The uncertain marriage of CDM and FedRAMP

Two vast risk management programs are gradually converging. How smoothly and quickly they can do so remains an open question.


FedRAMP Director Matthew Goodrich said there are legal, policy and privacy implications for mixing government and private-sector data in a single dashboard.

The federal government has gone all in on continuous diagnostics and mitigation, a wide-ranging and ambitious program to guard agency networks against cyber threats. Run by the Department of Homeland Security, the program covers 15 continuous-diagnostic capability areas and pairs a dedicated acquisition vehicle with expert guidance and even DHS dollars for agencies seeking to improve their monitoring.

The first phase, which focuses on endpoint device security, has drawn widespread agency interest, and network managers who have implemented CDM have said the system of dashboards provides a revealing view of vulnerabilities -- many of which had gone unnoticed under previous monitoring regimes.

A big question looms over the future of CDM, however: Can the program accommodate agencies' increasing demand for cloud computing and the Federal Risk and Authorization Management Program (FedRAMP) that was designed to accelerate the shift to the cloud?

Why it matters

It is a truism that bears repeating: Malicious cyber threats to federal networks are a clear and present danger. In recent months, a series of cyberattacks have hit agencies ranging from the Office of Personnel Management to the State Department.

And although their structures and scopes differ greatly, CDM and FedRAMP share a broad goal: to use a standardized and repeatable security process to make damaging intrusions into federal networks significantly less likely. But absent a clear road map for coordinating the two initiatives, agencies risk adding compliance hoop-jumping and unnecessary complexity to their cloud security efforts when the goal is to streamline and focus on risk.

Next steps

The extent to which the Continuous Diagnostics and Mitigation program can benefit from industry-provided cloud services depends on clearing up some ambiguities, vendors say.

Ken Durbin, manager of Symantec's Continuous Monitoring and Cybersecurity Practice, said it might take time for industry and government to get on the same page when it comes to CDM and the cloud.

"I have a concern that [the Department of Homeland Security and General Services Administration] may be assuming that vendors have products teed up, ready to go, to be delivered as a service," he said in an interview. "They may or may not, depending on how 'as a service' is defined."

If DHS were to publish its vision of "as a service" for industry feedback, the two sides could come closer together, he added.

When it began, "the CDM program didn't really come out with [the cloud] as part of its thought process," said Ken Ammon, chief strategy officer at Xceedium. "They started that process before cloud and FedRAMP really had moved forward."

Ammon said that if a product is already deployed through the CDM contract vehicle, there is no way to price additional cloud-computing capacity into the contract. As a result, vendors have so far not "been able to bring their cloud security components to the [CDM] vehicle."

"The biggest challenge that I've seen -- considering that both [programs] are supposed to be advancing security -- is that the buyers of FedRAMP-approved services still, I think, have a huge gap in their understanding of what their responsibilities are and will continue to be when implementing and utilizing those cloud services," he added.

One of the next signals from government to industry on CDM and the cloud might come from the National Institute of Standards and Technology. It is developing a Cloud Risk Management Framework that will offer detailed guidance on the security risks posed by cloud computing.

Although the guidance might not specifically mention CDM, its language covering the broader topic of "continuous monitoring" would apply to CDM, said Kelley Dempsey, a senior information security specialist at NIST.

The agency generally likes to keep its guidance broad rather than issuing technology-specific documents, but the multitude of applications for cloud computing prompted NIST to develop cloud-specific guidance, which will probably be released by the end of the summer, she said.

-- Sean Lyngaas

The fundamentals

At the core of CDM is a contract vehicle that currently involves blanket purchase agreements with 17 vendors for a wide range of equipment and consulting and other services that contribute to a holistic view of network vulnerabilities. It provides agencies with a means to not only meet the continuous monitoring mandates that are part of the Federal Information Security Management Act, but to move beyond compliance-driven monitoring to the truly dynamic and risk-based approach demanded by a November 2013 Office of Management and Budget policy memo.

FedRAMP is based in the General Services Administration and steered by GSA, DHS and the Defense Department. The program mandates agencies' adoption of common cloud security standards and seeks to streamline that process by reusing the costly assessments and authorizations of various cloud services. It, too, is mandatory for all agencies, thanks to OMB's December 2011 directive, and it has continuous monitoring provisions of its own. But integration with CDM is not explicitly part of the framework.

Key challenges

The first hurdle in the marriage between FedRAMP and CDM is a fundamental one: CDM's complex structure, which includes a phased model both for agency rollouts and for the types of monitoring covered, makes wedding it to FedRAMP no easy task.

Officially, all agency cloud projects are now supposed to be FedRAMP-compliant (though there is no clear penalty for missing the June 2014 deadline). CDM is still barely into the second of its three phases. Attention shifted to key components such as access control, credentials and boundary protection -- all integral to FedRAMP's requirements -- only last summer.

FedRAMP, meanwhile, also continues to evolve. A draft baseline for cloud computing systems that require security at FISMA's high-impact level was released on Jan. 27, and better continuous monitoring is one of nine strategic goals in the two-year road map that FedRAMP Director Matthew Goodrich outlined at a Jan. 22 event sponsored by FCW.

The continuous monitoring that is currently part of FedRAMP is good, Goodrich said, adding, "I think it's solid. But it's largely compliance-based. I'd like to make it more risk-based."

GSA officials see FedRAMP and CDM as largely compatible. The two programs "already align programmatically and will continue to grow strategically in the same path to move continuous diagnostics and mitigation programs to the cloud," a GSA spokesperson told FCW via email. "Privacy concerns prevent a complete marriage between the two, but [do] not impede progress."

Just what are those privacy concerns? Goodrich said the union of FedRAMP and CDM means dealing with blurred lines between government and private-sector assets. "When you're looking at rolling up reporting into a dashboard with government data, there are a lot of legal and policy and privacy implications for that for private-sector companies versus government assets," he told FCW.

According to Nick Son, Coalfire Public Sector's managing director for technology advisory and assessment services, FedRAMP and CDM are definitely converging. "It's really about the data input," Son said. "We need to make sure that the monitoring information [FedRAMP requires] is formatted and standardized" so that it can flow into the CDM program.

There is also the small matter of scale. As Tom DeBiase, chief information security officer at DHS' Immigration and Customs Enforcement, said in October, when his agency took inventory of endpoint devices for CDM's first phase, "we had a lot more technology than we realized."
