In 2003, Xceedium’s CSO Ken Ammon testified to Congress on the core issues of cybersecurity. Over a decade ago, he described the connected world in which we live, where a single event can affect the rest of a system. Ken asked the House Reform Committee to consider two recommendations: spending that was more pragmatic and risk-based, and security that was better integrated into the integrity of the IT infrastructure.
Today, we are even more interconnected than ever before, and the concept of inside vs. outside systems has been completely eradicated. We are pleased to address the fact that government has stepped up as a leader in identifying policies and best practices for cybersecurity through the federal Continuous Diagnostics and Mitigation (CDM) program, which hits on the points Ken brought to light over a decade ago.
As our web of connectivity becomes more and more intricate, so too have the policies set forth by government agencies. It’s important to understand how CDM, now embarking on Phase II, maps into the current field of security policies and law, including ICAM, HSPD-12, FISMA, and FedRAMP.
After September 11, 2001, our world was challenged to better understand questions about the people we have inside our buildings and systems, and what we really know about them. As a result, the Identity, Credentials and Access Management (ICAM) program was born to integrate the management of identity information, credentials and security access to buildings, networks and information technology systems.
Hackers have recognized for quite some time that the core weakness in our infrastructure is the ability to gain access to and leverage the credentials of existing users – the same weakness exploited by Snowden. To combat this, IT security needs to focus on better managing the credential check process before a person even walks into a facility and on into our logical infrastructure. This is where ICAM and CDM Phase II intersect.
By combining ICAM and CDM and adopting the mindset of identity as the new perimeter, we can greatly reduce exposure to insider and outsider threats. By following ICAM’s Maturity Model Approach, any organization can show the extent of its CDM progress, regardless of its starting point. This is critical, since not all agencies share the same baseline of security. Organizational security can be assessed and broken down to one of the levels of maturity, applied selectively so organizations can implement CDM capabilities over time, and measured to determine how much progress has been made. CDM overlays with ICAM.
Costly and ineffective manual processes are also out the door. Gone are the days when we would call Jane on the fourth floor to ask for access into a certain network. More often than not, such manual processes would take weeks before an employee received the right credentials and also potentially open the door to new vulnerabilities. Using an automated access lifecycle management (ALM) process allows us to better manage the data needed for successful implementation of ICAM and CDM.
CDM provides a level of consistent auditing and reporting not previously seen – which is essential, because if you don’t know what you’ve got, you don’t know what you’re protecting. The capabilities outlined in CDM Phase II take ICAM to the next level, with a goal of educating agencies across the board on how to implement the best defensible position. In fact, these two puzzle pieces work effortlessly together to allow identity to serve broader priorities.
Celebrating its 10th anniversary this year, the Homeland Security Presidential Directive 12 (HSPD-12) works side-by-side with ICAM to assist government in moving toward stronger authentication methods. As a result of HSPD-12, PIV/CAC became a mandate for federal employees and contractors to gain logical access to federal infrastructures and physical access to government facilities, and it is still being implemented today. CDM Phase II bolsters HSPD-12 by addressing both physical and logical access, which are otherwise not tied together. With the pending implementation of CDM Phase II, interoperability will be encoded into a suite of solutions to enable applications in the virtual space.
How does this look? The core of a sound security model is trusted identity and multi-factor authentication. Identity verification and background investigation are required prior to activating an individual’s PIV/CAC, and then the system needs to understand how those credentials translate into access of sensitive information. Network defenders need to make a clear distinction between authentication and authorization. To enforce least privilege and ensure infrastructure integrity we must go beyond authentication. Now, we must identify, verify, and only then grant the specific level of access necessary at any given time.
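To make the "identify, verify, and only then grant" sequence concrete, here is an added example (not code from the original post or from Xceedium). It keeps authentication (is this the proofed person holding the credential?) strictly separate from authorization (does this person hold a scoped, time-bounded grant for this action right now?), and records every decision for audit. All names, users and secrets are constructed; a PIN-style secret stands in for PIV/CAC certificate validation, which the example does not implement.

```python
"""Added example: authentication kept separate from least-privilege
authorization, with time-bounded grants and an audit trail.
All identities, resources and secrets below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
import secrets


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Illustrative stand-in for credential validation; a real PIV/CAC flow
    # would validate the card certificate and PIN, not a stored password hash.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Identity:
    subject: str
    proofed: bool          # identity verification and background check completed
    salt: bytes
    secret_hash: bytes


@dataclass
class Grant:
    subject: str
    resource: str
    action: str
    expires_at: datetime   # every grant is time-bounded: least privilege over time


@dataclass
class AccessControl:
    identities: dict = field(default_factory=dict)
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def enroll(self, subject: str, secret: str, proofed: bool) -> None:
        salt = secrets.token_bytes(16)
        self.identities[subject] = Identity(subject, proofed, salt, _hash_secret(secret, salt))

    def authenticate(self, subject: str, secret: str) -> bool:
        """Authentication answers only 'who is this?'; it grants nothing."""
        ident = self.identities.get(subject)
        if ident is None or not ident.proofed:    # credential not activated until proofing is done
            return False
        return hmac.compare_digest(ident.secret_hash, _hash_secret(secret, ident.salt))

    def grant(self, subject: str, resource: str, action: str, ttl: timedelta, now: datetime) -> None:
        """Access lifecycle management: grants are explicit, scoped and expire."""
        self.grants.append(Grant(subject, resource, action, now + ttl))

    def revoke(self, subject: str) -> None:
        self.grants = [g for g in self.grants if g.subject != subject]

    def authorize(self, subject: str, resource: str, action: str, now: datetime) -> bool:
        """Authorization answers 'may this person do this, here, now?'."""
        return any(
            g.subject == subject and g.resource == resource
            and g.action == action and g.expires_at > now
            for g in self.grants
        )

    def request(self, subject: str, secret: str, resource: str, action: str, now: datetime) -> str:
        # Identify and verify first; only then consult the grant, and log the outcome either way.
        if not self.authenticate(subject, secret):
            outcome = "denied:authn"
        elif not self.authorize(subject, resource, action, now):
            outcome = "denied:authz"
        else:
            outcome = "allowed"
        self.audit.append((now.isoformat(), subject, resource, action, outcome))
        return outcome


def demo() -> list:
    """Walks through the common cases; returns the sequence of decisions."""
    ac = AccessControl()
    t0 = datetime(2014, 10, 1, 9, 0, tzinfo=timezone.utc)
    ac.enroll("alice", "alice-pin", proofed=True)
    ac.enroll("bob", "bob-pin", proofed=False)        # proofing not finished: credential inactive
    ac.grant("alice", "personnel-db", "read", timedelta(hours=8), t0)
    results = [
        ac.request("alice", "alice-pin", "personnel-db", "read", t0),    # authenticated + granted
        ac.request("alice", "alice-pin", "personnel-db", "write", t0),   # authenticated, no grant
        ac.request("alice", "wrong-pin", "personnel-db", "read", t0),    # bad credential
        ac.request("bob", "bob-pin", "personnel-db", "read", t0),        # unproofed identity
        ac.request("alice", "alice-pin", "personnel-db", "read", t0 + timedelta(hours=9)),  # expired
    ]
    ac.revoke("alice")
    results.append(ac.request("alice", "alice-pin", "personnel-db", "read", t0))  # revoked
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the split is visible in the second and fifth cases: a perfectly valid credential still yields a denial when no current grant exists, and the audit entry distinguishes an authentication failure from an authorization failure, which is exactly the distinction network defenders need when reviewing access reports.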
Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. FISMA, along with the Paperwork Reduction Act of 1995 and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), explicitly emphasizes a risk-based policy for cost-effective security. CDM’s benefits are steeped in measures and metrics and include certification and continuous. CDM is often categorized as the “serious approach” to security, one that goes a step further than the typical paperwork baseline methods established long ago. CDM helps support the FISMA reporting process, as it automatically gathers and reports the required information for agencies to digest in 72-hour cycles.
The Cloud First policy mandates that agencies take full advantage of cloud computing benefits to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost. And what about security? The Federal Risk and Authorization Management Program (FedRAMP) entered the security arena in 2012 to ease adoption concerns. FedRAMP is the do-once, use-many-times security model that ensures cloud service providers (CSPs) maintain a proper security posture.
Although FedRAMP differs from CDM, it still encompasses similar ideals based on guidance for implementing an information security continuous monitoring program – brought forth by NIST SP 800-137. The difference is the end-user of each program. FedRAMP looks at the external provider, in this case the CSPs, whereas CDM addresses government assets. FedRAMP doesn’t build out solutions from an identity management aspect, but rather looks at how CSPs’ systems compare to set requirements. FedRAMP lets CSPs demonstrate they are implementing multi-factor authentication, account management and auditing policies. No plans have been announced to integrate a more unified risk-based approach between each program, but we are likely to see it in the future.
Understanding how CDM fits in with ICAM, FISMA, HSPD-12, and FedRAMP is an important step to meaningful implementation that goes beyond checking off the required boxes. CDM’s goal isn’t to add more requirements – it’s to put the final pieces in place to standardize security monitoring across government.
We’re learning more and more about CDM and so I appreciate your perspective on it. Thanks, Dale!