CDM: The evolution of continuous monitoring

The federal government has a vested interest in persuading government agencies and contractors to adopt a continuous monitoring-based approach to cybersecurity.

That’s the premise of the Continuous Diagnostics and Mitigation (CDM) program, through which the Department of Homeland Security and the General Services Administration are working together to offer a broad array of CDM-related products to federal, state and local agencies, as well as the defense industrial base.

This cross-sector approach reflects the fact that the public sector environment is increasingly interconnected, as federal agencies often exchange information with each other and with agencies at the state and local level.

“While increased connectivity has transformed and improved access to government, it also has increased the importance and complexity of our shared risk,” said Suzanne Spaulding, DHS Deputy Under Secretary for the National Protection and Programs Directorate, writing on the department’s blog.

The joint DHS-GSA initiative is an effort to close those gaps by giving agencies and contractors access to best-in-class continuous monitoring tools at best-in-market prices through a series of blanket purchase agreements awarded and managed by GSA (see sidebar). GSA will administer the BPAs, while DHS will ensure that the implementation of CDM meets the necessary cybersecurity requirements.

Security experts leave no doubt: The discipline of continuous monitoring, if fully embraced, will improve the security of agency systems and networks. In a traditional compliance-based approach, agencies certify the security of their systems according to a preset schedule. While certification has its benefits, such an approach leaves agencies vulnerable to new and emerging threats.

Continuous monitoring, on the other hand, provides a steady flow of security data that enables agencies to identify and mitigate threats quickly and efficiently. Under the CDM program that data will be fed into an agency-level dashboard that will alert cybersecurity managers to potential risks.

The National Institute of Standards and Technology has identified continuous monitoring as a vital part of any risk management process, particularly given the speed with which new cyber threats are emerging.

“Information security is a dynamic process that must be effectively and proactively managed for an organization to identify and respond to new vulnerabilities, evolving threats and an organization’s constantly changing enterprise architecture and operational environment,” NIST officials wrote in Special Publication 800-137, which provides agencies with guidelines for continuous monitoring.

Indeed, case studies have found that continuous monitoring can result in an 89 percent reduction in cybersecurity risks after 12 months, according to an October 2012 presentation by John Streufert, director of Federal Network Resilience within the Department of Homeland Security's National Protection and Programs Directorate.

Most agencies have begun adopting continuous monitoring to some degree, but many still have a long way to go. For example, a fiscal 2012 study by the Government Accountability Office found that 10 agencies still were not assessing their security controls on an ongoing basis. And of those agencies that were, some were not in compliance with continuous monitoring guidelines from the National Institute of Standards and Technology and the Office of Management and Budget.

“Until agencies fully implement continuous monitoring programs, the full benefit of having ongoing insight into security control effectiveness will be difficult to achieve,” the GAO report states.

With that in mind, the Office of Management and Budget has set some fast-approaching deadlines for agencies to meet. According to a memo published in November, all agencies are required to develop a continuous monitoring strategy by February 28, 2014, and begin deploying continuous monitoring-related products by May 30.

CDM takes continuous monitoring even further by aggregating security information from all participating agencies and feeding it to a central, federal-level dashboard, which will be managed by the National Cybersecurity and Communications Integration Center at DHS. The more data that is available, the easier it will be to spot risks as they emerge and to give agencies a jump on mitigation.

The CDM program, according to DHS’ Spaulding, “will strengthen cybersecurity across the ‘dot-gov’ domain, improve our cybersecurity posture, and enhance other critical cybersecurity capabilities to thwart advanced, persistent cyber threats in a dynamic threat environment.”

CDM at a Glance

Through the Continuous Diagnostics and Mitigation program, organizations in federal, state and local government and the defense industrial base can buy automated tools for monitoring the state of critical security controls.

The tools will be available through blanket purchase agreements established by the General Services Administration and based on GSA Multiple Award IT Schedule 70 pricing, with tiered discounts available for large quantities.

In August 2013, GSA awarded Continuous Monitoring-as-a-Service BPAs to 17 vendors, covering four categories:

  • Hardware asset management
  • Software asset management
  • Configuration management
  • Vulnerability management

GSA also plans to award BPAs covering 11 other functions:

  • Manage network access controls
  • Manage trust in people granted access
  • Manage security-related behavior
  • Manage credentials and authentication
  • Manage account access
  • Prepare for contingencies and incidents
  • Respond to contingencies and incidents
  • Design and build in requirements, policy and planning
  • Design and build in quality
  • Manage audit information
  • Manage operation security

Source: GSA