A history of CMS’ continued pursuit of Cyber Risk Management modernization

Navigating the vast digital ocean of today's ever-changing information technology can feel akin to leading a fleet of ships to a faraway destination. In a large government organization, the challenge is managing this fleet to safely journey through a sea teeming with potential cyber threats. The Centers for Medicare and Medicaid Services (CMS) has been charting a course for the last decade and has become adept at ensuring safe passage for its FISMA systems. In this article, we look at the history of CMS cyber risk management (CRM) and how the Security Data Lake (SDL) has become the compass and map guiding CMS on a continued course of CRM modernization.

CMS began planning this voyage a little over a decade ago. At that time, CMS IT security was decentralized and spread across several groups within the Office of Information Technology (OIT). Essential cyber risk management functions were managed using 11x17 Excel spreadsheets and Access databases called KISS. Outside of its 1/3rd audits, CMS possessed limited visibility into its federated network of approximately 48 data centers. Any change in IT security procedures or introduction of new technology at headquarters required a memo from the CIO, along with several meetings with data center teams and component leadership, in order to secure buy-in. Almost all processes were manual and required teams across components to be on the same page before any discussion of modernization could begin. Charting a new course for the fleet was a challenging task. Luckily, we had several CISOs, each of whom ushered in new ways of thinking and pushed the fleet to change how the agency performed CRM.

The CRM Journey Begins 

The CMS CRM journey began almost a decade ago with the Enterprise Vulnerability Management (EVM) program. This was the first point in CMS's development of its CRM compass, directing its ability to identify, assess, and mitigate cyber threats. The initial cohorts for the EVM program were rolled out over a three-year period and gave CMS its first glimpses into identifying its IT risk. One of the big wins for the program was its discovery of a data center that was running a base Windows operating system on numerous systems with no service packs. The program modernized how CMS managed vulnerability and patch management, identifying efficiencies in how it assessed and mitigated threats. Over the first three years of the program, it not only improved the agency's security posture by 90% but also became the north star for the agency's future programs and associated deployments. Over the next several years, OIT began to merge many IT security functions under one organization, the Enterprise Information Security Group (EISG). This realignment began building the foundation of the CMS CRM vision as EISG matured and assimilated other areas related to policy, training, privacy, and audit compliance. Within a short period, these functions developed a shared focus. This led the group to several internal tool deployments that promoted efficiencies in how risks are identified, processed, and communicated. These changes strengthened the foundation of the emerging program and reinforced the development of future initiatives in the areas of enterprise governance, risk management, and compliance. The group would later be renamed the Information Security and Privacy Group (ISPG), encompassing all of its roles in managing IT security and privacy risks.

ISPG Initiatives 

In the early days of ISPG, the cyber risk management program (CRMP) began to grow and modernize at speed. The group began to implement additional tools and develop partnerships with data centers that led to the creation of the CMS Cyber Integration Center (CCIC). The CCIC was the first initiative within CMS to centralize all of the agency's CRM functions. With the addition of the phase one tools from the Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM) program, ISPG began to peer into CMS' endpoints and their supporting software, identifying IT risk in near real time. In parallel with these modernization efforts, ISPG started several initiatives, such as the Cybersecurity and Risk Assessment Program (CSRAP), Ongoing Authorization (OA), CMS CDM, and Cyber Risk Reporting, to take advantage of the information gathered from these tools and the CCIC. These efforts propelled CMS into becoming a beacon for other HHS operating divisions and government agencies to follow. The CMS CRMP now ingests, processes, analyzes, and reports on large data sets that support key agency programs and initiatives. As CMS continues to drive CRM to become more proactive in how it handles risk, it recognizes the need to implement an SDL.

The CRMP SDL 

For CMS, the SDL will be a centralized repository designed to store, process, maintain, secure, and govern large amounts of structured, semi-structured, and unstructured logs, telemetry, events, and other data sources relevant to CMS' CRM goals. These attributes make the SDL critical to the CRMP as new capabilities and their resulting tools are implemented organization-wide, further expanding ISPG's visibility. The SDL will allow CMS to easily expand its security datasets by pooling data from multiple sources (existing and future), offering a scalable, holistic view of the enterprise. It is important to note that the SDL is not a business intelligence and dashboarding tool, nor a data warehouse. It supports and complements these tools, allowing the various CMS security teams to access, analyze, transform, and research a full-fidelity corpus of data in a more efficient and highly scalable fashion. Implementing the SDL in the CRMP is the first step in dramatically enhancing the effectiveness of CMS' CRM while building the foundation for future strategic initiatives focused on Zero Trust, Risk-Based Program Management, and meeting OMB memoranda.

Conclusion 

Modernizing cyber risk management is a complex, ongoing process that requires a strategic approach, investment in technology, and a commitment to creating a culture of security. CMS has demonstrated a commitment to this over the last decade. In an effort to continue this modernization of its security program, CMS plans to remain adaptable to the digital sea's ever-changing conditions. CRM provides the strategic planning of the direction of the journey, and Security Data Lakes offer the map to navigate through the stormy seas of cyber threats. For CMS, this modernization is not just about protecting data but also about safeguarding the trust and security of the citizens it serves.

About the author: Omar Nolan is a member of the CRM Team. He is a contractor with the Information Security and Privacy Group (ISPG) Division of Implementation and Reporting (DIR). He has supported CMS for 13 years in various cybersecurity capacities.
