Can CDM change the game?

An effective cybersecurity strategy requires more than a periodic safety check. That's the thinking behind continuous monitoring, a risk management approach that seeks to keep organizations constantly apprised of their IT security status.

The National Institute of Standards and Technology describes continuous monitoring as providing an ongoing awareness of security threats and vulnerabilities. That approach provides a sharp contrast to what has been the federal norm of annual security reviews and more thorough recertifications every three years.

The rapid proliferation of malware and other cyberattacks encourages a faster monitoring tempo. IT security vendor Kaspersky Lab said in late 2013 that it was detecting 315,000 new malicious files each day, up from 200,000 new files per day the previous year. Panda Security, a security solutions provider, reported earlier this year that 20 percent of the malware that has ever existed was created in 2013.

As the onslaught continues, the federal sector has been taking steps to improve its situational awareness. Indeed, agencies have been following continuous monitoring directives and guidelines for a few years now. The Continuous Diagnostics and Mitigation program, which the Department of Homeland Security manages with support from the General Services Administration, is the government's latest take on continuous monitoring. CDM provides a more comprehensive approach and makes funding available for agencies to adopt the security practice.

"The [CDM] program reflects the evolution of continuous diagnostic programs over the past 10 years," a DHS official said.

However, Ron Ross, a NIST fellow, acknowledged that continuous monitoring is difficult given the number of IT systems in the federal sector and agencies' diverse missions and business functions. "It is a big job to have a good continuous monitoring program so we can give senior leaders the best information that we can possibly give them," he added.

Why it matters

The Federal Information Security Management Act (FISMA) of 2002 requires agencies to review their information security programs at least annually, and Office of Management and Budget Circular A-130 calls for agencies to review their systems' security controls at least every three years.

The government's current security push, however, favors a more dynamic approach. The emphasis on continuous monitoring reflects the realization that nothing stays the same in the IT environment. The threat landscape changes with each new attack vector and malware variety, while agencies' systems and networks are subject to frequent reconfiguration.

As a result, a security regimen that keeps the IT infrastructure locked down today might not provide adequate protection tomorrow. The moment-to-moment vigilance of continuous monitoring seeks to ensure that an agency's security controls remain relevant.

Ken Ammon, chief strategy officer at Xceedium, said continuous monitoring places agency risk management on a whole new footing by addressing the question of "how do I manage risk on a real-time basis rather than on a legacy certification and accreditation basis?"

DHS has deployed Xceedium's privileged identity management solution, and other government departments, prompted by various security directives, have adopted continuous monitoring programs to mitigate risk.

The fundamentals

Continuous monitoring is a hot security topic today, but the concept dates back nearly 20 years. NIST's Special Publication 800-12 was published in 1995 as an introduction to computer security. It drew a distinction between a system audit, which it describes as a "one-time or periodic event to evaluate security," and monitoring, which it defines as an "ongoing activity."

In 2002, FISMA referred to the "monitoring, testing and evaluation of information security controls." NIST's guidelines for certifying systems under FISMA, outlined in SP 800-37, established continuous monitoring as the fourth phase of a four-step certification and accreditation process.

Technology for continuous monitoring followed. In 2008, OMB mandated the use of Security Content Automation Protocol tools for verifying that Microsoft Windows-based systems followed the security configurations established in the Federal Desktop Core Configuration.

"Agencies must also use these tools when monitoring use of these configurations as part of FISMA continuous monitoring," the OMB guidance states.

The current wave of continuous monitoring began with the publication of the Consensus Audit Guidelines (CAG) in 2009. They outline 20 cybersecurity practices and provide agencies and contractors with a short list of security controls. The goal was to focus on a few critical controls and monitor them continuously via automated tools.

Industry executives say CAG established the groundwork for CDM, now the focal point for continuous monitoring activities at civilian agencies.

"If you look at CDM, it has a heavy basis in what was originally the CAG guidelines," said Matt Brown, a vice president at Knowledge Consulting Group.

Greg Kushto, director of the security practice at Force 3, said CDM builds on CAG. "It's the same core idea," he said. "It just keeps getting fleshed out and strengthened."

CDM also draws on NIST's SP 800-137, "Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations," which was published in 2011. The DHS official said CDM is a way to implement the NIST document's objective to "maintain ongoing awareness of information security, vulnerabilities and threats to support organizational risk management decisions."

The official said CDM supports and builds on the approach outlined in SP 800-137 by enabling agencies to buy strategically sourced tools and services, deploy dashboards to identify vulnerabilities and defects in near-real time, and apply risk scoring to prioritize mitigation of the most significant problems and thereby reduce the likelihood of a disruptive or damaging cybersecurity event.

Ross said SP 800-137 describes a broader continuous monitoring process of which CDM is a subset. He said continuous monitoring, as defined in NIST's document, includes monitoring activities that are not necessarily subject to automation -- for example, maintaining and updating a contingency plan for dealing with the aftermath of a cyberattack.

Nevertheless, Ross called CDM a large and comprehensive program that plays a critically important role.

CDM's wide-angle focus sets it apart from previous continuous monitoring initiatives, which emphasized vulnerability scanning and point-in-time snapshots of IT assets, said Mark Orlando, director of cyber operations at Foreground Security, a security consulting, training and services company.

CDM, on the other hand, goes beyond scanning to incorporate additional elements of governance and technical assessment. "We are seeing a significant expansion of scope," Orlando said.

The initial phase of CDM implementation, for example, covers managing configuration settings and continuous monitoring's traditional focus on vulnerability management. Phase 1 also splits hardware and software asset management into separate tasks.

Rob Roy, federal chief technology officer in HP's Enterprise Security Products division, said CDM's software orientation marks a departure from previous efforts. He noted that traditional continuous monitoring never examined the government's myriad applications to find and close vulnerabilities.

"For the first time...CDM has added software vulnerabilities to the list," Roy said.

Kushto said continuous monitoring has typically focused on devices and operating systems. A scan might identify a server running Windows Server 2008 and then determine whether the BIOS was good and whether the operating system and patches were up-to-date.

CDM, however, pushes monitoring to the application layer as well. "It's not just the base layer -- it is really anything on that box," Kushto said.

Subsequent phases of CDM will further expand its scope. Phase 2 will include access control and authentication management, while Phase 3 will cover event management.

CDM also adds the use of dashboards. OMB requires agencies to submit security data gleaned from their CDM scans to a DHS-maintained dashboard, and agencies are expected to create their own dashboards to help them analyze and respond to vulnerabilities.

CDM also offers agencies blanket purchase agreements for buying continuous monitoring tools. The GSA-administered CDM Program Tools and Continuous Monitoring as a Service (CMaaS) BPAs provide access to diagnostic sensors and dashboard technology from 17 companies.

Rick Roach, a senior vice president at Digital Management Inc., said he believes CDM will boost the adoption of CMaaS. He added that the level of continuous monitoring adoption varies from agency to agency, but DHS is out in front.

"DHS is really the first dot-gov agency to lead the charge in CDM implementation, and this is laudable," Roach said. "With so many endpoints at the DHS HQ and agencies, no one else has done anything on this scale before, and I'm sure we'll all learn a lot from the DHS effort."

The hurdles

Cost has been one inhibitor to continuous monitoring. But it should help that DHS is making funds available for technology adoption as part of the CDM program.

"DHS...put money on the table on behalf of government organizations to help them deploy the necessary products and services," Ammon said, and the extra dollars will help agencies offset their investments in security technologies. He added that DHS is managing about $200 million in appropriated funds to support CDM's three-phase rollout and the dashboard project.

Kushto said DHS funds will help, but they won't cover a complete CDM deployment.

"Congress hasn't allocated enough money to do all of this for everybody," he said. "Agencies will need to supplement that [funding] with their own equipment and expertise."