Government information networks have become more interconnected and diverse than ever before, and with that the risk of cyberattacks has increased. To help civilian agencies detect, mitigate and remediate attacks, DHS has established the Continuous Diagnostics and Mitigation (CDM) program, which will give government officials greater visibility into their networks and improve their cybersecurity posture by expanding their continuous diagnostic capabilities.
“The overarching goal of CDM is to move the federal government from a check-the-box mentality around cybersecurity to deploying tools to satisfy FISMA Controls, but continuously monitor those tools to make sure they are in place, working, and still relevant,” said Ken Durbin, Continuous Monitoring and Cyber Security Practice Manager, Symantec. “They want to go from a manual three-year process to an automated 72-hour process, cutting down on the time it takes to discover events and remediate them.”
CDM defines 15 Functional Areas, which will be rolled out in three phases. Phase 1, which focuses on foundational security such as protecting hardware and software, is already underway. Agencies are now waiting for the Phase 2 RFP. Phase 2 focuses on least privilege and infrastructure integrity. DHS has defined the following Functional Areas for Phase 2:
- FA-5 Manage Network Access Controls: gives an agency the ability to remove and limit unauthorized network access, preventing attackers from reaching data at rest or in motion.
- FA-6 Manage Trust in People Granted Access: prevents insider attacks by screening new and existing individuals who have access to the network.
- FA-7 Manage Security-related Behavior: prevents general users from taking unnecessary risks that allow attackers to succeed with social engineering attacks.
- FA-8 Manage Credentials and Authentication: manages the credentials used to access networks; proper credential management reduces hijacking and unauthorized use of logins and passwords.
- FA-9 Manage Account Access/Manage Privileges: limits unneeded accounts to reduce the risk of access to unauthorized data.
Phase 3 will help agencies deploy boundary protection and event management tools. “Phase three is where it all comes together. You have sensors that are deployed to cover physical assets, human assets and data assets. Those sensors are going to generate mountains of data, which need to be aggregated so you can analyze it and do true Risk Management. Find events and remediate those events based on the Risk to the IT System. That’s the desired end state of CDM,” said Durbin.
“Then there’s the whole concept of the CDM dashboard. Sensor data will be used at the department/agency level for their own dashboards, but ultimately that data will be funneled up to a master DHS dashboard. It will be interesting to see how effective it’s going to be and if it will be timely enough to do the trend/risk analysis they are anticipating they will be able to do. DHS wants the ability to detect a threat in one part of the .gov network so they can alert the rest of the .gov domain to inform them of the threat so they can protect against it,” said Durbin.
To meet these controls, agencies will have to deploy new IT solutions. Recognizing that many agencies’ budgets are already spread thin, the General Services Administration (GSA) and DHS have created a blanket purchase agreement (BPA) to help agencies adopt continuous diagnostics and mitigation solutions. The BPA has a $6 billion ceiling over five years to support the CDM program.
Agencies can leverage the BPA and DHS funding to adopt Phase 2, and Durbin shared some further insights on how organizations can prepare. “I was on a panel a couple weeks ago with several Federal C-Level executives, and they brought up a good point,” he said. “If you have an urgent requirement that Phase 2 is going to satisfy, don’t wait for DHS. Find the budget to fund it and do it now. I thought that was a really good point. It’s understandable why an Agency would want to wait for CDM Phase 2 and DHS’s money, but it’s irresponsible if you have an immediate requirement and you need to address it.”
Although DHS has not yet released the final requirements for CDM Phase 2, Durbin believes that Data Loss Prevention (DLP) solutions will be an important part of it. DLP helps organizations discover, monitor, protect and manage confidential data wherever that data is stored, across all endpoints, devices, networks and storage systems.
“You can’t protect the Confidentiality, Availability & Integrity (CIA) of an IT System if you can’t protect the data itself. Symantec has several industry-leading tools that are going to come into play for Phase 2. Those tools will help protect the CIA of our customers’ IT Systems and will ultimately help the civilian market satisfy the requirements of Phase 2,” said Durbin.
CDM comes at an important time for civilian agencies. As attacks have diversified and become more complex, agencies can no longer wait weeks or months to react to incidents; they must act within minutes to combat attacks.