CDM: Only part of the continuous monitoring picture

Without a doubt, the Continuous Diagnostics and Mitigation program has the potential to raise the cybersecurity posture across the government by giving agencies easy access to tools that support their continuous monitoring efforts.

But to realize the full potential of the program, agencies must understand what CDM can do for them — and what it can’t.

The benefits are clear. In developing CDM, the Department of Homeland Security (DHS) has identified 15 functional areas that are essential to continuous monitoring and improving cyber security. DHS worked with the General Services Administration (GSA) to offer tools to automate those functions via the Continuous Monitoring-as-a-Service (CMaaS) blanket purchase agreements.

However, agencies should not view CDM as a wholesale replacement of NIST 800-53 Rev4. CDM’s 15 functional areas are essential to continuous monitoring — indeed, they fit squarely within the Continuous Asset Evaluation, Situational Awareness and Risk Scoring (CAESARS) framework developed by DHS — but they fall short of encompassing the breadth of continuous monitoring.

Agencies need to realize that CDM is “complementary to continuous monitoring, but it is not a wholesale replacement of it,” said Ken Durbin, the continuous monitoring cybersecurity practice manager for Symantec Public Sector, one of the vendors with products available on the CMaaS BPAs.

In fact, the National Institute of Standards and Technology identifies hundreds of controls that agencies need to deploy, depending on whether the system is classified as a FISMA low, medium or high security risk under the Federal Information Security Management Act (see NIST Special Publication 800-53).

Some view 800-53’s comprehensive approach not as its greatest strength but, from an IT manager’s perspective, as its biggest obstacle.

“People view the process as daunting and overwhelming, and think, I can’t do that,” Durbin said. That is why some IT managers have embraced the SANS Institute’s Consensus Audit Guidelines, which identify the 20 most critical controls for cybersecurity. DHS simplified it further through CDM, focusing on 15 “functional areas.”

“CDM certainly provides a good starting point for agencies looking to embrace continuous monitoring,” Durbin said.

The first four functional areas — the focus of the initial round of contract awards — cover hardware inventory management, software inventory management, configuration management and vulnerability management.

“The first four functional areas are based on the concept that you can’t protect what you can’t see,” said Durbin.

Here is how they work:

  • Functional areas 1 and 2 discover all hardware and software assets in the network.
  • Functional area 3 scans the assets to verify they’re properly configured.
  • Functional area 4 then scans the assets to detect known vulnerabilities.
  • DHS has set a goal of running this process once every 72 hours.

“There are studies that claim this methodology will stop 85 percent of cyber-attacks,” Durbin said. “So if you do those four, and do them very well, you can’t help but improve your cybersecurity posture.”

But there is no escaping the fact that agencies are still required — by federal policy and because it makes sense — to comply with the broader requirements for continuous monitoring spelled out in FISMA and the NIST guidelines.

Durbin’s advice: Embrace CDM and the budget relief it offers, but recognize you still need to satisfy FISMA requirements.

Tool check

Keeping that in mind, agencies would be well advised to think carefully about the tools they use for continuous monitoring.

In theory, CDM offers a simple proposition: If agencies need tools, they can work with DHS to get them through CDM at considerable discounts off GSA Schedule pricing. And if they already have the tools they need, they can expand their licensing agreements, again at a discount.

But Durbin recommends that IT managers take a more strategic approach. Ultimately, the short-term goal is to provide tools to improve cybersecurity, but the long-term goal is to automate FISMA requirements for continuous monitoring and ongoing authorization.

“It’s keeping CDM in mind as a part of a bigger picture,” said Durbin.

A key concern is data aggregation. Every CDM functional area tool will produce data that agencies can use to monitor the security of their systems. But as part of ongoing authorization under FISMA, they need to use that data to show compliance with FISMA controls.

Additionally, as part of CDM, they will need to feed that data into dashboards, both within their own agencies and at DHS. If IT managers do not choose their tools carefully, they could end up with a treasure trove of data but with no ability to mine it.

“Data aggregation and normalization is one of the under-talked about issues here,” Durbin said.
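To make the two points above concrete (the four-step discover/configure/scan cycle with its 72-hour goal, and the need to aggregate and normalize the resulting data so it can be mapped to controls), here is a small added example. It is not code from the article, from DHS or from any CMaaS vendor. It models two hypothetical tools that report in different shapes, normalizes their output into one record per asset, flags assets that have not been assessed within 72 hours, and rolls findings up to an NIST SP 800-53 control. The tool record formats, the sample data and the functional-area-to-control mapping are all assumptions constructed for this example.

```python
"""Toy CDM-style aggregation pipeline (constructed example, not a real product).

Two hypothetical tools report in different shapes; the pipeline normalizes them
into one schema, flags assets not assessed within DHS's 72-hour goal, and rolls
each finding up to an NIST SP 800-53 control so the same data can serve both a
CDM dashboard and FISMA ongoing authorization.
"""
from datetime import datetime, timedelta, timezone

SCAN_CADENCE = timedelta(hours=72)  # DHS goal for the discover/scan cycle

# Functional area -> 800-53 control used to evidence it (an assumed mapping).
AREA_TO_CONTROL = {
    "hw_inventory": "CM-8",   # Information System Component Inventory
    "sw_inventory": "CM-8",
    "configuration": "CM-6",  # Configuration Settings
    "vulnerability": "RA-5",  # Vulnerability Scanning
}

# Constructed sample output from two hypothetical tools, in their native shapes.
INVENTORY_TOOL_OUTPUT = [
    {"host": "ws-001", "ip": "10.0.0.5", "os": "Windows 10",
     "seen": "2014-03-01T08:00:00Z", "packages": ["Office 2013", "Java 7u51"]},
    {"host": "srv-db1", "ip": "10.0.1.20", "os": "RHEL 6",
     "seen": "2014-02-20T02:00:00Z", "packages": ["PostgreSQL 9.2"]},
]
SCANNER_TOOL_OUTPUT = [
    {"asset": "10.0.0.5", "type": "vuln", "id": "VULN-PLACEHOLDER-1",
     "severity": "high", "timestamp": "2014-03-01T09:30:00Z"},
    {"asset": "10.0.0.5", "type": "config", "id": "password-min-length",
     "severity": "medium", "timestamp": "2014-03-01T09:30:00Z"},
    {"asset": "10.0.1.20", "type": "vuln", "id": "VULN-PLACEHOLDER-2",
     "severity": "critical", "timestamp": "2014-02-20T03:00:00Z"},
]


def _parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps both tools emit into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(inventory_rows, scanner_rows):
    """Merge both tools into one record per asset, keyed by IP address."""
    assets = {}
    for row in inventory_rows:  # functional areas 1 and 2: what exists
        assets[row["ip"]] = {
            "host": row["host"], "os": row["os"],
            "software": list(row["packages"]),
            "last_seen": _parse_ts(row["seen"]),
            "findings": [],
        }
    area_for_type = {"vuln": "vulnerability", "config": "configuration"}
    for row in scanner_rows:    # functional areas 3 and 4: how it is doing
        asset = assets.get(row["asset"])
        if asset is None:
            # The scanner saw something inventory did not: a gap in areas 1-2.
            asset = assets.setdefault(row["asset"], {
                "host": None, "os": None, "software": [],
                "last_seen": None, "findings": []})
        asset["findings"].append({
            "area": area_for_type[row["type"]],
            "id": row["id"], "severity": row["severity"],
            "observed": _parse_ts(row["timestamp"]),
        })
    return assets


def stale_assets(assets, now):
    """IPs whose newest inventory sighting or scan is older than 72 hours."""
    stale = []
    for ip, a in assets.items():
        times = [f["observed"] for f in a["findings"]]
        if a["last_seen"] is not None:
            times.append(a["last_seen"])
        if not times or now - max(times) > SCAN_CADENCE:
            stale.append(ip)
    return sorted(stale)


def control_rollup(assets):
    """Count findings per 800-53 control; an un-inventoried asset counts against CM-8."""
    counts = {c: 0 for c in set(AREA_TO_CONTROL.values())}
    for a in assets.values():
        if a["host"] is None:
            counts["CM-8"] += 1
        for f in a["findings"]:
            counts[AREA_TO_CONTROL[f["area"]]] += 1
    return counts


if __name__ == "__main__":
    normalized = normalize(INVENTORY_TOOL_OUTPUT, SCANNER_TOOL_OUTPUT)
    now = _parse_ts("2014-03-02T00:00:00Z")  # constructed "current" time
    print("stale (>72h):", stale_assets(normalized, now))
    print("findings by control:", control_rollup(normalized))
```

The design point is that normalization happens once, at ingest, into a schema that carries the functional area with each finding; after that, the dashboard view (stale assets, severity counts) and the compliance view (counts per control) are just two different rollups over the same records, which is the situation the article says agencies should be planning for when they choose tools.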

As part of CMaaS, Symantec offers its Control Compliance Suite (CCS), which provides tools for the aggregation, analysis and presentation of security data from both Symantec and third-party tools. CCS comes with a controls library, so once the data is aggregated it can be mapped to the appropriate FISMA control to satisfy both compliance and ongoing authorization.

Again, it is important for customers to understand CDM and its scope. It will not serve as a shortcut to a full-fledged continuous monitoring capability. What it will do, though, is provide agencies with access to state-of-the-art technology for putting their continuous monitoring programs into high gear.