Will CDM finally be ‘the realization of IT security’?
Tools and services are being chosen for Phase 2 of the Continuous Diagnostics and Mitigation program, which security watchers say could be a revolutionary step in how the government protects its information.
For more than a decade, the federal government has been moving from a periodic, compliance-based approach to IT security to real-time awareness based on the continuous monitoring of IT systems and networks.
While progress has been spotty so far, some security watchers say Phase 2 of the Homeland Security Department’s Continuous Diagnostics and Mitigation program, expected to be implemented in 2015, could be a major step forward.
Jeff Wagner, director of security operations for the Office of Personnel Management, said Phase 2 could be “the realization of IT security.”
“I’m happy with the CDM program,” Wagner said. “It’s moving us away from the old generation of defense in depth to a new generation of seeing attacks as they occur.”
The next phase of CDM, called Least Privilege and Infrastructure Integrity, focuses on managing identity and access to resources and puts a premium on being able to see and control what is going on in a system. This can enable effective real-time response.
“This phase could be transformative, rather than evolutionary,” said Ken Ammon, chief strategy officer of Xceedium, which provides access control technology.
Phase 1 of the CDM program, which focused on endpoint security, went into effect in 2013. The next phase reflects the new reality of IT security in which perimeter defenses have been recognized as inadequate and breaches as inevitable. This puts a premium on monitoring and controlling behavior inside systems and networks.
Phase 2 of CDM will not require forklift upgrades of systems, and the tools and services needed will be available under a blanket purchase agreement with steep volume discounts for agencies. But it will require a standardized approach that will enable automated functions and improve communication among siloed systems.
The CDM program is a part of the implementation of the Federal Information Security Management Act, which has for years been mired in regulatory compliance.
CDM is enabling the government’s orderly but critical move to continuous monitoring and better real-time visibility. It provides off-the-shelf technology to agencies in the .gov domain to conduct risk-based cybersecurity based on ongoing assessments of conditions and activity.
The program specifies 15 monitoring capabilities, which can be performed by agency sensors or provided as a service. Sensors will feed data into local agency dashboards, allowing managers to prioritize risks based on standardized and weighted scores and to document and track actions. Summary information is fed into enterprise-level dashboards and eventually to a DHS dashboard.
A blanket purchase agreement was awarded in August 2013 to 17 companies, each with multiple partners, to cover endpoint management in the first phase of CDM. Capabilities available in Phase 1 are hardware and software asset management, configuration management and vulnerability management.
The capabilities for Phase 2 are:
- Access control management
- Security-related behavior management
- Credentials and authentication management
- Privileges
- Boundary protection, including network, physical and virtual components.
A request for information was sent in April to CDM suppliers to identify products for Phase 2, and products now are being evaluated for inclusion in the BPA, which is expected to be updated in 2015 to make approved products and services available.
Because products in the CDM program are off-the-shelf, Phase 2 will not involve any radical new capabilities. It is intended to deliver a standard set of tools and services to provide better understanding and control of who is accessing resources and what they are doing. Systems and administrators will learn what normal behavior entails on their networks, and this will in turn allow them to identify and respond to abnormal and malicious activity.
Although perimeter defenses are not being abandoned, years of successful breaches have made it clear that they are not adequate defenses. The new reality in IT security is that breaches are inevitable, and the ability to monitor and control behavior through improved identity management and access control will allow intrusions to be more quickly identified and more effectively addressed.
OPM’s Wagner calls CDM Phase 2 “a sign that the federal government finally is taking FISMA seriously.”
Attaining better security is not about developing new technology, he said. “The PIV card is a perfect example.” It has been around for 10 years to provide interoperable, strong multi-factor authentication, but is not being widely used. Requiring the use of a suite of proven, off-the-shelf tools available at affordable prices will ensure that the technology is put to use, not on a shelf.