The ‘Next Chapter’ in Cyber Risk: Are Federal Agencies Prepared?
The latest study from MeriTalk finds increased technical collaboration across federal agencies and industry stakeholders, as well as some worrying gaps in cybersecurity fundamentals.
Tenable recently co-sponsored a MeriTalk study conducted to assess the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program, the initiative that provides cybersecurity tools and guidance to all federal agencies. MeriTalk surveyed over 100 federal and industry CDM stakeholders to capture their thinking about the state of the program and recommendations for its future direction. In reviewing the report, titled “CDM: The Next Chapter,” we came away with a mixture of excitement and trepidation.
It is exciting, for example, that a solid majority of respondents (59%) report that federal agencies are implementing CDM tools as part of an integrated cyber defense strategy (rather than a stand-alone program). Less exciting is the fact that 90% of respondents see adversaries as gaining the upper hand, and 68% find that CDM is not adapting fast enough to protect expanding cloud and mobile environments. Below we take a deeper look into some key “takeaways” not readily apparent from the report’s headlines.
Good news: Cross-agency teamwork is happening at many levels
Since its inception, CDM has been about teamwork. Designed as a groundbreaking effort to bring all federal agencies together to fight a common fight, CDM continues to invoke a team ethos not only among federal agencies, but also between federal and industry participants, and among different cybersecurity programs. Examples include:
- New shared services: From “Security Operations Center (SOC) as a Service” to the Cybersecurity and Infrastructure Security Agency’s recently approved QSMO marketplace, responses made clear that the federal enterprise is moving rapidly toward a “circle the wagons” approach that recognizes a shared need to defend against common enemies.
- Moving toward automation: Respondents overwhelmingly (82%) recognized the importance of integrating Trusted Internet Connections (TIC) 3.0 into CDM, with automated TIC data feeds supporting CDM reporting. 97% saw benefits in leveraging automation in general.
- Integration from both sides: Federal respondents pointed to integrating cyber initiatives as a top priority; industry stakeholders emphasized the need for federal guidance, with “improving integration” following closely behind.
It appears from the MeriTalk report that CDM stakeholders are in agreement that cybersecurity is truly a team sport. And with promising initiatives on the horizon, such as CISA’s centralized marketplace, it seems highly likely that the teamwork trend will continue to accelerate in CDM’s next chapter.
Not-so-good news: Too many teams are forgetting the asset management fundamentals
Speaking of sports, it is a long-accepted truth that building on solid fundamentals is an essential path to success in athletic competition. The same could be said for cybersecurity. One slide in the “Next Chapter” presentation gave us particular concern on that front. In a poll of federal-only respondents, 33% felt that they could only “somewhat” answer that most basic CDM question: “What is on the network?” Conversely, only 17% felt that they had complete, real-time visibility into the assets on their network environment.
Answers to the other core CDM “capability” questions revealed slightly better results. All areas left room for improvement, but this fundamental gap in asset management proficiency is a warning flag that must not be ignored. If you don’t know which assets are on your network, it follows that you don’t know what your vulnerabilities are. That cyber exposure gap needs to be closed before a secure expansion effort can proceed.
Back in the spring of 2017, the deployment of CDM tools revealed a 44% undercount in devices attached to the network. This cyber exposure chasm of “shadow IT” caused a major re-calibration of the scope of work required to achieve CDM goals. The fact that one-third of federal respondents in this latest survey feel unable to fully answer the “what is on the network” questions seems to indicate that, in spite of the tremendous progress of CDM over the past three years in closing the gap, there is still much work to be done.
How federal agencies can excel beyond the cybersecurity basics
Indeed, “gap-fill” requests continue to stream in from federal agencies. CDM’s ability to quickly deploy the necessary tools to fill those gaps will determine the rate at which planned expansion into cloud and mobile environments can proceed. At Tenable, we are committed to helping CDM close these cyber exposure gaps. Tenable.sc Continuous View is the vulnerability management platform that enables federal agencies to discover all assets in their network environment and identify the vulnerabilities in those devices. Deploying active Nessus scanners, passive “always on” Nessus Network Monitors, and Nessus agents can achieve complete visibility in today’s increasingly remote network environment.
Another exciting development in Tenable.sc is its Predictive Prioritization capability. Once gap-fill efforts disclose new vulnerabilities, the need to prioritize effectively, and to focus on those that truly pose threats, becomes paramount. Using legacy methods like CVSS as the basis for this prioritization will quickly lead to “vulnerability overload.” Last year, over 30% of the 17,000+ new vulnerabilities carried a CVSS score in the “high” or “critical” range. But past experience has shown definitively that the vast majority of those vulnerabilities pose no serious threat.
Predictive Prioritization is a data science-based process that goes beyond CVSS and re-prioritizes each vulnerability based on the likelihood it will be leveraged in a cyberattack. Predictive Prioritization assigns a Vulnerability Priority Rating (VPR) to every vulnerability – including those that have yet to be published in the U.S. National Vulnerability Database (NVD) – and updates the ratings daily based on threat intelligence, exploit activity and multiple other data inputs.
The Tenable data science team estimates that, on average, only 3% of vulnerabilities are actually exploited. Putting this into perspective, if you used VPR for prioritization, you would only need to patch about 500 of those 17,300 new vulnerabilities to eliminate all critical threats that posed a risk of exploitation. This is far more feasible than guessing which of the 5,300 critical or high CVSS vulnerabilities matter.
By using VPR, and other capabilities that enable a risk-based approach to vulnerability management, agencies can immediately operationalize the objective of the new CDM dashboard ecosystem – assembling the tools and information that “allow agencies to ‘fix the worst problems first' across their networks.”
Join us on June 9th for CDM Central
The virtual CDM Central conference, "Tales From the Frontlines," will be streaming live on June 9. We’ll be there along with MeriTalk and federal IT leaders addressing the current state of the CDM program, and what’s in store for the program’s chapters ahead. Visit us at our virtual booth where we can interact through virtual chat features, live demos, and more. You can register here.
Get more information
Are You Vulnerable to the Latest Exploits?
Enter your email to receive the latest cyber exposure alerts in your inbox.