The uncertain marriage of CDM and FedRAMP

Matthew Goodrich

FedRAMP Director Matthew Goodrich said there are legal, policy and privacy implications for mixing government and private-sector data in a single dashboard.

The federal government has gone all in on continuous diagnostics and mitigation, a wide-ranging and ambitious program to guard agency networks against cyber threats. Run by the Department of Homeland Security, the program aims to address 15 types of continuous diagnostics and pairs a dedicated acquisition vehicle with expert guidance and even DHS dollars for agencies seeking to improve their monitoring.

The first phase, which focuses on endpoint device security, has drawn widespread agency interest, and network managers who have implemented CDM have said the system of dashboards provides a revealing view of vulnerabilities -- many of which had gone unnoticed under previous monitoring regimes.

A big question looms over the future of CDM, however: Can the program accommodate agencies' increasing demand for cloud computing and the Federal Risk and Authorization Management Program (FedRAMP) that was designed to accelerate the shift to the cloud?

Why it matters

It is a truism that bears repeating: Malicious cyber threats to federal networks are a clear and present danger. In recent months, a series of cyberattacks has hit agencies ranging from the Office of Personnel Management to the State Department.

And although the structures and scopes differ greatly, CDM and FedRAMP share a broad goal: to use a standardized and repeatable security process to make damaging intrusions to federal networks significantly less likely. But absent a clear road map for coordinating the two initiatives, agencies risk adding compliance hoop-jumping and unnecessary complexity to their cloud security efforts when the goal is to streamline and focus on risk.

Next steps

The extent to which the Continuous Diagnostics and Mitigation program can benefit from industry-provided cloud services depends on clearing up some ambiguities, vendors say.

Ken Durbin, manager of Symantec's Continuous Monitoring and Cybersecurity Practice, said it might take time for industry and government to get on the same page when it comes to CDM and the cloud.

"I have a concern that [the Department of Homeland Security and General Services Administration] may be assuming that vendors have products teed up, ready to go, to be delivered as a service," he said in an interview. "They may or may not, depending on how 'as a service' is defined."

If DHS were to publish its vision of "as a service" for industry feedback, the two sides could come closer together, he added.

When it began, "the CDM program didn't really come out with [the cloud] as part of its thought process," said Ken Ammon, chief strategy officer at Xceedium. "They started that process before cloud and FedRAMP really had moved forward."

Ammon said that if a product is already deployed through the CDM contract vehicle, there is no way to price additional cloud-computing capacity into the contract. As a result, vendors have so far not "been able to bring their cloud security components to the [CDM] vehicle."

"The biggest challenge that I've seen -- considering that both [programs] are supposed to be advancing security -- is that the buyers of FedRAMP-approved services still, I think, have a huge gap in their understanding of what their responsibilities are and will continue to be when implementing and utilizing those cloud services," he added.

One of the next signals from government to industry on CDM and the cloud might come from the National Institute of Standards and Technology. It is developing a Cloud Risk Management Framework that will offer detailed guidance on the security risks posed by cloud computing.

Although the guidance might not specifically mention CDM, its language covering the broader topic of "continuous monitoring" would apply to CDM, said Kelley Dempsey, a senior information security specialist at NIST.

The agency generally likes to keep its guidance broad rather than issuing technology-specific documents, but the multitude of applications for cloud computing prompted NIST to develop cloud-specific guidance, which will probably be released by the end of the summer, she said.

-- Sean Lyngaas

The fundamentals

At the core of CDM is a contract vehicle that currently involves blanket purchase agreements with 17 vendors for a wide range of equipment, consulting and other services that contribute to a holistic view of network vulnerabilities. It provides agencies with a means not only to meet the continuous monitoring mandates that are part of the Federal Information Security Management Act, but also to move beyond compliance-driven monitoring to the truly dynamic and risk-based approach demanded by a November 2013 Office of Management and Budget policy memo.

FedRAMP is based in the General Services Administration and steered by GSA, DHS and the Defense Department. The program mandates agencies' adoption of common cloud security standards and seeks to streamline that process by reusing the costly assessments and authorizations of various cloud services. It, too, is mandatory for all agencies, thanks to OMB's December 2011 directive, and it has continuous monitoring provisions of its own. But integration with CDM is not explicitly part of the framework.

Key challenges

The first hurdle in the marriage between FedRAMP and CDM is a fundamental one: The latter's complex structure, which includes a phased model for agency rollouts and types of monitoring, makes wedding it to FedRAMP no easy task.

Officially, all agency cloud projects are now supposed to be FedRAMP-compliant (though there is no clear penalty for missing the June 2014 deadline). CDM is still barely into the second of its three phases. Attention shifted to key components such as access control, credentials and boundary protection -- all integral to FedRAMP's requirements -- only last summer.

FedRAMP, meanwhile, also continues to evolve. A draft baseline for cloud computing systems that require security at FISMA's high-impact level was released on Jan. 27, and better continuous monitoring is one of nine strategic goals in the two-year road map that FedRAMP Director Matthew Goodrich outlined at a Jan. 22 event sponsored by FCW.

The continuous monitoring that is currently part of FedRAMP is good, Goodrich said, adding, "I think it's solid. But it's largely compliance-based. I'd like to make it more risk-based."

GSA officials see FedRAMP and CDM as largely compatible. The two programs "already align programmatically and will continue to grow strategically in the same path to move continuous diagnostics and mitigation programs to the cloud," a GSA spokesperson told FCW via email. "Privacy concerns prevent a complete marriage between the two, but [do] not impede progress."

Just what are those privacy concerns? Goodrich said the union of FedRAMP and CDM means dealing with blurred lines between government and private-sector assets. "When you're looking at rolling up reporting into a dashboard with government data, there are a lot of legal and policy and privacy implications for that for private-sector companies versus government assets," he told FCW.

According to Nick Son, Coalfire Public Sector's managing director for technology advisory and assessment services, FedRAMP and CDM are definitely converging. "It's really about the data input," Son said. "We need to make sure that the monitoring information [FedRAMP requires] is formatted and standardized" so that it can flow into the CDM program.

There is also the small matter of scale. As Tom DeBiase, chief information security officer at DHS' Immigration and Customs Enforcement, said in October, when his agency took inventory of endpoint devices for CDM's first phase, "we had a lot more technology than we realized."

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.

Reader comments

Tue, Mar 29, 2016

That BPA was finalized before CDM's requirements. What's that tell you?

Fri, Mar 6, 2015 Michael St.Onge Virginia

This is a well-written article. Thank you!

Thu, Mar 5, 2015

FedRamp should be run out of DHS. GSA's focus and needed attention needs to be contracting and real estate.
