President Trump recently signed an executive order that requires that the heads of government agencies be held accountable for managing security risks across their organization. As agencies start putting together action plans to do this, they must be able to identify what those security risks actually are.
This is where the Continuous Diagnostics and Mitigation (CDM) program comes in. CDM establishes a baseline approach for agencies to improve their end-to-end security posture, giving them visibility into where and when security breaches are occurring.
In order to better understand how agencies can start supporting continuous monitoring of their information systems and networks, GovLoop and Tanium, an endpoint and systems management company, brought together cybersecurity experts from across sectors during the recent online training “CDM—What Do We Do Now?”
Mark Bowman, President of On Point Strategies, LLC and a Retired LTG in the U.S. Army; Egon Rinderer, Director of Technical Account Management at Tanium; and Ralph Kahn, Vice President for Federal Sales at Tanium laid out the three phases of CDM and what agencies should focus on moving forward.
Phase one of CDM focuses on endpoint integrity, or knowing what is on the network and managing endpoint configurations and vulnerabilities. “The purpose of phase one was hardware and software asset management, configuration settings management, and vulnerability management,” Kahn explained. The speakers agreed that the best way to see success in phase one is to rid your agency of legacy infrastructure.
The second phase of CDM focuses on least privilege and infrastructure integrity. Its purpose is to know who is on a network and to manage their access privileges and activities. Knowing who is on your agency's network and managing what they are allowed to do reduces the opportunities for outsiders to get past security defenses.
Phase three involves boundary protection and event management, meaning that agencies are actively looking for and responding to intrusion events. “The focus of phase three is what to do when an event happens and the ability of agencies to be prepared for it by detecting and eliminating vulnerabilities and remediating them in seconds,” Kahn said.
Overall, CDM is necessary for agencies to be proactive about their cyber hygiene. However, effectively implementing CDM can be time and labor intensive, making it costly. Kahn emphasized that despite the cost and agency budget restrictions, CDM can work at your agency.
“CDM doesn’t have to be expensive,” he explained. “Take a look at what your agency is doing and don’t assume the status quo by continuing to fund things in the past. Look and see if you are making wise investments and if your software is meeting industry standards.”
Once agencies find a way to work CDM into their current budgets, there are three main things they should focus on moving forward with CDM:
- Get your current capabilities squared away. Rinderer explained that the first thing Tanium does when they start working with a new agency is come in and act as a spotlight on their infrastructure and practices. “By doing this we can identify issues that folks are sometimes a little dubious about,” he said. “Our goal is to not come in and start displacing things, but we want to get everything squared away in your infrastructures and systems so they are working reliably and without vulnerabilities and you can get the most out of them.”
- Reassess your patch policy. The current patch policy in government comes out of the private sector and gives agencies 21 days to get patches installed. “However, during that 21-day period, you are yielding the advantage to the enemy 100 percent of the time because they can get into your network and cause problems,” Bowman explained. Instead, he recommends taking an accelerated approach to patch management: patch quickly and then fix whatever does not work with the patch, rather than spending a couple of weeks fully testing the patch before deploying it.
- Don’t forget the leadership. In addition to the technical aspects of implementing an effective CDM policy, it is also important to get leadership buy-in. “One of our best practices was leveraging leadership buy-in,” Bowman said. “We need to be able, as leaders, to put these patches in and, if we knock some things down, say ‘oops’ and get back up.” Without leadership support, agencies won’t be able to adjust their patch management practices.