Continuous Diagnostics and Mitigation (CDM) is the path forward for improved security of government networks. The Department of Homeland Security has been a major driver of CDM in the federal space, and GovTransformer reached out to DHS for their take on progress to date.
What follows below is a background interview conducted by GovTransformer through by DHS Public Affairs. These responses come directly from DHS but are not to be attributed to any specific executive.
GovTransformer: Please describe CDM, and how it advances online security.
DHS: The Continuous Diagnostics and Mitigation (CDM) program is a dynamic approach to fortifying the cybersecurity of computer networks and systems. The program enables Federal Government agencies to manage security by comparing what their network looks like (actual state), to what it should look like (desired state), and presents the differences in a way that prioritizes the worst issues first.
First, agency-installed sensors perform an automated search for known cyber flaws.
Results feed into a local dashboard that produces customized reports, alerting network managers to their worst and most critical cyber risks, based on standardized and weighted risk scores.
- Prioritized alerts enable agencies to efficiently allocate resources based on the severity of the risk.
Progress reports track results and
Summary information will feed into a centralized dashboard administered by DHS, which will allow comparative assessments of agency risk postures.
The benefits of CDM include:
- Speed: Automatically identifies vulnerabilities and rapidly provides a common operational picture of network health and integrity
- Priority Resolution: Enables leadership allocate resources to resolve the most significant risks first
- Unity of Effort: Focuses personnel across federal governments on positive security outcomes based upon a common lexicon
- Valued Metrics: Allows comparison of cross-agency performance using common objective data
- Strategic Sourcing: Pools buying power to reduce total costs for purchasing cybersecurity tools and services
GovTransformer: What’s the role of DHS’s Federal Network Resilience (FNR) Division in promoting CDM?
DHS: The CDM Program Management Office resides in FNR division. FNR executes the CDM program procurement in partnership with the General Services Administration (GSA), serves as the primary liaison for CDM-implementing departments and agencies, develops foundational program architectures and procedures, and will manage the federal CDM dashboard.
GovTransformer: Are task orders proceeding as you’d like under the GSA BPA?
DHS: The first award under the CMaaS BPAs, in January 2014, marked another milestone for the CDM program. We are committed to deploying CDM tools and services as quickly and efficiently as possible. We are particularly pleased to report that strategic sourcing resulted in an average 30 percent reduction off GSA Schedule 70 pricing for the commodities purchased for a budget avoidance of up to $18 million.
The tools delivered under these awards are already being installed in the 21 participating Departments and Agencies, further strengthening their network security. We are actively planning the next set of awards, this time to provide both tools and integration services. Additionally, the BPA is available to state, local, tribal and territorial government entities and we have had engagement with, and inquiry from 36 states through various associations.
GovTransformer: What’s the connection between CDM and FISMA?
DHS: Congress funded the CDM Program in part to support Federal Information System Management Act (FISMA) reporting, and to improve the ability of the Federal Government agencies to address potential gaps in their cybersecurity environments.
Under the current FISMA approach thousands of assessments and other reports are written and issued. This information is out of date the moment it is printed, providing only a snapshot in time versus real-time identification of problems. This approach is unresponsive, uneconomical, and unsustainable.
CDM redirects resources, time, and expertise away from manual reports. With automated control testing and ongoing validation cycles, government entities are able to know the state of their respective networks at any given time and act on the relative risks of vulnerabilities and flaws, and as a result, CDM will defend against the prevalence of compromises affecting government IT networks.
Under CDM, automated near-real-time network scanning accomplishes many of the requirements of the annual or triennial manual reviews required by FISMA by automating the reporting process. Agency-level CDM dashboards will automatically gather and report a significant portion of information required under FISMA metrics to the federal dashboard.
NIST and DHS are working on and will publish a NIST Interagency Report addressing specifics on using CDM to automate Ongoing Assessments, thereby fulfilling a key FISMA requirement to periodically test security controls.
GovTransformer: How long do you think it will be before civilian agencies have CDM systems in place?
DHS: FNR is committed to deploying CDM tools and services as quickly and efficiently as possible, following both the DHS Acquisitions process and best practices and processes from our GSA partners. Twenty-one departments and agencies have already received tools from the first award and are actively implementing them now.
Consistent with the Information Security Continuous Monitoring (ISCM) Concept of Operations (CONOPS), the CDM Program covers 15 continuous diagnostic capabilities. Capabilities are established at every level of the network, not just the periphery, which gives agencies the ability to see how effective their systems are.
The first phase of CDM focuses on four functional capabilities: management of hardware and software assets, configuration management, and vulnerability management, which are foundational capabilities to protect systems and data.
Roll-out of CDM capabilities is a three-phase process:
1. Phase 1 – Protect end-point devices: Scan and ensure devices are identified and properly configured (Current Phase). Includes:
- HWAM – Hardware Asset Management
- SWAM – Software Asset Management
- CSM – Configuration Settings Management
- VUL – Vulnerability Management
2. Phase 2 – Manage users and their permissions: Make sure that users only have access to the information they are authorized by their roles (beginning in FY15). We are analyzing the responses that we received in response to a Request for Information (RFI) that GSA released to the BPA holders soliciting their input on existing industry capabilities in this area. Includes:
- TRUST –Access Control Management (Trust in people granted access)
- BEHV – Security-Related Behavior Management
- CRED – Credentials and Authentication Management
- PRIV – Privileges
- Boundary Protection (Network, Physical, Virtual)
3. Phase 3 – Manage events: Rapidly identify, respond to, and resolve/mitigate cybersecurity issues and threats (planned to begin in FY16). Includes:
- Plan for Events
- Respond to Events
- Generic Audit/Monitoring
- Life Cycle Requirements, Policy, etc.
- Life Cycle Quality Management
- Life Cycle Risk Management