Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog


The ‘Next Chapter’ in Cyber Risk: Are Federal Agencies Prepared?

The latest study from MeriTalk finds increased technical collaboration across federal agencies and industry stakeholders, as well as some worrying gaps in cybersecurity fundamentals.

Tenable recently co-sponsored a MeriTalk study conducted to assess the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program, the initiative that provides cybersecurity tools and guidance to all federal agencies. MeriTalk surveyed over 100 federal and industry CDM stakeholders to capture their thinking about the state of the program and recommendations for its future direction. In reviewing the report, titled “CDM: The Next Chapter,” we came away with a mixture of excitement and trepidation.

It is exciting, for example, that a solid majority of respondents (59%) report that federal agencies are implementing CDM tools as part of an integrated cyber defense strategy (rather than a stand-alone program). Less exciting is the fact that 90% of respondents see adversaries as gaining the upper hand, and 68% find that CDM is not adapting fast enough to protect expanding cloud and mobile environments. Below we take a deeper look into some key “takeaways” not readily apparent from the report’s headlines.

Good news: Cross-agency teamwork is happening at many levels

Since its inception, CDM has been about teamwork. Designed as a groundbreaking effort to bring all federal agencies together to fight a common fight, CDM continues to invoke a team ethos not only among federal agencies, but also between federal and industry participants, and among different cybersecurity programs. Examples include:

  • New shared services: From “Security Operations Center (SOC) as a Service” to the Cybersecurity and Infrastructure Security Agency’s recently approved QSMO marketplace, responses made clear that the federal enterprise is moving rapidly toward a “circle the wagons” approach that recognizes a shared need to defend against common enemies.
  • Moving toward automation: Respondents overwhelmingly (82%) recognized the importance of integrating Trusted Internet Connections (TIC) 3.0 into CDM, with automated TIC data feeds supporting CDM reporting. 97% saw benefits in leveraging automation in general.
  • Integration from both sides: Federal respondents pointed to integrating cyber initiatives as a top priority; industry stakeholders emphasized the need for federal guidance, with “improving integration” following closely behind.

It appears from the MeriTalk report that CDM stakeholders are in agreement that cybersecurity is truly a team sport. And with promising initiatives on the horizon, such as CISA’s centralized marketplace, it seems highly likely that the teamwork trend will continue to accelerate in CDM’s next chapter.

Not-so-good news: Too many teams are forgetting the asset management fundamentals

Speaking of sports, it is a long-accepted truth that building on solid fundamentals is an essential path to success in athletic competition. The same could be said for cybersecurity. One slide in the “Next Chapter” presentation gave us particular concern on that front. In a poll of federal-only respondents, 33% felt that they could only “somewhat” answer that most basic CDM question: “What is on the network?” Conversely, only 17% felt that they had complete, real-time visibility into the assets on their network environment.

Answers to the other core CDM “capability” questions revealed slightly better results. All areas left room for improvement, but this fundamental gap in asset management proficiency is a warning flag that must not be ignored. If you don’t know which assets are on your network, it follows that you don’t know what your vulnerabilities are. That cyber exposure gap needs to be closed before a secure expansion effort can proceed.

Back in the spring of 2017, the deployment of CDM tools revealed a 44% undercount in devices attached to the network. This cyber exposure chasm of “shadow IT” caused a major re-calibration of the scope of work required to achieve CDM goals. The fact that one-third of federal respondents in this latest survey feel unable to fully answer the “what is on the network” questions seems to indicate that, in spite of the tremendous progress of CDM over the past three years in closing the gap, there is still much work to be done.

How federal agencies can excel beyond the cybersecurity basics

Indeed, “gap-fill” requests continue to stream in from federal agencies. CDM’s ability to quickly deploy the necessary tools to fill those gaps will determine the rate at which planned expansion into cloud and mobile environments can proceed. At Tenable, we are committed to helping CDM close these cyber exposure gaps. Tenable.sc Continuous View is the vulnerability management platform that enables federal agencies to discover all assets in their network environment and identify the vulnerabilities in those devices. Deploying active Nessus scanners, passive “always on” Nessus Network Monitors, and Nessus agents can achieve complete visibility in today’s increasingly remote network environment.

Another exciting development in Tenable.sc is its Predictive Prioritization capability. Once gap-fill efforts disclose new vulnerabilities, the need to prioritize effectively, and to focus on those that truly pose threats, becomes paramount. Using legacy methods like CVSS as the basis for this prioritization will quickly lead to “vulnerability overload.” Last year, over 30% of the 17,000+ new vulnerabilities carried a CVSS score in the “high” or “critical” range. But past experience has shown definitively that the vast majority of those vulnerabilities pose no serious threat.

Predictive Prioritization is a data science-based process that goes beyond CVSS and re-prioritizes each vulnerability based on the likelihood it will be leveraged in a cyberattack. Predictive Prioritization assigns a Vulnerability Priority Rating (VPR) to every vulnerability – including those that have yet to be published in the U.S. National Vulnerability Database (NVD) – and updates the ratings daily based on threat intelligence, exploit activity and multiple other data inputs.

The Tenable data science team estimates that, on average, only 3% of vulnerabilities are actually exploited. Putting this into perspective, if you used VPR for prioritization, you would only need to patch about 500 of those 17,300 new vulnerabilities to eliminate all critical threats that posed a risk of exploitation. This is far more feasible than guessing which of the 5,300 critical or high CVSS vulnerabilities matter. 

By using VPR, and other capabilities that enable a risk-based approach to vulnerability management, agencies can immediately operationalize the objective of the new CDM dashboard ecosystem – assembling the tools and information that “allow agencies to ‘fix the worst problems first' across their networks.”

Join us on June 9th for CDM Central

The virtual CDM Central conference, "Tales From the Frontlines," will be streaming live on June 9. We’ll be there along with MeriTalk and federal IT leaders addressing the current state of the CDM program, and what’s in store for the program’s chapters ahead. Visit us at our virtual booth where we can interact through virtual chat features, live demos, and more. You can register here.

Get more information

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

Try Tenable.io


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable.io Web Application Scanning


Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.



Buy Now

Try Tenable.io Container Security


Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try Tenable Lumin


Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.


Continuously detect and respond to Active Directory attacks. No agents. No privileges. On-prem and in the cloud.