CDM Could be a Game-changer

It’s not as if most government agencies don’t already have at least some IT security in place. However, depending on the time and resources each can devote, security can sometimes be more of a patchwork affair that provides uncertain protection. Will CDM change that?

DHS set the CDM program up to be implemented in three distinct phases, each broadening the goals that must be met:

  1. Endpoint integrity: This phase is scoped to the local computing environment and focuses on identifying and managing agency hardware and software assets, listing known vulnerabilities and malware, and managing device configuration.
  2. Least privilege and infrastructure integrity: This phase is focused more on the people in the environment, on managing their account and network privileges, and on managing the configuration of network infrastructure devices and services.
  3. Boundary protection and event management: This phase encompasses such things as event detection and response, encryption, remote access management and access control, and is aimed at ensuring security is built into networks rather than added on later as an afterthought.

The first phase, which is basically about vulnerability scanning and knowing what’s on the network, should be a no-brainer for most agencies since that’s the fundamental baseline for any security plan. However, in a survey it conducted in 2014, the SANS Institute found that less than 21 percent of federal government respondents said they had completed a formal gap assessment prior to starting the program.

When SANS asked people to rate the difficulty they faced in classifying assets as a part of their assessments, the most concern was for differentiating between unmanaged and managed, and authorized and unauthorized, devices connecting to the network. Several products offered under the CDM program can play a key role in addressing this area, SANS said.

The second phase, however, may be of the most immediate interest to agencies since it focuses on managing privileged access to networks and data, which speaks to the insider threats involved with such incidents as the Snowden and WikiLeaks breaches, as well as more mundane issues of data leakage over insecure network links.

It should also help with one of the biggest current threats, the theft of network credentials from agency users or, increasingly, from outside business partners such as government integrators who are given access to agency networks.

Agency-level dashboards could also be transformative for security, but that will depend on how well they are implemented. Most agencies are already familiar with dashboards for other uses, but those used for CDM will have to carry more specific information. It won’t be enough to simply give the number of vulnerabilities found and that haven’t been patched; agencies will have to know the risk of each so they can prioritize which systems are fixed first.
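To illustrate the dashboard point, here is an added example (not code from the article, DHS or the CDM program) that ranks hosts by aggregate risk instead of by raw finding count; the host names, vulnerability ids, scores and weighting factors are constructed assumptions, and a host that the scanner reports but the inventory does not know is surfaced as a Phase 1 asset-management gap rather than dropped.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str        # placeholder ids, not real CVE numbers
    severity: float     # CVSS-style base score, 0.0-10.0
    exploit_known: bool


# Constructed asset context a dashboard needs beyond the scan itself:
# business criticality (1-5) and whether the host is reachable from the internet.
ASSETS = {
    "web-01":   {"criticality": 5, "exposed": True},
    "build-07": {"criticality": 2, "exposed": False},
    "kiosk-03": {"criticality": 1, "exposed": False},
}
# A host with findings but no inventory record is itself a Phase 1 gap;
# score it conservatively (assumed defaults) instead of hiding it.
UNKNOWN_ASSET = {"criticality": 3, "exposed": True}

# Constructed scan output: one critical hit on web-01, six mediums on build-07.
FINDINGS = [Finding("web-01", "VULN-A", 9.8, True)]
FINDINGS += [Finding("build-07", f"VULN-B{i}", 5.3, False) for i in range(6)]
FINDINGS += [Finding("kiosk-03", "VULN-C", 7.5, False), Finding("kiosk-03", "VULN-D", 7.5, False)]
FINDINGS += [Finding("lab-99", "VULN-E", 6.0, False)]   # not in ASSETS


def finding_risk(f, asset):
    """Severity scaled by known exploitability, exposure and asset criticality (assumed weights)."""
    score = f.severity / 10.0
    if f.exploit_known:
        score *= 1.5
    if asset["exposed"]:
        score *= 2.0
    return score * asset["criticality"]


def count_by_host(findings):
    """The naive dashboard metric: unpatched findings per host, most first."""
    return Counter(f.host for f in findings).most_common()


def rank_by_risk(findings, assets):
    """Aggregate risk per host, highest first: what decides which system is fixed first."""
    totals = {}
    for f in findings:
        asset = assets.get(f.host, UNKNOWN_ASSET)
        totals[f.host] = totals.get(f.host, 0.0) + finding_risk(f, asset)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def unknown_hosts(findings, assets):
    """Hosts seen by the scanner but missing from the asset inventory."""
    return sorted({f.host for f in findings if f.host not in assets})
```

Run with the constructed data, the count view puts build-07 first while the risk view puts web-01 first, and lab-99 is reported as an inventory gap.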

That will depend on how good the CDM program contractors are since they will be tasked with providing all of the technical services necessary to install, configure and maintain the dashboards, along with the positioning of the sensors that feed data to the dashboards.

It all comes down to the mitigation part of the CDM description, according to John Pescatore, director of emerging security trends at SANS. That’s key, he said, since finding vulnerabilities doesn’t do any good unless you are also fixing them. Proof of effectiveness will be lacking until the CDM program actually gets to that point.

“Continuous monitoring is just voyeurism unless you are actually changing something,” he said.