The Government Accountability Office (GAO) has recommended that the Department of Homeland Security (DHS) improve its implementation of the Continuous Diagnostics and Mitigation program by ensuring that contractors configure their cybersecurity tools to provide unique identifiers for hardware on agency networks.
GAO made the recommendation after it found that CDM tools used by three selected agencies – Federal Aviation Administration (FAA), Small Business Administration (SBA) and the Indian Health Service (IHS) – did not offer an accurate count of the hardware on the agencies’ networks, according to a report published Tuesday.
The congressional watchdog found that two of the three agencies had deployed CDM tools to manage software on their networks. The selected agencies were also found to have used such tools inconsistently to compare configuration settings against agency-specific variations and federal core benchmarks.
According to the report, the agencies cited challenges in implementing the CDM program, including addressing issues with integrators and planning for staff and funding resources.
GAO said DHS had initiated steps to help address such challenges. These include monitoring risks of insufficient resources, enabling agencies to comment on contractor performance and holding customer forums to allow agencies to air their concerns.