The Next Chapter in Federal Cybersecurity

I recently appeared on a panel for Federal Times at their “The Next Chapter in Federal Cybersecurity: Continuous Monitoring & Identity Access for Secure Networks” breakfast event. I was joined by Deborah Gallagher, Director, Identity Assurance & Trusted Access Division, Office of Governmentwide Policy, GSA and Paul Grant, Strategy Advisor for Cybersecurity, Defense Department, Office of the CIO.

We didn’t get through all the questions, so I thought I’d continue the conversation here.


What are you observing in terms of federal demand for continuous diagnostics and mitigation (CDM) and identity/credential/access management (ICAM) solutions? What are the trends and what are the most active and least active agencies in the federal market?

DLT Solutions has been marketing information security solutions for several years oriented to the SANS Top 20 Critical Security Controls. In fact, we maintain a matrix that identifies how each product or solution supports each critical security control.

We are definitely seeing an increase in demand during the past year versus prior years. This is being driven by several factors:

  • An increase in security incidents at all levels and branches of government
  • The executive branch’s focus on measuring agencies' information security posture
  • Increased budgets for cybersecurity

There is also an increased interest in cybersecurity education. By that I mean we’ve seen more consulting with our information security sales engineers and higher attendance for real-time and on-demand webinars.

The CDM focus on the most basic controls - asset management, configuration management, and vulnerability assessment - has been, I believe, an accelerator for the process of improving information security because it focuses on the basics.

How are agencies approaching the vendor community for their CDM and ICAM needs? Are they following similar acquisition strategies and adopting similar requirements or do you see much variation in the market?

It's a mixed bag really. We started receiving procurements generated through the CDM BPA several months ago. Other sales continue to come through systems integrators who have been contracted to implement CDM solutions. Some of our sales are directly to agencies that are looking for an upgrade for a specific product that has been in their security architecture for some time.

Although I expect the CDM BPA will become popular, especially because of the financial incentives, we have not seen a strong ramp-up yet. This may be from a lack of familiarity among buyers with the details of the BPA and the Department of Homeland Security program. Or it may be that agencies already have products in place for the basic controls.

How is the commercial technology sector evolving in terms of the CDM and ICAM solutions they are offering?

Let's face it, the cybersecurity challenges that we are experiencing today, and the techniques and solutions that are evolving in response, have appeared very rapidly when compared to familiar, more mature IT building blocks like databases, email, storage, ERP systems, information technology infrastructure library (ITIL), and the like.

Information security staffs have to develop an approach that fits their own unique needs, choosing from among a vast number of point solutions and suites. And they have no control over what the offense will develop next month, to which they must be able to respond.

I believe that the most successful solutions are becoming those that are based on open standards so that open standard products can be quickly integrated into the customer's information security suite.

Our ForeScout OEM partner is a good example. 11 of the 17 recipients of the CDM BPA feature ForeScout CounterACT as a key component of their CDM solution. ForeScout provides real-time visibility and control of all endpoints on the network, and what makes ForeScout such a compelling choice is that it has been developed so that it can be deployed without rearchitecting the network and integrates with 100% of the existing network infrastructure.

How are mobile and cloud requirements changing the landscape in terms of CDM and ICAM solutions being offered?

Mobile devices were a really difficult challenge two years ago, but I believe they are less so now that solutions have evolved to address the range of mobile device operating systems, as well as new mobile device management approaches to authentication and to controlling loss of devices and sensitive data. Android has been a particularly attractive target for bad actors because of its wide proliferation. Industry has responded, though, and security products have been developed and deployed to better secure Android devices.

The cloud initiative will definitely have a positive impact on utilization of managed security services (like Symantec’s) as these services can be readily implemented in a cloud-services environment.

With respect to ICAM, the Federal Cloud Credential Exchange pilot for citizen-facing systems is interesting.

How would you assess the sophistication of federal customers in terms of understanding their CDM and ICAM requirements and their market research as they look to fulfill those requirements?

We see a range: requests for a specific product from knowledgeable customers, to requests to propose a solution, to a set of requirements for which the agency staff may not have a clear idea of what is available. As providers of these technologies, we get a lot of satisfaction in working directly with customers to help them define the solution that best fits their needs.

Where are the biggest gaps and challenges remaining in terms of federal CDM and ICAM implementation?

I think the biggest challenge for agencies is the tradeoff they must make with limited budgets and multiple IT initiatives.

  • Do you shortchange your mission-critical systems to bring your information security systems into compliance?
  • Do you upgrade your information security systems before or after you consolidate your data centers?
  • Do you train your existing break-fix IT technicians to perform CDM effectively or do you hire in staff with proven skills and experience – if you can even find and afford them?

On the technology or product side, the biggest gaps are the need to continue to embed ever more effective automation into products; to deliver products that use open standards so that they will more readily integrate into existing architectures; and to simplify implementation tasks and migration tasks where migration of CM or identity information, for example, is a consideration.