What is CDM and Why do you Need it?

Continuous monitoring has long been a staple for organizations looking for ways to track things such as financial and compliance risks more closely. As the sophistication of cyberthreats and the risk of damaging breaches increased, so did the technique's relevance to IT security.

In IT security, continuous monitoring builds on the inherent capability of IT systems to monitor and log network activity and performance. Administrators have used that capability over the years to periodically check the health of their systems and networks, and to pick up anomalies that point to a potential security threat or indicate that a cyberattack may be under way.

Continuous Diagnostics and Mitigation (CDM) takes that several steps further by combining, in an automated way, the ability to dynamically monitor networks and systems and assess their security risks with the ability to quickly identify ways to fix the holes and vulnerabilities found in cyber defenses.

The Office of Management and Budget (OMB) in 2012 made continuous monitoring of federal IT networks one of what are now 15 Cross-Agency Priority (CAP) goals it established to comply with the 2010 Government Performance and Results Modernization Act. Under that goal, Information Security Continuous Monitoring Mitigation (ISCM) is intended to “provide ongoing observation, assessment, analysis and diagnosis of an organization’s cybersecurity: posture, hygiene, and operational readiness.”

The Department of Homeland Security (DHS), in partnership with the General Services Administration, established a formal CDM program as a way to provide agencies with the tools and expertise they would need to implement ISCM. In 2013, 17 companies received awards under a $6 billion, five-year companion continuous-monitoring-as-a-service (CMaaS) blanket purchase agreement (BPA) to deliver diagnostic sensors, tools and dashboards to agencies.

Andy Ozment, assistant secretary of the Office of Cybersecurity and Communications (CS&C) in the DHS’ National Protection and Programs Directorate, told Congress in early 2015 that memoranda of agreement with the CDM program encompass over 97 percent of all federal civilian personnel.

The Defense Department is running its own, separate CDM program.

“By the first quarter of FY 2016, 25 agencies and over 95 percent of all federal civilian personnel will have started deploying CDM tools provided by DHS,” Ozment said, “(and) the agency-level dashboards will begin deployment in FY 2015.”

These agency-level dashboards will also feed information to a federal dashboard that the DHS will use to gauge government-wide cyber risk, as well as the progress agencies are making in tackling and reducing risks. The federal dashboard is expected to be fully operational in FY 2017, Ozment said.

Though a measure of continuous monitoring has been used by government organizations for some time, CDM looks to take that much further with its automated risk and technical assessments. It will also look beyond devices and operating systems to include monitoring of application-layer vulnerabilities, which is essential these days because some of the more damaging cyberthreats exploit errors in software.

As well as the improvements the CDM program itself is expected to bring, the DHS is also touting its ability to complement other major security programs such as the National Cybersecurity Protection System, otherwise known as EINSTEIN. EINSTEIN is an integrated intrusion detection, analysis, information sharing and intrusion prevention system used to provide perimeter defense for government networks; CDM is meant to complement it by giving agencies visibility inside the perimeter.

The DHS also believes the program will make it easier for agency systems administrators to fulfill the security requirements set out in OMB Circular A-130, and to implement NIST guidelines on continuous monitoring.