Mitigation (CDM) program has successfully helped agencies central to the federal coronavirus response fend off opportunistic cyberattacks because it already had the necessary mechanisms in place, the program’s director said.

CDM Dynamic and Evolving Federal Enterprise Network Defense (DEFEND) task orders were designed to assist agencies with incident understanding and accelerating development of the program’s capabilities when needed.

Network security and management capabilities, including some cloud security efforts, have been accelerated at a number of agencies, Kevin Cox, CDM program manager, said during an ATARC webinar Thursday.

“At the start of the pandemic, there were a handful of agencies, some of which were tied in with the key response activities, that were starting to see increases in malicious traffic — increases in terms of malicious attacks,” Cox said. “We know that our nation-state and criminal adversaries are looking at where they can exploit events like this to get more access to try to get data, try to do malicious things on the network.”


CDM has been doing this work on top of its usual mission helping agencies monitor their information technology assets, data access in the cloud and identity lifecycles.

The program has been largely successful in keeping cloud pilots moving, but a “delicate dance” has ensued with its stepped-up role because it’s only funded for the traditional work, Cox said.

One of CDM’s main initiatives, a new dashboard, will be deployed among an initial set of Chief Financial Officers Act agencies in July. The old dashboard had difficulty scaling with large data sets, so CDM has worked with tech consultant ECS on an elastic search dashboard that uses an Elasticsearch, Logstash, Kibana (ELK) stack.

CDM integrators have been testing the dashboard, which is expected to be provided to all agencies in fiscal 2021.

The program is also working to fully operationalize the Agency-Wide Adaptive Risk Enumeration (AWARE) algorithm, its near real-time measure of agencies’ success implementing basic security practices like vulnerability, patch and configuration management. A smaller cumulative score represents a smaller cyberattack surface.


CDM plans to begin certifying agencies to use the algorithm in July, but first in needs to ensure scores accurately reflect agencies’ IT environments.

“Before we can fully operationalize AWARE, what we’ve been working with the agencies and the system integrators on is data quality — continual data quality coming up from the sensors and scanners, up through the dashboards, up to the federal dashboard,” Cox said. “So we’ve developed a data quality management process, a data quality rubrik.”

Latest Podcasts