A recent SANS Institute survey says that around 30 percent of federal agencies and contractors have not yet adopted the Department of Homeland Security‘s program for continuous diagnostics and mitigation, Federal News Radio reported Wednesday.
Jared Serbu reports that the results of the online poll from earlier this year also indicate that while those that have already implemented CDM are experiencing positive results, a significant percentage pointed to a lack of information on CDM from DHS or senior agency IT officials.
“The point is to pull together the questions of what problems you’re trying to solve, what are the technologies you need to solve that problem and how you build workflows and processes to create a feedback loop that actually creates better cybersecurity,” said Tony Sager, director of the SANS Innovation Center.
According to the report, most agencies that have joined the DHS program and received implementation funding under a potential $6 billion blanket purchase agreement are seeing improved cybersecurity or lower spending in IT procurement.
Other survey respondents indicated a need for continuous security metrics to identify areas that need further improvement based on their security gap assessments.
Serbu writes that the DHS program is still in the vulnerability management stage of its rollout, with most of the funding centered on managing the configuration of networks and many agencies wary of using the continuous monitoring-as-a-service offering.
Most of the survey respondents who have not yet adopted CDM in their agencies are looking for further DHS guidance on the program’s applications before actually implementing it, according to the report.
“We’re not doing these things just because they’re good things to do. We want specific improvements,” Sager said.
“Some of this is a statement of the relative newness of the program, and it also helps us be aware that we need to put in place a measurement system that helps us put in place the right technologies that help us manage the problem.”
Symantec is one of the sponsors of the SANS Institute survey.