Expansion of DHS Continuous Diagnostics Program Considered
Legislation Calls for Expanding Program for Use at Federal, State and Local Levels
Bills now being considered in the Congress would make the Department of Homeland Security's Continuous Diagnostics and Mitigation Program available to all federal agencies and provide services to state and local governments to help them address cybersecurity challenges.
The House version of the bill introduced this week, Advancing Cybersecurity Diagnostics and Mitigation Act, is sponsored by John Ratcliffe, R-Texas, and Ro Khanna, D-Calif.
Senators John Cornyn, R-Texas, and Maggie Hassan, D-N.H., introduced a similar bill in July.
The legislation would codify into law the Department of Homeland Security's Continuous Diagnostics and Mitigation Program and would make it more broadly available to units of government at all levels.
When DHS first introduced the program in 2013, some agencies, such as the U.S. Department of Defense, and the intelligence community joined to help develop its capabilities, but the program was not widely deployed across the federal government (see: Federal Agencies Rush to Inventory Key IT Assets).
Current Status of Program
The Department of Homeland Security now makes the Continuous Diagnostics and Mitigation Program available to certain federal government agencies as well as the military, and many of these departments are currently implementing various phases of the program, according to a 2018 report from the U.S. General Accountability Office.
The program uses a series of sensors and tools to build a more accurate picture of an agency's critical hardware and software assets. That data is fed back to the Department of Homeland Security, which helps create dashboards and reports to verify that the agency is following proper cybersecurity practices, such as making sure that employees and contractors use appropriately secure methods to access federal systems.
The CDM program can also send alerts about vulnerable systems that need repair or patching, according to DHS.
Under the proposed bills, the CDM program would be expanded to all federal agencies, and state and local governments would gain access to various tools and reports that Homeland Security would oversee and produce.
Any agency using CDM would need to create policies for reporting cybersecurity incidents and would also have to submit reports to help keep the program up to date with the threat landscape, the bills propose.
The proposed bills do not describe how the expanded program would be funded.
"As cyber threats continue to increase in frequency and complexity, we must constantly work to enhance our nation's cyber defense capabilities," Ratcliffe says.
Khanna notes: "The technology is there: We just have to ensure our agencies have the necessary tools to defend against hackers and cyber threats. A strong CDM program will be instrumental in that effort."
A Reactive Approach?
Some security researchers contend that the proposal is a reactive approach to countering the increase of cyberattacks that does little to address the present security concerns.
"Anything the government does, such as the proposed bill, is a reactive approach to cyberattacks and threats," Joseph Carson, chief security scientist at security firm Thycotic, tells Information Security Media Group. "They do not necessarily improve cybersecurity nor reduce the threats. However, the purpose is to ensure that the victims of cyberattacks have the sufficient tools needed to respond and reduce the impact."
The weakness of cybersecurity practices within the IT systems of local governments has made them susceptible to attacks, some security experts say.
In August, for example, a ransomware attack crippled the systems of 22 local government agencies in Texas (see: Texas Says 22 Local Government Agencies Hit by Ransomware).
The latest example of threats to local governments came this week when the mayor of New Bedford, Massachusetts, held a press conference to describe why the city did not pay a ransom after it fell victim to a ransomware attack (see: A Ransomware Tale: Mayor Describes City's Decisions).