This post is a summary from a session at Adapt 2024: Reimagining Our Federal Cyber Future — our second annual one-day conference dedicated to unpacking the complex challenges facing Federal IT, cybersecurity, and operations teams.
CISA and Marine Corps leaders discuss how they manage their evolving asset landscapes.
Federal agencies’ software asset ecosystems aren’t just growing, they’re rapidly changing. Whereas many assets used to be well within agencies’ traditional perimeters, expanding cloud and mobile infrastructures are causing organizations to rethink how they inventory and protect assets.
“We used to want to be ‘on the box’ and we still want to be, meaning we’ve rolled out a lot of agents, a lot of traditional software asset management technologies,” Richard Grabowski told attendees at Adapt 2024.
“We’re seeing more and more, it’s going to be ever more increasingly important to be ‘on the wire’ as well. As IT evolves and you get into the cloud, you get into mobile, there have to be different approaches you have to take. [CISA has] been looking to modernize the program by going after different asset classes and employing different methodologies.”
Grabowski, the deputy branch chief of capability implementation and the deputy program manager for the Continuous Diagnostics and Mitigation Program (CDM) within CISA, maintained that the “tried and true familiar products” the agency used in the past were no longer sufficient for modern software asset management (SWAM).
“It’s ever more important to not only understand your vulnerability exposure, but also what’s on your network because you can rapidly triage based upon those inventories,” said Grabowski. “We’re trying to be that second set of eyes for agencies by using comprehensive enterprise software inventories to help generate awareness and partnerships with agencies on risk mitigation.”
Know your network, know your software
David DiEugenio, CIO of the U.S. Marine Corps Recruiting Command, believes modern, comprehensive, yet simplified SWAM solutions and processes are essential, especially as tool sprawl continues to grow.
“We had multiple tools with multiple presentations of information, and a limited number of folks with the skillset and understanding to be able to reconcile that,” he said. “We’ve started to modernize and work through some things more recently to really get to be not quite a single pane of glass, but almost. And so there’s a whole lot less reconciliation, and we’ve become much more efficient and effective.”
Modernization efforts like DiEugenio’s are about evolving processes so teams can become more agile while their agencies become more secure. The key is to focus on what’s most important.
“Know what’s on your network, and know the software running on your network,” he advised. “Our ability to understand that really makes all the difference. If you don’t really know those two things, then there’s a ton of vulnerabilities and potential threats that are out there that you can’t track and manage.”
The next evolution of the CDM program
CISA is also modernizing its CDM program to meet the requirements of a rapidly expanding and evolving software asset landscape. “The program has been around since 2014,” said Grabowski. “We’ve witnessed a pretty significant evolution of not only the tools that are out there, but also innovative ways to do data engineering. And sometimes over time you can have things that are better, faster, and cheaper at a much more expeditious timeline.” Grabowski said CISA wants to “take advantage of those innovations.”
As the CDM program progresses, its importance to SWAM and its ability to detect potential threats across organizations’ entire ecosystems will strengthen. “We’re only scratching the surface right now in terms of software asset management,” Grabowski explained. “(As) we get into things like SBOM (software bill of materials), build materials, and open source security…we can have a better understanding comprehensively of what the actual threat landscape looks like.”
Data sharing leads to better insights and visibility
Indeed, data will drive new opportunities for asset visibility, driving new insights into potential vulnerabilities and how to address security gaps. Grabowski said CISA is becoming more data-centric and less tool-centric, while explaining that the agency is collaborating with partner agencies that share their data with the federal organization. This data helps improve inference engines to provide CISA’s customers with more precise asset management recommendations.
Data sharing will also help agencies address shadow IT challenges. The more information organizations have, the more likely they are to uncover the blind spots within their environments. “We can partner with a FedRAMP, we can partner with some of our other subdivisions here who have a lot of the external scanning data to present a holistic profile so that there’s only a sliver of what’s unknown,” said Grabowski. “It’s about making sure the right data is being analyzed properly and being shared at machine speed.”
A single platform for mission success
Traditionally, agencies have attempted to fix their asset management challenges by over-engineering them and investing in too many point solutions. But both Grabowski and DiEugenio warn that having too many point solutions only muddies the waters when trying to gain a good sense of what’s happening on an agency’s network.
Organizations can change that approach by making smart investments in the right technology and then efficiently applying that technology wherever it makes the most sense. For example, instead of re-engineering existing, mature tools that already work well, Grabowski recommends integrating those tools into a modern “enterprise-sensing platform.” This requires an asset management platform that works well across the board, regardless of the disparate tools an agency may already be using.
Narrowing SWAM down to a single platform will also help government employees focus on the mission, which is what matters the most at the end of the day. They will not have to worry about learning or keeping up with multiple systems. As such, they will have more time to focus on what DiEugenio referred to as “unity of command and understanding”—the Marine Corps’ unwavering commitment to the single objective of serving its country.
Narrowing in on their most important assets and where they are on a network will help agencies reach their own objectives, said DiEugenio. “Focusing on the high-value assets and prioritizing those efforts (will lead to) a better outcome.”
