But as we went into the large federated agencies, many of the organizations within them had their own solutions in place. In some cases, the common solution approach worked well. In other cases, agencies had the perception that CDM meant “rip and replace.” We didn’t want to be that; we wanted to make sure that we were delivering to the needs of each agency. So when we competed our new acquisition approach — the DEFEND task orders — we built in flexibility and we built in much greater scalability to support the federated environments. We also built in the ability for the agencies to use the vehicle themselves.
It’s really helped us build a relationship with each of the agencies because now we’re meeting them where they are. And as long as they have a solution that meets their requirements, we can work with them. It does build in additional work on the integration side, but that’s on us to figure out.
FEDTECH: Are any agencies to the point where they can actually use a dashboard to get information?
Cox: In the first quarter, we had four agencies with data feeding up to their new agency dashboard, so the agencies were able to see specific assets and specific vulnerabilities. Today, of the CFO Act agencies, 12 have the dashboard deployed; for a few we’re still validating the data feeds. We are finding the dashboards are scaling the way we need them to.
Especially in the big federated agencies, we are getting much, much better performance in terms of the data reporting. Before, data sometimes took days to process through these federated agencies; now it takes minutes in some cases, hours overall. This really gets us to the promise of CDM, moving ourselves away from having agencies manually report on their environments to having automation in place to support awareness.
FEDTECH: How does CDM help prevent or mitigate something like the SolarWinds hack?
Cox: First of all, we need each agency to be able to understand from a continuous monitoring standpoint what its environment looks like. That is so fundamental to everything else that occurs thereafter. For an agency to be successful in thwarting an adversary from getting in — or if an adversary does get in — the agency must have knowledge about what it needs to look for and where it needs to go to get the adversary out. By giving that basic visibility, the CDM tools have been extremely important for the agencies.
We know the adversaries are trying to get into our networks on a second-by-second basis; millisecond-by-millisecond, really. We want to deliver sensors around privileged access management, so that when a privileged user does take an action on the network, we can understand what’s normal behavior versus anomalous behavior. And when something anomalous happens on the network, data is feeding into the security operation center, telling the security operations analyst to take a look into this particular incident or this particular activity, because there could be an incident there. And that’s one way we help from a response to a SolarWinds–type activity. But more important, it’s also what helps us get in front of those types of activities because it allows faster response and earlier detection. And we can get in front of an adversary much more quickly.
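The detection idea Cox describes, privileged-user activity compared against what is normal for that user so that only the departures reach a SOC analyst, can be shown with a small baseline-versus-anomaly check. The block below is an added illustration and is not part of the interview or of the CDM program's own tooling; the log format, user names, hosts and actions are all constructed for the example, and the three checks it applies (new action, new host, off-hours activity) are one simple choice among many a real sensor might make.

```python
"""
Added example (not from the FEDTECH interview or the CDM program's tooling):
a minimal baseline-vs-anomaly check over privileged-user actions, of the kind
a privileged access management sensor might feed to a SOC. All log lines,
users, hosts and actions are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit records, one per line: "<ISO timestamp> <user> <action> <host>"
# A learning window used to establish what "normal" looks like per user.
BASELINE_LOG = """
2021-03-01T09:12:00 admin_a create_user fileserver01
2021-03-01T10:05:00 admin_a reset_password fileserver01
2021-03-02T11:40:00 admin_a create_user fileserver01
2021-03-02T14:20:00 admin_b restart_service dbserver02
2021-03-03T15:55:00 admin_b restart_service dbserver02
2021-03-04T16:30:00 admin_b restart_service dbserver02
""".strip().splitlines()

# Constructed events from a later day, to be scored against the baseline.
NEW_LOG = """
2021-03-10T10:00:00 admin_a reset_password fileserver01
2021-03-10T03:15:00 admin_a create_user fileserver01
2021-03-10T14:00:00 admin_b restart_service dbserver02
2021-03-10T14:05:00 admin_b export_database dbserver02
2021-03-10T15:00:00 admin_b restart_service fileserver01
""".strip().splitlines()


def parse(line):
    """Split one audit record into (timestamp, user, action, host)."""
    ts, user, action, host = line.split()
    return datetime.fromisoformat(ts), user, action, host


def build_baseline(lines):
    """Per user: the actions seen, the hosts touched and the hours of day observed."""
    baseline = defaultdict(lambda: {"actions": set(), "hosts": set(), "hours": set()})
    for line in lines:
        ts, user, action, host = parse(line)
        b = baseline[user]
        b["actions"].add(action)
        b["hosts"].add(host)
        b["hours"].add(ts.hour)
    return baseline


def score_events(baseline, lines, hour_slack=1):
    """Return (line, reasons) for every event that departs from its user's baseline.

    An unknown privileged user is itself anomalous. Otherwise an event is flagged
    for any of: an action never seen for that user, a host that user never touched,
    or an hour outside the observed window (widened by hour_slack on each side).
    Events with no reasons are considered normal and produce no alert.
    """
    alerts = []
    for line in lines:
        ts, user, action, host = parse(line)
        reasons = []
        if user not in baseline:
            reasons.append("unknown privileged user")
        else:
            b = baseline[user]
            if action not in b["actions"]:
                reasons.append(f"new action {action}")
            if host not in b["hosts"]:
                reasons.append(f"new host {host}")
            lo = min(b["hours"]) - hour_slack
            hi = max(b["hours"]) + hour_slack
            if not lo <= ts.hour <= hi:
                reasons.append(f"off-hours activity at {ts.hour:02d}:00")
        if reasons:
            alerts.append((line, reasons))
    return alerts


if __name__ == "__main__":
    # Only the departures are surfaced, which is what an analyst would be handed.
    for line, reasons in score_events(build_baseline(BASELINE_LOG), NEW_LOG):
        print(f"ALERT {line} -> {'; '.join(reasons)}")
```

Run as a script, it prints three alerts out of five new events: admin_a creating a user at 03:15, admin_b running an action never seen before, and admin_b touching a host outside its usual scope. The baseline here is built from a handful of lines purely to keep the example readable; in practice the learning window needs to be long enough to capture legitimate variation, or the analyst is buried in false positives.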