What Does The Next Chapter For Continuous Diagnostics and Mitigation (CDM) Look Like? - Ep. 97

Diagnostics and Mitigation (CDM) program is evolving to lead the effort to reduce cyber risk. And to provide visibility across the federal government. Jason DeShano,  Chief Architect for the Continuous Diagnostics and Mitigation (CDM) Booz Allen Hamilton answers the hard questions.

Table of Contents

• [01:23] Improving Cybersecurity Posture via Continuous Diagnostics Mitigation
• [07:23] One of the Benefits of Work From Home
• [12:36] TIC’s Involvement  From a Continuous Diagnostics Mitigation Perspective
• [19:10] The Crown Jewels
• About Our Guest

Improving Cybersecurity Posture via Continuous Diagnostics Mitigation

Carolyn: This morning we have Jason DeShano. He serves as the Chief Architect for Continuous Diagnostics and Mitigation (CDM) portfolio with Booz Allen's cyber and engineering group. And he has significant experience with CDM in many roles.

Carolyn: He started out as an agency lead at BAH and USDA, and then worked his way up to become the delivery lead across group B. And now is the solution architect for all of group B.

Carolyn: Thank you for being here, Jason. Will you refresh our memories of what Continuous Diagnostics Mitigation is?

Jason: Continuous Diagnostics Mitigation is a DHS-led program that's focused on improving cybersecurity posture within all the federal civilian agencies. The way that DHS has gone about this is to organize all the federal civilian agencies into different groups. Groups A through F, alpha through foxtrot.

Jason: Each group has an individual contract and a separate system integrator that focuses on a particular group of agencies. So Booz Allen, we have the two largest groups, which are B and D, bravo and delta. It covers about 80% of the end points within the federal civilian agencies.

Eric: This is a cyber security program under CISA with Brian Krebs?

Jason: That's correct.

Carolyn: What's the big deal? If I'm at one of these agencies, why do I care?

Jason: You care because there's different drivers for that. Some of it is with the changes that are happening in a couple of different areas. There's certainly some policy things that are happening at the Hill level or within DHS and CISA.

Sophisticated Nation State Attacks

Jason: The bigger driver really is there's so many changes happening in the threat landscape right now. There are sophisticated nation state attacks. We saw the recent things happening with HHS. You can go out there and Google and find out about them. But also just with this new normal we're in.

Jason: Nothing like a pandemic to drive people to change with this normal. Then, there's technology changes happening. Continuous Diagnostics Mitigation is a great program and has the backing of Congress, has the backing of DHS and CISA. It not only to bring new technologies, but also to bring in the funding to help these agencies modernize their cybersecurity.

Eric: There's a ton of funding, Carolyn. Last I checked, over $3 billion in total right now. Jason, how long has the program been? Was it 2011?

Jason: Somewhere around there, 2011.

Eric: We're coming up on almost a decade of working on improvement and progress.

Jason: The contract that we're in now is about five years that we've been executing so far.

Carolyn: I just caught the word that made it relevant for me, the modernization. That's the driver behind Continuous Diagnostics Mitigation.

Eric: It's a big driver.

Carolyn: What are other drivers behind it?

Jason: Some of the other things are the recognition of the changes in threats that are happening right now. The amount of attacks that are happening on these agencies are increasing every single year. They're getting more sophisticated.

Carolyn: Can you give us a good story?

Jason: You can Google the most recent one with HHS around COVID. That was a sophisticated attack. That's public information, so you can go out and find more details on that. There's lots of examples.

Starting an Adventure in Continuous Diagnostics Mitigation

Jason: We first started our adventure here in Continuous Diagnostics Mitigation five years ago. OPM was breached, within the first month that we started the program. So we accelerated that delivery to help them close some gaps.Eric: Modernization is more of a technical mechanism to get to the real core drivers of the program. Which in my mind are reducing the threat surface. Getting better visibility into what's happening in these agencies, on their networks, with their people. Improving response capability, and then the big one, always, for me, was the reporting.

Eric: They have to do FISMA reporting. I've talked to customers where they have dozens, in some cases in excess of a hundred people. They primarily focus on reporting so they can get the FISMA reporting done. The automation piece, but getting that whole civilian government view into what's happening across the civilian government is really important to them.

Jason: We've spent our time over the last five years really getting the fundamentals in place. Focusing on what assets are on these agencies. What's the posture of those assets? Focusing on users. Who are the users that are accessing?

Jason: What's the posture of those users? That's just really laying the foundation for what is the next step, which is getting into more advanced cyber operations. Automation, incident response, those types of things.

Eric: Jason, I've actually seen in the customers we're talking to almost a retrenchment. So defend brought on mobile and cloud capabilities. But COVID brought on work from home.  It has forced a lot of agencies to go back to the basic foundations of Continuous Diagnostics Mitigation. We started working on it years and years ago.

One of the Benefits of Work From Home

Eric: Who is on the network? What is on the network? What's happening on the network? When, at this point, we should have been dealing with data protection and how we're interacting with data.

Eric: I almost feel like work from home, it's been a huge boon. I don't want to say for the cybersecurity industry, but for the user, really. The ability to work from wherever has been great. And the direct to cloud model has been very attractive. We talked about this with our CEO back in the beginning days.

Eric: He made a comment about work from home during COVID. There aren't many, but one of the benefits was it really drove IT to make decisions quickly. That would have taken years of studying. They wouldn't have done it. Because they had to.

Eric: It almost seems like the Continuous Diagnostics Mitigation program participants are going back to the foundations again. Now that their people have worked from home. Are you seeing that?

Jason: Absolutely. That's one of these big drivers for change. With this new normal we're in and the changes they've made over the past six months or so, the attack surface is getting larger now. The areas where these attacks can come in are all over the place. There's different ways to access data now.

Jason: It's bring your own device in a lot of cases, unless the agency has issued that. There's just so many more drivers now for broadening out that attack surface. You have to go back to some of the fundamentals. Make sure that we understand who's there and what they're doing and how they're accessing the network.

Controlled Unclass Information

Jason: But then, we have to quickly shift. Because within this cloud model, data's all over the place now. It's not behind the wall like it used to be. That's really going to drive a lot of changes and pivots here in the next year.

Eric: It's interesting. I was on a call this morning with a senior officer in the Department of Defense. He was talking about how their people are accessing Teams today, Microsoft Teams, and collaborating from work from home devices. Which they really hadn't done prior to the pandemic.

Eric: One of my people asked a question about, so from your work laptop at home? He said, really, from any device, from any workstation at home. We have people accessing it from the only computer in their house. Luckily, I was on mute. You could have heard my scream of, "No!" echoing throughout my house where I'm working from.

Eric: But I'm like, you've got to be kidding me. It's obviously unclass, but it's probably controlled unclass information FOUO in many cases. They may be working on the same box that their son or daughter is working on in school. Theoretically, it could be a school Chromebook.

Carolyn: Does Continuous Diagnostics Mitigation deal with that? Does that violate Continuous Diagnostics Mitigation policies? Also, two part question here, it seems like working from home has really probably pushed the cloud. How realistic is cloud for most of our agencies?

Jason: That's a really good question. So, two parts. One, we've focused on the basics of just understanding what devices and who's on the network. We have to pivot toward enforcement now.

Corrective Operating System

Jason: If that device is also the home computer, if it doesn't have the right posture, then it should not be allowed on the network.

Carolyn: Are you seeing that a lot?

Jason: We are seeing a lot of the bring your own device type things, but agencies aren't in that enforcement mechanism yet.

Eric: Right posture could mean properly patched? Corrective operating system.

Jason: Properly patched, configuration settings, those types of things. When was your last vulnerability scan? Does everyone's home PC have a vulnerability scanner? Things like that. But the other part around the cloud is that agencies are pretty rapidly moving in that direction. Again, that's going to just broaden out that attack surface.

Jason: It makes it even more critical to put some of these enforcement mechanisms in place. So, looking at things like zero trust principles, zero trust architecture, and the principles behind that. It’s going to be very important to start looking at it within the upcoming year.

Eric: You're looking at Continuous Diagnostics Mitigation, how do you see the role of zero trust dovetailing in with CDM? I'm assuming you're having a lot more conversations about zero trust as an architecture. Maybe it’s the best way to describe it. That can be implemented under the Continuous Diagnostics Mitigation program. But I'd love to hear elaboration there.

Jason: We'll have to see if the term zero trust survives the hype cycle here coming up. But if you look at what it's comprised of, it's really a bunch of individual capabilities and technologies that are just kind of bundled together. You're looking at the identity of users, micro-segmentation of the network.

TIC’s Involvement  From a Continuous Diagnostics Mitigation Perspective

Jason: Things like network access control, where you're enforcing policy in order to get onto the network. Those underlying pieces and parts are what we're already putting in from a Continuous Diagnostics Mitigation perspective. Taking that next step into that enforcement mechanism and working with agencies to redefine and redraw their network boundaries to include those cloud assets. It’s going to be a big pivot here for the future.

Carolyn: What about things like TIC 3.0 and SD-WAN? Are they playing a part? I'm not going to lie. TIC 3.0 is a buzz word for me, so can you tell me what that means?

Jason: Trusted internet connection.

Eric: Version three. We're going to get it right this time.

Jason: Version three. It's actually a game changer really. And it's a recognition of everything that we've just been talking about with the pivot to the cloud with a lot more mobile devices out there. The paradigm that we have today, where every piece of network traffic has to all come back through a central point. It’s not going to be feasible, nor is it going to be practical.

Jason: The evolution of TIC to recognize that we can protect those assets without having to put this wall up. Then route everything through that wall, it’s going to be a big evolution and kind of a game changer. I'm hopeful we'll get it right this time. It's going to be necessary with all the changes that are happening right now.

Eric: It's interesting. The call I was on this morning, it was a Zoom. No video from the government. You couldn't hear the senior executive speaking. It was in and out, it was very digital, just cutting in and out.

Guidelines and Policies to Protect Your Internet Connection

Eric: What he said was, "I'm going through my VPN, hang on a second. Let me get off of VPN." He got off his VPN, which routed through some DODIN site. Got off his VPN, went directly to the cloud to Zoom gov, which is the platform we were on, which Forcepoint uses, and crystal clear. Much better. Why?

Carolyn: Is that cool? And is that safe? Sorry. Alarm bells.

Eric: No. NSA has Zoom gov as one of the trusted platforms. It's got end to end encryption. It is safe. Now, I don't know if the DOD organization is necessarily scanning that. I don't know if Forcepoint is, but it is an approved program. But the point being, it was direct to cloud. It wasn't going through, in the civilian speak, a trusted internet connection.

Eric: In the DOD side, it would be going through the DODIN. The DOD information network. All of a sudden, the bandwidth limits came off and we were based off of his home internet connection and the internet.

Eric: We could communicate, where we couldn't get mission done effectively, by not understanding him. I can't tell you how many times we asked him to repeat what he was saying. So going directly to the cloud is so beneficial. But you do need to understand it and protect it.

Carolyn: That's TIC?

Jason: That's TIC 3.0. It's putting some guidelines and some policy and use cases in place for how to protect those types of connections. Without having to all come back through one central spot. That's the crux of it.

The Redefinition of Network Management

Eric: It will have overlapped with CDM because you're trying to protect the enterprise under CDM. Theoretically, a TIC 3.0 initiative could be funded via the Continuous Diagnostics Mitigation program, correct?

Jason: Absolutely. We talked about what assets, what users, the network defense piece. Network management is certainly a part of it. Then getting into the data, data protection, data management. When you start talking about TIC, cloud, mobile assets, cloud assets, you're very much into that redefinition of what network management means.

Jason: What that network perimeter is, and again, bringing in some of those zero trust type principles, regardless of the term. And those underlying functions and capabilities there are going to be a big pivot.

Eric: There was a survey done. Carolyn, did MeriTalk do the survey? I'm trying to remember.

Carolyn: It was a MeriTalk survey.

Eric: 81% of CDM stakeholders stated that they give their agencies a passing grade for a Continuous Diagnostics Mitigation. What would you think?

Jason: I would give it a passing grade. Set aside timelines. These really are monumental changes that we're making within some of these agencies on improving their posture. I think it has been very successful. You look at some of the recent audits that have come out, there's certainly work to do.

Jason: But I think there was a GAO that just came out. It was last week or the week before. There were a lot of findings in there that spoke to the positive progress that's been made on CDM.

Eric: What would you fix?

Jason: We've been doing assets and users for the better part of five years now. Starting to at least get into pilots and proof of concepts for some of these future capabilities.

Their Crown Jewels

Jason: Looking at redefining that perimeter for cloud assets, mobile assets, and what does that mean? Whether that or something else. Just starting off with some type of pilot or proof of concept on those.

Jason: Go small and then broaden out, rather than focusing on sort of like a Big Bang go across everybody. The other piece is really around data. These agencies put a lot of thought behind what are their crown jewels? What are they going to protect in all expense?

Eric: Their high value assets.

Eric: It's finally time they're doing that. It's great, it’s a risk equation and they're finally looking at it.

Jason: Those are changing, too. Some of those are moving into the cloud. Making that shift over to focusing on those two things and doing it in small pieces for those that are ready to go, will be a good change.

Carolyn: As we wrap up here, I'm going to give you one more chance, Jason, to give me a juicy hack story. No?

Jason: No juicy hack stories.

Carolyn: Any last words from you, Eric?

Eric: A couple last words. We are seeing a lot of customers struggle with identity and credential management. What I call some of the first components of both CDM and zero trust. They dovetail very nicely together. I’m not yet seeing customers understand the data protection side. I’m not seeing the most advanced customers understand how people are interacting with their data, with the high value assets.

Eric: Once I know who you, Jason, and you, Carolyn are, I'm still trying to understand what you should be able to touch and everything else.

We’re Working From Anywhere on Untrusted Devices

Eric: But I'm really not in the behavior state where, okay, are these good behaviors of Jason once I've authenticated him? So I've got the microsegmentation down. Maybe I'm rolling out an IDAM or ICAM solution.

Eric: My hope would be that the pandemic hasn't pushed us back so much. That we don't get to, once you're authenticated on the network, we know who you are. You're accessing things you should be. Is it really you? What are your intentions?

Eric: What are the behaviors that you're exhibiting now versus prior? As the perimeter is dissolved, we're working from anywhere on untrusted devices and you name it. That's going to be one of the biggest changes. Personally, we can make use of cybersecurity to better protect the organization and its IP and its users.

Jason: I completely agree. That goes to not only changing the perimeter and changing what that perimeter is, focusing that on identity. But I think also on the data part as well. That is a huge shift. And again, we put the foundation there, so we know who the users are. We know what privileges they have.

Jason: Changing that paradigm to not just put a wall around something. But to actually have some real policy around, is this person, are they who they say they are and enforcing that. But then also, are they accessing the things that they should be accessing based on their unique identity?

Enabling by Protecting

Carolyn: It really speaks to enabling the mission, doing everything so we can get our jobs done no matter where we are.

Eric: It's enabling yet protecting is the way I look at it. We want to open up.

Carolyn: We have to protect it to enable it, though. If it's not secure, we're not enabling the mission.

Eric: There are a lot of cases where we're enabling the mission, but we're not necessarily protecting it. Including in the DOD and other places. Direct to cloud, cloud assets allow you to very easily skip over basics like security, basics, IT operations, capabilities.

Eric: Because IT and security, sec ops may not even know you have something in Amazon. I would not assume that enabling the mission is perfectly aligned and intertwined with protecting. We won't get into it today, but that's the whole shadow IT.

Eric: Cloud makes it very easy to do something. But who's watching what we're doing and who’s protecting what we're doing?

Jason: That's going to be one of the other shifts that has to happen. We have to open up not just from a mission perspective, but also from a data perspective within these organizations. What we see a lot of times is moving to cloud assets and some of those types of things. That's done by your IT operations, which is separate from your security. They're looking at different things, but not necessarily talking to each other.

Break Down Stovepipes and Barriers

Jason: There are some changes that we can make to break down those stovepipes and barriers that exist right now. To focus on data sharing within these organizations and really open up that architecture. So that we can have a complete picture on what's happening, where they are accessing it and all. And is it secure? Is it meeting our security policies?

Eric: We're a long way away from the initial mainframe days when IT controlled everything. We have to re rethink the way we secure our infrastructure. It's a different world.

Carolyn: Thank you, Jason, for the work that you're doing and thanks for joining us today.

Carolyn: To all of our listeners, thanks for joining. And if you are accessing data on a machine you shouldn't be, Jason's coming to get ya.

About Our Guest

Jason DeShano serves as the Chief Architect for the Continuous Diagnostics and Mitigation (CDM) portfolio of work within Booz Allen’s Cyber & Engineering group. Through his cybersecurity expertise, background in leading integrations of complex Information Technology projects.

With exceptional skills in architecture and designing solutions. He serves as senior leader within Booz Allen to drive new business within Federal Civilian clients. For advanced cyber defense capabilities and supports adjacent opportunities within the Department of Defense.