Homeland Security CDM dashboard lacks key data, IG report finds
The Department of Homeland Security can’t prioritize or respond to cybersecurity risks in real time because its internal Continuous Diagnostics and Mitigation (CDM) dashboard lacks some of the necessary data, according to its Office of Inspector General (OIG).
DHS‘ OIG found the dashboard reported less than half of the required data on network assets because collection hadn’t been automated and integrated for every agency in the department as of March 2020, in a report released Tuesday.
While the report is DHS specific, its Cybersecurity and Infrastructure Security Agency, which manages the entire CDM program, came under fire from lawmakers in March when agencies governmentwide struggled to assess the effects of recent, high-profile supply chain attacks like the SolarWinds hack.
“According to DHS, its current dashboard could not yet handle the required volume of data or report all data to the federal dashboard as required,” read the report published on Tuesday.
“Until the DHS dashboard is fully functional, DHS cannot leverage the intended benefits of the dashboard to manage and respond to cybersecurity threats.”
According to the report, the DHS Office of the Chief Information Security Officer’s dashboard only reported 40% of hardware assets, 24% of software assets, 18% of configuration settings and 16% of vulnerability management.
It found also that the CDM dashboard was developed with software that couldn’t handle the data volume, and a new dashboard on a more robust platform was not expected until early 2021 at the earliest.
The study found also that out of $180 million spent on CDM, at least $38 million was wasted because certain essential system tools were removed and not replaced.
DHS OIG also found three critical and eight high-risk vulnerabilities across the department’s operating systems and databases, with 10 of the 11 occurring on multiple systems.
Lastly, DHS OIG found agencies were not on track to implement the required configuration settings for their CDM servers, leaving them vulnerable to disruptions and cyberattacks.
DHS OIG recommended OCISO update the department’s CDM program plan with appropriate deadlines for its dashboard transition, agencies’ tool replacements and data integration; address system and database vulnerabilities; and define patch management responsibilities.
The department has agreed with the recommendations, noting that patch management responsibilities were defined on July 6, 2016.
“While DHS acknowledges the initial challenges in fully implementing its [CDM] program, the statement that the department ‘has not yet strengthened its cybersecurity posture,’ is inaccurate,” wrote the department’s GAO-OIG Liaison Office in its response.
“In addition, DHS disagrees with the assertion that $38 million was wasted during the initial effort to design and deploy a department-wide solution.”
The Government Accountability Office found that no agency governmentwide had implemented all the key requirements of the CDM program, in a report released in August.
During a March Senate hearing, CISA’s Acting Director Brandon Wales said almost all parts of every agency had achieved a common CDM baseline as the program closes out Phases 1 and 2 of the program this year.
Just over a month later, CDM Program Manager Kevin Cox announced plans to depart and return to the Department of Justice as its deputy chief information officer.