Exec Tech

The uncertain marriage of CDM and FedRAMP

Matthew Goodrich

FedRAMP Director Matthew Goodrich said there are legal, policy and privacy implications for mixing government and private-sector data in a single dashboard.

The federal government has gone all in on continuous diagnostics and mitigation, a wide-ranging and ambitious program to guard agency networks against cyber threats. Run by the Department of Homeland Security, the program aims to address 15 types of continuous diagnostics and pairs a dedicated acquisition vehicle with expert guidance and even DHS dollars for agencies seeking to improve their monitoring.

The first phase, which focuses on endpoint device security, has drawn widespread agency interest, and network managers who have implemented CDM have said the system of dashboards provides a revealing view of vulnerabilities -- many of which had gone unnoticed under previous monitoring regimes.

A big question looms over the future of CDM, however: Can the program accommodate agencies' increasing demand for cloud computing and the Federal Risk and Authorization Management Program (FedRAMP) that was designed to accelerate the shift to the cloud?

Why it matters

It is a truism that bears repeating: Malicious cyber threats to federal networks are a clear and present danger. In recent months, a series of cyberattacks have hit agencies ranging from the Office of Personnel Management to the State Department.

And although the structures and scopes differ greatly, CDM and FedRAMP share a broad goal: to use a standardized and repeatable security process to make damaging intrusions to federal networks significantly less likely. But absent a clear road map for coordinating the two initiatives, agencies risk adding compliance hoop-jumping and unnecessary complexity to their cloud security efforts when the goal is to streamline and focus on risk.

Next steps

The extent to which the Continuous Diagnostics and Mitigation program can benefit from industry-provided cloud services depends on clearing up some ambiguities, vendors say.

Ken Durbin, manager of Symantec's Continuous Monitoring and Cybersecurity Practice, said it might take time for industry and government to get on the same page when it comes to CDM and the cloud.

"I have a concern that [the Department of Homeland Security and General Services Administration] may be assuming that vendors have products teed up, ready to go, to be delivered as a service," he said in an interview. "They may or may not, depending on how 'as a service' is defined."

If DHS were to publish its vision of "as a service" for industry feedback, the two sides could come closer together, he added.

When it began, "the CDM program didn't really come out with [the cloud] as part of its thought process," said Ken Ammon, chief strategy officer at Xceedium. "They started that process before cloud and FedRAMP really had moved forward."

Ammon said that if a product is already deployed through the CDM contract vehicle, there is no way to price additional cloud-computing capacity into the contract. As a result, vendors have so far not "been able to bring their cloud security components to the [CDM] vehicle."

"The biggest challenge that I've seen -- considering that both [programs] are supposed to be advancing security -- is that the buyers of FedRAMP-approved services still, I think, have a huge gap in their understanding of what their responsibilities are and will continue to be when implementing and utilizing those cloud services," he added.

One of the next signals from government to industry on CDM and the cloud might come from the National Institute of Standards and Technology. It is developing a Cloud Risk Management Framework that will offer detailed guidance on the security risks posed by cloud computing.

Although the guidance might not specifically mention CDM, its language covering the broader topic of "continuous monitoring" would apply to CDM, said Kelley Dempsey, a senior information security specialist at NIST.

The agency generally likes to keep its guidance broad rather than issuing technology-specific documents, but the multitude of applications for cloud computing prompted NIST to develop cloud-specific guidance, which will probably be released by the end of the summer, she said.

-- Sean Lyngaas

The fundamentals

At the core of CDM is a contract vehicle that currently involves blanket purchase agreements with 17 vendors for a wide range of equipment and consulting and other services that contribute to a holistic view of network vulnerabilities. It provides agencies with a means to not only meet the continuous monitoring mandates that are part of the Federal Information Security Management Act, but to move beyond compliance-driven monitoring to the truly dynamic and risk-based approach demanded by a November 2013 Office of Management and Budget policy memo.

FedRAMP is based in the General Services Administration and steered by GSA, DHS and the Defense Department. The program mandates agencies' adoption of common cloud security standards and seeks to streamline that process by reusing the costly assessments and authorizations of various cloud services. It, too, is mandatory for all agencies, thanks to OMB's December 2011 directive, and it has continuous monitoring provisions of its own. But integration with CDM is not explicitly part of the framework.

Key challenges

The first hurdle in the marriage between FedRAMP and CDM is a fundamental one: The latter's complex structure, which includes a phased model for agency rollouts and types of monitoring, makes wedding it to FedRAMP no easy task.

Officially, all agency cloud projects are now supposed to be FedRAMP-compliant (though there is no clear penalty for missing the June 2014 deadline). CDM is still barely into the second of its three phases. Attention shifted to key components such as access control, credentials and boundary protection -- all integral to FedRAMP's requirements -- only last summer.

FedRAMP, meanwhile, also continues to evolve. A draft baseline for cloud computing systems that require security at FISMA's high-impact level was released on Jan. 27, and better continuous monitoring is one of nine strategic goals in the two-year road map that FedRAMP Director Matthew Goodrich outlined at a Jan. 22 event sponsored by FCW.

The continuous monitoring that is currently part of FedRAMP is good, Goodrich said, adding, "I think it's solid. But it's largely compliance-based. I'd like to make it more risk-based."

GSA officials see FedRAMP and CDM as largely compatible. The two programs "already align programmatically and will continue to grow strategically in the same path to move continuous diagnostics and mitigation programs to the cloud," a GSA spokesperson told FCW via email. "Privacy concerns prevent a complete marriage between the two, but [do] not impede progress."

Just what are those privacy concerns? Goodrich said the union of FedRAMP and CDM means dealing with blurred lines between government and private-sector assets. "When you're looking at rolling up reporting into a dashboard with government data, there are a lot of legal and policy and privacy implications for that for private-sector companies versus government assets," he told FCW.

According to Nick Son, Coalfire Public Sector's managing director for technology advisory and assessment services, FedRAMP and CDM are definitely converging. "It's really about the data input," Son said. "We need to make sure that the monitoring information [FedRAMP requires] is formatted and standardized" so that it can flow into the CDM program.

There is also the small matter of scale. As Tom DeBiase, chief information security officer at DHS' Immigration and Customs Enforcement, said in October, when his agency took inventory of endpoint devices for CDM's first phase, "we had a lot more technology than we realized."

About the Author

Sean Lyngaas is a former FCW staff writer.


  • Workforce
    White House rainbow light shutterstock ID : 1130423963 By zhephotography

    White House rolls out DEIA strategy

    On Tuesday, the Biden administration issued agencies a roadmap to guide their efforts to develop strategic plans for diversity, equity, inclusion and accessibility (DEIA), as required under a as required under a June executive order.

  • Defense
    software (whiteMocca/Shutterstock.com)

    Why DOD is so bad at buying software

    The Defense Department wants to acquire emerging technology faster and more efficiently. But will its latest attempts to streamline its processes be enough?

Stay Connected