Ready to move continuous monitoring to the cloud?

 

Connecting state and local government leaders

Agencies can ease the transition to cloud-based CDM by ensuring they have the appropriate FIPS 199 alignment, legal requirements, contract considerations, technical compatibilities and experience.

Agencies are headed to the cloud, but security and ensuring that the requirements of Continuous Diagnostics and Mitigation (CDM) program can be met are challenging areas that can slow down cloud adoption.

Since agencies are required to look to the cloud first for services, why not seek out cloud CDM providers?

 In fact, agencies are considering the use of cloud CDM providers, but they must first determine the types of assurances they  need to guarantee that the CDM provider does not breach vulnerability information. So, what are the options, and do CDM services exist that are available for agencies to try at little or no cost?

Cloud providers in general are required to provide evidence of their compliance with the Federal Information Security Management Act (FISMA) and the National Institute of Standards and Technology regs, as well as the supplementary security and privacy controls through the Federal Risk and Authorization Management Program (FedRAMP). As part of this process, the cloud provider is expected to have features consistent with the continuous monitoring capabilities described in the FedRAMP controls and compatible with the purchasing agency’s CDM program.

What happens if an agency selects a CDM provider that offers services through the “cloud?”

According to FedRAMP, the service would most likely qualify as a software-as-a-service (SaaS) offering, since vulnerability scanning tools, inventory tools and configuration management tools are all software at their core.  A cloud service would simply provide the scanning and issue the results through a web browser. This means a CDM cloud provider would be expected to adhere to FedRAMP and go through the identical process as any other SaaS provider.  A Third Party Assessment Organization (3PAO) would be expected to perform a full assessment, and the cloud CDM provider would be expected to perform continuous monitoring of its own assets and report the information to the agency (in addition to the information about the agency assets being scanned).

But there is a major issue facing agencies that consider a cloud-based security services provider. FedRAMP, in its present form, is only designed for information systems at the FIPS 199 low and moderate impact ratings, or for those systems whose compromise would have only “limited” or “serious” effects. This means if an agency has FIPS 199 high impact systems (ones whose compromise would have severe or catastrophic adverse effects), the cloud-based CDM provider could not scan those systems as it is not protected sufficiently to process or store vulnerability information about high impact systems. This may pose an interesting and complicated set of choices for agencies.

Agencies may either assess and authorize the cloud provider under the traditional process, described in NIST special publication 800-37 and 800-137, or only use the cloud-based CDM provider for moderate and low impact systems. The process of authorizing high impact systems is extremely challenging for an in-house system and can become complex and arduous when using an outsourced provider. Conversely, building a separate CDM infrastructure for high impact systems while using a cloud provider for moderate and low systems doesn’t make much sense either.

Assuming the cloud-based service provider can meet the agency’s FIPS 199 levels, the next question relates to cloud-to-cloud interactions. As one cloud provider will be scanning and testing another, the agency must ensure that sufficient contract language is included for both the CDM cloud provider and the clouds being monitored by the CDM cloud.

The CDM cloud provider should be insured in the event it causes downtime to a target cloud provider. The agency must then make certain that it has sufficient requirements in its contracts to ensure that the cloud providers can accept CDM from any agency-sponsored CDM cloud provider.

Once the FedRAMP, FIPS-199 and legal considerations are met, agencies can start looking at the interoperability and reporting challenges of using a cloud-based CDM provider. Agencies report information to DHS and OMB through CyberScope and the OMB MAX portal, the majority of which is submitted in a Security Content Automation Protocol (SCAP) or Lightweight Asset Summary Results Schema (LASR) format for consistency.

The agency must ensure it has a consistent format that is mandated across its cloud providers and its cloud-based CDM providers. It must also consider how it is going to aggregate information from various sources such as the cloud-based CDM provider, agency-based tools and possibly the self-attestation reports from cloud providers. These feeds must be combined with consistent analysis for vulnerability, impact, likelihood and threats to ensure that the highest risks are treated quickly.

The Department of Homeland Security has started a “cyber hygiene” program which, in its infancy, performs vulnerability scanning of external assets based on a schedule determined by DHS and the agency. These reports are delivered via secure format to the agency for analysis and remediation. Agencies interested in using a CDM cloud service should consider starting with DHS’ cyber hygiene program to get a feel for what types of tools, technology and contractual challenges may be ahead when engaging the services of a cloud-based CDM provider. DHS needs to ensure that cloud-based CDM offerings are included in its blanket purchase agreement for CDM tools and services.

Agencies stand to gain great efficiencies and cost savings through the adoption of cloud.  CDM offered through the cloud holds great promise as well, but holds great risks if not performed correctly.  Agencies can ease the transition by ensuring they have the appropriate FIPS 199 alignment, legal requirements, contract considerations, technical compatibilities and experience prior to engaging the services of a cloud-based CDM. DHS’ cyber hygiene program provides an excellent opportunity for agencies to experiment with a cloud-like CDM provider at little to no cost. From there, agencies will be in a better position to determine what cloud-based CDM providers would look like on the CDM tools BPA, and how they can best acquire them.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.