On 7 November in Washington DC, SANS held a Department of Homeland Security Continuous Diagnostics and Mitigation (DHS CDM) Award Workshop. If you are not familiar with DHS CDM, details can be found here, but here is a quick summary:
The Department of Homeland Security (DHS)'s Continuous Diagnostics and Mitigation (CDM) Program has proposed three phases for consideration to be incorporated into future Information Security Continuous Monitoring (ISCM) phases. The first phase has been conceptually adopted as the ISCM Phase 1, and the DHS CDM Program is conducting further research to validate and define the subsequent two phases. The DHS CDM phases include:
CDM is a 5-year program budgeted at $1.2B. In September DHS awarded the first phase - but the award was immediately impacted by the government shutdown.
I've seen a lot of these large BPA/IDIQ contracts get announced to huge fanfare, only to end up as failures when little of the allocated funds were ever actually spent, and most of what was procured ended up as shelfware. Since the CDM program shares a lot of DNA with the Critical Security Controls, SANS believes that by helping the CDM program succeed, the overall level of implementation of the Critical Security Controls at government agencies will increase - a good thing for cybersecurity.
So, the goal of the day was to give the 250 government attendees (with another 500 or so watching the Internet simulcast) the information they would need to choose the best products and services from the CDM contract.
I kicked the day off talking about focusing on securing government systems and data first, then demonstrating FISMA compliance - not the other way around.
Jane Lute of the Council on CyberSecurity led a panel discussion with Gene Dodaro, the Comptroller General and head of GAO; and John Streufert from DHS, the moving force behind the CDM effort.
We then had four vendor "shootout" panels, one for each of the major areas of Phase 1 of the CDM award:
- Security Information/Event Management: IBM, McAfee, RSA
- Vulnerability Assessment: Lumeta, McAfee, Qualys, Tenable, Tripwire (nCircle)
- Endpoint Monitoring: ForeScout, IBM, Symantec, Trend Micro
- Integrators: CSC, IBM, KCG, ManTech
Alan Paller then presented three examples of success in real organizations implementing the Critical Security Controls in general and the principles of Continuous Diagnostics and Monitoring in particular. I closed out the day with a "Call to Action" - making real reductions in vulnerabilities quickly as the most important first step in improving the level of security at Federal Government systems.
The full agenda is here, and there you will find a link where you can register to watch the archived webcast.