The uncertain marriage of CDM and FedRAMP

Two vast risk management programs are gradually converging. How smoothly and quickly they can do so remains an open question.

Photo caption: FedRAMP Director Matthew Goodrich said there are legal, policy and privacy implications for mixing government and private-sector data in a single dashboard.

The federal government has gone all in on continuous diagnostics and mitigation, a wide-ranging and ambitious program to guard agency networks against cyber threats. Run by the Department of Homeland Security, the program aims to address 15 types of continuous diagnostics and pairs a dedicated acquisition vehicle with expert guidance and even DHS dollars for agencies seeking to improve their monitoring.

The first phase, which focuses on endpoint device security, has drawn widespread agency interest, and network managers who have implemented CDM have said the system of dashboards provides a revealing view of vulnerabilities -- many of which had gone unnoticed under previous monitoring regimes.

A big question looms over the future of CDM, however: Can the program accommodate agencies' increasing demand for cloud computing and the Federal Risk and Authorization Management Program (FedRAMP) that was designed to accelerate the shift to the cloud?

Why it matters

It is a truism that bears repeating: Malicious cyber threats to federal networks are a clear and present danger. In recent months, a series of cyberattacks has hit agencies ranging from the Office of Personnel Management to the State Department.

And although the structures and scopes differ greatly, CDM and FedRAMP share a broad goal: to use a standardized and repeatable security process to make damaging intrusions to federal networks significantly less likely. But absent a clear road map for coordinating the two initiatives, agencies risk adding compliance hoop-jumping and unnecessary complexity to their cloud security efforts when the goal is to streamline and focus on risk.

Next steps

The extent to which the Continuous Diagnostics and Mitigation program can benefit from industry-provided cloud services depends on clearing up some ambiguities, vendors say.

Ken Durbin, manager of Symantec's Continuous Monitoring and Cybersecurity Practice, said it might take time for industry and government to get on the same page when it comes to CDM and the cloud.

"I have a concern that [the Department of Homeland Security and General Services Administration] may be assuming that vendors have products teed up, ready to go, to be delivered as a service," he said in an interview. "They may or may not, depending on how 'as a service' is defined."

If DHS were to publish its vision of "as a service" for industry feedback, the two sides could come closer together, he added.

When it began, "the CDM program didn't really come out with [the cloud] as part of its thought process," said Ken Ammon, chief strategy officer at Xceedium. "They started that process before cloud and FedRAMP really had moved forward."

Ammon said that if a product is already deployed through the CDM contract vehicle, there is no way to price additional cloud-computing capacity into the contract. As a result, vendors have so far not "been able to bring their cloud security components to the [CDM] vehicle."

"The biggest challenge that I've seen -- considering that both [programs] are supposed to be advancing security -- is that the buyers of FedRAMP-approved services still, I think, have a huge gap in their understanding of what their responsibilities are and will continue to be when implementing and utilizing those cloud services," he added.

One of the next signals from government to industry on CDM and the cloud might come from the National Institute of Standards and Technology. It is developing a Cloud Risk Management Framework that will offer detailed guidance on the security risks posed by cloud computing.

Although the guidance might not specifically mention CDM, its language covering the broader topic of "continuous monitoring" would apply to CDM, said Kelley Dempsey, a senior information security specialist at NIST.

The agency generally likes to keep its guidance broad rather than issuing technology-specific documents, but the multitude of applications for cloud computing prompted NIST to develop cloud-specific guidance, which will probably be released by the end of the summer, she said.

-- Sean Lyngaas

The fundamentals

At the core of CDM is a contract vehicle that currently involves blanket purchase agreements with 17 vendors for a wide range of equipment and consulting and other services that contribute to a holistic view of network vulnerabilities. It provides agencies with a means to not only meet the continuous monitoring mandates that are part of the Federal Information Security Management Act, but to move beyond compliance-driven monitoring to the truly dynamic and risk-based approach demanded by a November 2013 Office of Management and Budget policy memo.

FedRAMP is based in the General Services Administration and steered by GSA, DHS and the Defense Department. The program mandates agencies' adoption of common cloud security standards and seeks to streamline that process by reusing the costly assessments and authorizations of various cloud services. It, too, is mandatory for all agencies, thanks to OMB's December 2011 directive, and it has continuous monitoring provisions of its own. But integration with CDM is not explicitly part of the framework.

Key challenges

The first hurdle in the marriage between FedRAMP and CDM is a fundamental one: The latter's complex structure, which includes a phased model for agency rollouts and types of monitoring, makes wedding it to FedRAMP no easy task.

Officially, all agency cloud projects are now supposed to be FedRAMP-compliant (though there is no clear penalty for missing the June 2014 deadline). CDM is still barely into the second of its three phases. Attention shifted to key components such as access control, credentials and boundary protection -- all integral to FedRAMP's requirements -- only last summer.

FedRAMP, meanwhile, also continues to evolve. A draft baseline for cloud computing systems that require security at FISMA's high-impact level was released on Jan. 27, and better continuous monitoring is one of nine strategic goals in the two-year road map that FedRAMP Director Matthew Goodrich outlined at a Jan. 22 event sponsored by FCW.

The continuous monitoring that is currently part of FedRAMP is good, Goodrich said, adding, "I think it's solid. But it's largely compliance-based. I'd like to make it more risk-based."

GSA officials see FedRAMP and CDM as largely compatible. The two programs "already align programmatically and will continue to grow strategically in the same path to move continuous diagnostics and mitigation programs to the cloud," a GSA spokesperson told FCW via email. "Privacy concerns prevent a complete marriage between the two, but [do] not impede progress."

Just what are those privacy concerns? Goodrich said the union of FedRAMP and CDM means dealing with blurred lines between government and private-sector assets. "When you're looking at rolling up reporting into a dashboard with government data, there are a lot of legal and policy and privacy implications for that for private-sector companies versus government assets," he told FCW.

According to Nick Son, Coalfire Public Sector's managing director for technology advisory and assessment services, FedRAMP and CDM are definitely converging. "It's really about the data input," Son said. "We need to make sure that the monitoring information [FedRAMP requires] is formatted and standardized" so that it can flow into the CDM program.

There is also the small matter of scale. As Tom DeBiase, chief information security officer at DHS' Immigration and Customs Enforcement, said in October, when his agency took inventory of endpoint devices for CDM's first phase, "we had a lot more technology than we realized."