While the Cybersecurity and Infrastructure Security Agency (CISA) developed its Continuous Diagnostics and Mitigation (CDM) program in 2012 with a monolithic software architecture, a top CISA tech official said today the program is looking to evolve to become “a lot more flexible and modular.”
Richard Grabowski, the deputy program manager of the CDM program, explained at the Axonius Adapt 2024: Reimagining Our Federal Cyber Future event in Washington that the program is evolving to ensure cybersecurity is advancing at pace with current threats.
“In terms of how we’re trying to evolve, we’ve been building and buying very monolithic types of tools,” Grabowski said, adding, “and what we started to see is that especially as budgets start to tighten up, there’s an ever-increasing need to be very flexible – go find the data where it is and reuse it for multiple purposes and be efficient about it.”
“We’re only scratching the surface right now in terms of software asset management,” he added.
Software asset management – otherwise known as SWAM – increases visibility and control over software assets on networks. Grabowski explained that traditional package managers have an understanding of “what Windows operations might tell us,” but CISA is now looking to focus on other key SWAM areas such as software bills of materials (SBOMs) or open-source security.
These other SWAM areas, he said, will “help enrich the data of the software in place that the program does have, so that we can have a better understanding comprehensively, what [agencies’] actual threat landscape looks like.”
The CDM program “is now becoming more of a data-centric type of activity beyond just a toolset activity,” Grabowski said.
One way that CISA’s CDM program has been successful is by “getting top-down buy-in” and ensuring that the CDM tools are “mutually beneficial for the agencies as well,” Grabowski explained.
“You have to really let them know that this is not just for us. It’s not just for CISA and CDM – this is actually for your benefit. And the more that we can tie to their use cases and their priorities, the better,” he said.
David DiEugenio, the chief information officer at Marine Corps Recruiting Command, agreed, adding that getting buy-in and “simplifying understanding” for non-technical folks is critical.
“Certainly, if you’re working in the Federal space or DoD – or selling to – it’s not uncommon to find very senior folks that are … I call them ‘generals’ because they generally know about a lot and may or may not have the experience or the exposure in the technology arena,” DiEugenio said. “But the ability to simplify and communicate and articulate the priorities and what you’re trying to accomplish really goes a long way.”