Matt House, who runs the Cybersecurity and Infrastructure Security Agency’s (CISA) Continuous Diagnostics and Mitigation (CDM) program, previewed today that his office is working on an effort to better explain how the CDM program supports the Federal government’s push toward zero trust security architectures, and specifically the Zero Trust Maturity Model (ZTMM) that CISA last updated in April 2023.
The CDM program provides Federal agencies with tools to monitor vulnerabilities and threats in their IT systems in near real-time. The program also provides agencies with a dashboard for tracking IT data, and feeds agency data into a Federal Dashboard that gives CISA and the Office of Management and Budget (OMB) visibility across agency networks.
Speaking today at the Palo Alto Networks Ignite 2024 conference in Tysons, Va., House was asked how CDM aligns with existing zero trust cybersecurity frameworks or industry best practices.
“Zero trust is a big one for us,” he replied, “and one where we’ve spent a lot of time and energy of late thinking about how to thoughtfully recast what we’ve done over the last decade or so to more explicitly align with in particular CISA’s Zero Trust Maturity Model.”
“A lot of that is kind of recasting what we’ve already done just with kind of a different lens,” the CDM program manager said. “But it’s also helping us think about where we want to go and kind of understand from a different perspective where we might want to make future investments that are going to have the greatest impact.”
“In the near future, you’ll be seeing us be a little bit more explicit about how we map our capabilities to that maturity model and how we think a particular capability has a positive impact in supporting an agency’s zero trust journey,” including around various pillars of the CISA maturity model. “That’s been a big one for us,” he said.
Responding to the same question, House also explained that “we have a team that we work with internally that is focused very much as a primary responsibility on working with industry, kind of pulsing the marketplace, doing a lot of market research, doing a lot of evaluation and research and development.”
“That can be not just products, that can be standards,” he said. “One of the problems we have to deal with a lot is … varying products reporting the same information according to different standards, how do we normalize that, and be more efficient at normalizing that.”
“So, we have teams that kind of engage on those kinds of problems on a near-continual basis to help us also inform where it makes sense for us to make some shifts strategically,” House said.