In Washington D.C.’s cybersecurity community (and the entirety of Federal IT), the Continuous Diagnostics and Mitigation (CDM) program is well known and evolving – a bold and necessary effort to centralize the management of cybersecurity tools, services, and reporting across the entire Federal civilian enterprise. Just four hours down Interstate 95, where CDM is not so well known, the government of North Carolina is making a strong case for state-level adoption of the CDM model to create greater network visibility and strengthen cybersecurity across the state system.
At the center of NC’s effort is Maria Thompson, chief risk officer at the North Carolina Department of Information Technology (NC DIT). Thompson is no stranger to the CDM program – she came to NC DIT with extensive Federal government experience. In the U.S. Marine Corps and with a private Federal system integrator, she worked to help the Federal government with its approach to cybersecurity before taking the NC chief risk officer position in 2015.
MeriTalk spoke with Thompson to learn how the state implemented the CDM model, what challenges her team ran into, and advice for other states.
Breaking Down Silos with Leadership Backing
When she arrived in NC, Thompson quickly found the need for better visibility in the IT environment.
“When I came to the state, the first thing that I noticed was our decentralized model, as far as security, and being at the enterprise level and lacking that visibility across all the entities that we were purported to be responsible for securing,” she said.
Facing up to that important task, DIT decided to tackle the project head-on, and take a “CDM-like” whole-of-state approach.
Of course, that visibility didn’t come without challenges.
“We encountered some [pushback] on the technical side of the house, because we’re breaking down silos that have been in place because of how the network has been segmented in the past, so working through those technical glitches … we have to go into areas where we really did not have that visibility before,” she said.
But leadership support for the NC CDM project made a big difference in moving the ball forward.
“Most state employees want to do the right thing, and they just need the backing from leadership to say, ‘You know what? We’re going to focus on these vulnerabilities, knock these vulnerabilities down, and establish a strong program because we see the value and want to mitigate the risks,’” Thompson said.
DIT acknowledged the importance of change management and of not forcing extreme change all at once. So the agency took a different approach to how it implemented sensors across agency networks.
“If you already have a tool in place, we’re not going to rip and replace – we’re going to let your contract run out and when we go to renew, we increase the licenses for our solution and absorb the requirements for that particular agency,” said Thompson.
North Carolina opted to use Tenable sensors, which supported the enterprise-level view and continuous monitoring capability the state was aiming for.
As new agencies come on board, Tenable’s role-based access control (RBAC) allows NC DIT to expose as much or as little of the Tenable.sc (formerly SecurityCenter) console as is appropriate for each one. Agencies that already had relatively mature Vulnerability Management (VM) programs could be given full access and continue business as usual; they also offered the expertise gained from years of maintaining a Tenable.sc console themselves. Agencies with little or no VM maturity could be given a starting point with templates and fully automated scanning, so that the agency does not even have to log in to receive its reports. Tenable.sc then gives NC DIT the tools to guide those agencies along the path to greater VM maturity.
NC DIT used Tenable.sc’s flexible deployment options to stretch the platform across complex infrastructures, and with all assets covered, the centralized console is able to ensure compliance across the board.
With a strong implementation, Thompson and her team succeeded in bringing the state’s cybersecurity risks into the light.
“The agencies understand that they need a solution to assess their environments, and the fact that we’ve taken an all-of-state approach and received funding to appropriate the money to pay for that made it a bit of an easy sell,” she noted. “The second part is enabling them to be part of the process … we’re not saying you’ve lost the ability to assess your own environment, we are giving you a capability that you can use as needed, that will feed the enterprise picture.”
The CDM model has also enabled DIT to take a risk management approach to patching, and take care of the most important threats first.
“If we can take a targeted approach to how we remediate our environment, such as looking for those key things … it will allow them to make a decision much quicker on which vulnerabilities we should be targeting first, and creating that living document roadmap for patch management,” Thompson added.
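As an added example of the risk-based patch prioritization Thompson describes (this is illustrative code, not NC DIT’s process or Tenable’s software), the Python below takes a constructed vulnerability scan export, scores each finding by severity, asset criticality, exploit availability and exposure time, and produces both the enterprise-wide ranking and the per-agency slice of that picture that mirrors the scoped console access described earlier. The finding fields, the scoring weights, the agency and host names, and the `CVE-0000-000n` identifiers are all assumptions or placeholders chosen for the example.

```python
"""Risk-ranked patch roadmap built from a vulnerability scan export.

Added example, not NC DIT or Tenable code. Field names, weights, agency
names and CVE identifiers are assumptions; a real deployment would take
the fields from the scanner and agree the weights with the agencies.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    agency: str              # owning agency (hypothetical names below)
    asset: str               # host name as reported by the scanner
    cve: str                 # placeholder identifiers, not real CVEs
    cvss: float              # base severity, 0.0 to 10.0
    exploit_available: bool  # scanner flag: a public exploit is known
    first_seen: date         # date the finding first appeared in results
    asset_criticality: int   # 1 (low) to 3 (high), an agency-assigned tag


# Constructed sample export covering two hypothetical agencies.
SAMPLE_FINDINGS = [
    Finding("agency-a", "a-web-01", "CVE-0000-0001", 9.8, True, date(2019, 5, 15), 3),
    Finding("agency-a", "a-file-02", "CVE-0000-0002", 7.5, False, date(2019, 1, 10), 2),
    Finding("agency-b", "b-db-01", "CVE-0000-0003", 8.1, True, date(2019, 5, 28), 3),
    Finding("agency-b", "b-kiosk-07", "CVE-0000-0002", 7.5, False, date(2019, 5, 30), 1),
    Finding("agency-b", "b-web-03", "CVE-0000-0004", 5.3, False, date(2018, 12, 1), 2),
]

TODAY = date(2019, 6, 1)   # fixed "as of" date so the example is deterministic
EXPLOIT_MULTIPLIER = 1.5   # assumed weight for findings with a known exploit
MAX_AGE_BONUS_DAYS = 90    # exposure time stops adding risk after this many days


def risk_score(finding, today=TODAY):
    """Severity weighted by asset criticality, exploitability and exposure time."""
    score = finding.cvss * finding.asset_criticality
    if finding.exploit_available:
        score *= EXPLOIT_MULTIPLIER
    exposed_days = max(0, (today - finding.first_seen).days)
    # One extra point per 30 days of exposure, capped so old noise cannot
    # outrank a fresh critical finding.
    score += min(exposed_days, MAX_AGE_BONUS_DAYS) / 30
    return round(score, 2)


def agency_view(findings, agency):
    """The slice of the enterprise picture a single agency is allowed to see."""
    return [f for f in findings if f.agency == agency]


def enterprise_roadmap(findings, today=TODAY):
    """All findings, highest risk first; ties broken by asset name."""
    return sorted(findings, key=lambda f: (-risk_score(f, today), f.asset))


def patch_roadmap_by_cve(findings, today=TODAY):
    """Collapse findings into one row per CVE so one patch closes many rows."""
    by_cve = defaultdict(list)
    for f in findings:
        by_cve[f.cve].append(f)
    rows = []
    for cve, group in by_cve.items():
        rows.append({
            "cve": cve,
            "max_score": max(risk_score(f, today) for f in group),
            "assets": sorted(f.asset for f in group),
            "agencies": sorted({f.agency for f in group}),
        })
    rows.sort(key=lambda r: (-r["max_score"], r["cve"]))
    return rows


if __name__ == "__main__":
    print("Enterprise view:")
    for f in enterprise_roadmap(SAMPLE_FINDINGS):
        print(f"  {risk_score(f):6.2f}  {f.agency:9}  {f.asset:11}  {f.cve}")
    print("Patch roadmap (one row per CVE):")
    for row in patch_roadmap_by_cve(SAMPLE_FINDINGS):
        print(f"  {row['max_score']:6.2f}  {row['cve']}  {', '.join(row['assets'])}")
    print("What agency-a sees:")
    for f in enterprise_roadmap(agency_view(SAMPLE_FINDINGS, "agency-a")):
        print(f"  {risk_score(f):6.2f}  {f.asset:11}  {f.cve}")
```

The per-CVE roadmap is the "living document" view: the same CVE on a low-criticality kiosk and a high-criticality file server becomes one patching task ranked by its worst instance, and the agency-scoped list is what a less mature agency would receive without logging in.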
“We’re definitely making progress, and I’m happy with where we’re trending,” she said.
With the implementation in place, Thompson shared where she hopes to help take the CDM model next in the state.
“The next step is to fine tune our metrics. What I don’t want to do is to be another tool that spits out reports and they’re not actionable. It needs to be able to give the agencies a roadmap on how best to approach each vulnerability.”
NC DIT also has further opportunities to expand the program, as the department provides IT support to many of the local governments and education systems in the state.
“That’s something that is definitely one on my strategic roadmap, is to pull them in. We don’t have funding to support that as yet, but there may be pieces of it we’re able to accomplish,” she said.
Advice for Other States
With the lessons learned from North Carolina’s deployment of a CDM model, Thompson has some advice for leaders in other states on how they should look at the program.
First and foremost – IT leaders need the budget and leadership backing to make the program as effective as possible.
“The first thing is funding. I’ve spoken to my peers, and it’s always about the funding. You make decisions based on the funding, you scope your programs based on the funding, and it’s a difference of whether you go whole-of-state, or whole-of-executive branch agencies. The funding is a key thing,” Thompson emphasized.
And while the first instinct may be to explain the benefits to security professionals who will get excited about CDM, IT staff also need to present the benefits to leadership and other stakeholders, in clear and concise language.
“I need to evangelize it to the higher leadership group, because it’s definitely being seen at CISO and security liaison level, but I don’t believe that is making its way to where the higher-level folks are able to be brought into discussions on this,” she said.
Tenable’s Public Sector VP, Bill Kurtz, is confident that the potential cost savings of a CDM model will get the attention of state-level leaders: “CDM has been a very successful program at the Federal level. Taking a similar, more centralized, approach to the acquisition of cybersecurity tools like Tenable will enable state governments to realize not only a proven, viable framework for managing security risk, but the model can also provide states with budget efficiencies to free up funding for other programs.”
On the technical side, states can look to the Department of Homeland Security and the Federal CDM program for a model as well.
“For states and cities looking to set up similar programs, our requirements and our architecture could be helpful to them, and we are happy to share that information with those communities,” Kevin Cox, CDM program manager at DHS, told MeriTalk.
A key piece of advice from Thompson is to avoid taking every detail from the Federal version of CDM. Instead, she said, states should focus on the most relevant pieces.
“Think of it as a framework. I would liken it to the adoption of the NIST Risk Management Framework – when you’re utilizing the controls, you may not necessarily adopt all of them, because they may not be germane to your environment. I would say, take a look at the Federal CDM program, and tailor it to your environment,” she said.
CDM deployment also required reaching across silos within the IT team, and taking an enterprise-level approach to gain enterprise-level benefits.
“Establishing what CDM is in an organization and how these different pieces interconnect to create that entire picture is key,” said Thompson. “A lot of times, we in the security teams tend to focus on just the security aspect of it – the deployment of the tool, the reporting, and so on – but we’re not pulling in those various stakeholders such as our desktop group, who are responsible for the patching piece of it, or the asset inventory teams, and making sure that when they go off and do their projects, they are pulling in the security team to be part of that, so we can create that strong lifecycle for CDM.”