GCN : July 2015
INDUSTRY INSIGHT

What your agency can learn from the CDM rollout at DHS

BY PATRICK D. HOWARD

It has been a long 18 months since the Department of Homeland Security launched the Continuous Diagnostics and Mitigation (CDM) program in September 2013. Some of the fruits of that planning might soon be coming into view.

DHS is first in line to begin implementing the program’s Phase I capabilities, which include hardware and software asset management, configuration management and vulnerability assessment. With DHS as the guinea pig, this presents a unique opportunity for your agency to learn from another’s experiences before undertaking your own.

As a former chief information security officer at two federal agencies, I can’t overstate the value of learning from another agency’s trials, lessons and successes when anticipating and preparing for your own endeavor. The CDM integration across 11 DHS organizational units will deliver a great deal of insight that could help other agencies avoid hazards and optimize technical implementation and project management to reduce information security risk.

Let’s consider the areas in which your agency might benefit:

1. Technical implementation. Pilot projects are typically the most effective way to launch projects of this magnitude. DHS will fast-track the technical project at one of its organizational units, and the results will serve as an instruction set of sorts for the rest of the department — and a prototype for the agencies that will soon follow.

Other benefits include know-how on integrating Phase I products, overcoming issues associated with connecting to the federal IT Dashboard and learning how best to aggregate and normalize sensor data. Similarly, the application programming interfaces and integration packs that DHS develops could be repurposed and made available to other agencies.

2. Project management. Understandably, there’s a great deal of interest in knowing what effort and resources will be needed for implementing the second task order.

Rather than relying on initial labor and timeline estimates, agencies could draw on DHS’ actual experience to gain a far more realistic idea of the staff required and the project’s duration. Details about how the actual implementation varied from the planned project estimates will be useful to both agencies and vendors.

Other lessons from the implementation include how to get employees involved and the types of communications and reporting that are most effective for managing the process.

3. Risk management. Once the CDM capabilities are in place, agencies can see how DHS is using the system outputs to manage and lower risk and how it’s making progress on achieving ongoing authorization goals. That insight could include the metrics and processes DHS devised for scoring and prioritizing risk.

It is a great opportunity to show how CDM moves from a compliance-based, three-year cycle of risk management to one of ongoing, real-time information security. The results will help agencies build support for CDM throughout their organizations and position the program for success.

That cycle of feedback also benefits vendors by helping them refine and improve the products and services associated with their solutions and learning how they can best train and assist agencies on their use.

Ultimately, the CDM program’s success hinges on communications among DHS, other agencies and vendors. We all have a stake in this information security partnership. By sharing the right information and feedback at the right time, we can learn and adjust — and make improvements as we go forward.

— Patrick D. Howard is former CISO at the Nuclear Regulatory Commission and the Department of Housing and Urban Development. He is currently program manager for CDM and CMaaS at Kratos SecureInfo.