Research Report

Phase 3 Requirements Finally Emerge

While the entire Continuous Diagnostics and Mitigation (CDM) program is aimed at boosting the security of government agency IT, the contract itself can be separated into two primary areas of operational significance. Phases 1 and 2 provide the tools and services agencies will need to manage their hardware and software assets. Phase 3 is where this baseline capability data will help with security improvements.

Managing network access controls will be a major part of those improvements. A first look at that came in March 2016 with the publication of detailed functional requirements for what the Department of Homeland Security (DHS) calls N-BOUND tools. These are sensors and other tools needed to monitor and manage both physical and logical access to department and agency networks and data.

The draft addresses three requirements:

  • BOUND-F: To monitor and manage network filters and boundary controls
  • BOUND-E: To monitor and manage encryption (more generally defined, according to the document, as cryptography mechanism controls)
  • BOUND-P: To monitor and manage physical access controls

These boundary protection functions all have cross-capability functions, both within the BOUND application and with other CDM tools. For example, BOUND-F tools employ encryption, using data gathered by CDM sensors to describe the attributes used for BOUND-E policies. BOUND-F network filters include firewalls and gateways that sit between various regions of a network, such as a trusted internal network and a less trusted external network.

The goals of these boundary devices include “limiting or denying access by unauthorized users while simultaneously allowing access by authorized users; preventing undesired software such as viruses and other malware from getting into the trusted network; preventing undesired content from getting into the trusted network; and preventing, limiting, or monitoring the exfiltration of sensitive data or applications from the trusted to the less trusted network.”

BOUND-E is aimed at providing greater visibility into the risks associated with the various cryptographic devices and mechanisms used on an organization’s network. Failures at this level are behind many of the recent security breaches at government agencies. The BOUND-E function comprises a cryptography category, which covers encryption techniques as well as the monitoring and management of cryptographic keys and certificate authorities.

The draft document also briefly examines requirements for BOUND-P, essentially those needed to collect and verify all authentication and access control lists used to get authorized people through doors and gateways. DHS says more details on BOUND-P will come later.

The document also mentions what it calls “special considerations” required for Internet-based connections to government-mandated security programs such as EINSTEIN and the Trusted Internet Connection (TIC) initiative. The EINSTEIN program provides integrated intrusion detection and prevention for agencies, while TIC is the mechanism through which agencies can optimize the security of their external connections. Both are important elements, since the intent is for government to complement and eventually integrate CDM with these types of capabilities.

While that would also stop many of the more common types of attacks hitting agency networks, the N-BOUND tools are aimed directly at the sort of advanced persistent threat (APT) attacks recently used against the Office of Personnel Management (OPM) and other agencies. These are expected to pose the greatest danger.

The purpose of this section of the CDM program is to manage network access controls, the document says. The intent is to limit unauthorized access that “would allow attackers to cross internal and external network boundaries and then pivot to gain deeper network access and/or capture network resident data at rest or in transit.”