As a former chief information security officer at two federal civilian agencies, I can't overstate the value of benefiting from another agency's trials, lessons learned, and successes when anticipating and preparing for your own endeavor. The CDM integration across 11 DHS organizational units will deliver a great deal of insight for other agencies, helping them avoid hazards as well as optimize technical implementation and project management to reduce information security risk.
GCN - CDM Phase 2: How to avoid déjà vu all over again
Posted February 3, 2015
Soon it will be déjà vu all over again, as Phase 2 also requires an assessment process. This time, the assessment will be for a set of requirements that include management of network access controls, people granted access, security-related behavior, credentials and authentication. Considering that Phase 2 builds on Phase 1, it’s vital the process be done right, and that agencies revisit their Phase 1 assessment strategy before they tackle it again.
To help agencies ensure their Phase 2 needs are thoroughly and accurately identified, here are four key recommendations.
Federal Times - 5 Ways to Make CDM Rollout More Effective
Posted August 12, 2014
Today we review the information agencies should be prepared to share in technical libraries/reading rooms with the pending release of Task Order 2 request for quotes (RFQ).
GSA plans to issue an RFQ for each buying group over the next nine to twelve months. However, agencies can do several things before that to ensure the optimal solutions for their needs are procured as quickly and effectively as possible.
Federal Times - On CDM, Avoid a 'Right Train, Wrong Track' Problem
Posted July 9, 2014
If you haven't carefully evaluated your current continuous monitoring capability, its level of maturity, and how to configure what you own for CDM, you run the risk of going the wrong way, wasting time, and getting lost.
Good planning is the key to successful deployment of CDM. A well-grounded ISCM plan can limit disruptions to normal operations, and can prevent delays in implementing tools and processes needed to mature the agency's CDM capability.
FCW - Continuous Monitoring: Closer Than You Think
Posted June 23, 2014
How will agencies use those "free" resources from DHS? Will they choose products that fill missing gaps in their CDM migration, or could they unknowingly duplicate what they already own and end up with something they didn't really need?
By taking advantage of a product they already own and their employees are already familiar with, agencies could implement continuous monitoring more quickly than they would by introducing new products into the IT environment, which might add to unnecessary tool sprawl or, worse, duplicate what they already have.
GovInfoSecurity - Deploying a Continuous Monitoring Plan
Posted March 11, 2014
If an agency doesn't know what its most sensitive and critical systems are, then it's pretty difficult to know what to monitor. They could waste a whole lot of effort and resources unnecessarily. It has to start from a risk-based awareness of your own agency in its operations.
Savings generated by continuous monitoring can be applied to other IT security measures. The cost of implementing FISMA was substantial; continuous monitoring aims to reduce those costs considerably.
GCN - Got Your Security Monitoring in Gear?
Posted February 13, 2014
"I'm sure most agencies have a documented plan in place," said Patrick Howard, formerly chief information security officer at the Nuclear Regulatory Commission and the Department of Housing and Urban Development. "But they need to look at it again in light of these new requirements."
Having the products available does not ensure a successful continuous monitoring program, Howard said. "I don't think technology is the problem. Where the program falls down with agencies is with the implementation."
Federal News Radio - Are You Ready For the Next Big Cyber Deadline?
Posted January 31, 2014
It's easy to grumble about what appears to be another paper-pushing exercise in light of so many others. But let's keep in mind that the Department of Homeland Security's CDM program is about far more than compliance: it swings the pendulum toward near real-time, proactive security, doing away with reliance on static, infrequent, paper-bound reporting that can provide false notions of security.
Rather than merely appeasing a requirement that can withstand Inspector General scrutiny, the strategy should truly function as a CDM roadmap and migration path, one that takes into account the agency's security maturation and existing capabilities, capitalizing on investment with the least amount of disruption.