DHS Readies Next Phase of Cybersecurity Conformity
The congressionally established CDM program enters a new realm as it focuses on identity management.
The U.S. Department of Homeland Security’s Continuous Diagnostics and Mitigation program is beginning a new thrust in which it addresses a growing concern of cybersecurity: identity management. The program aims to drive the overhaul of cyber risk management across federal, state, local, tribal and territorial governments and to do so cost-effectively by leveraging the technology acquisition processes—essentially buying in bulk.
The Continuous Diagnostics and Mitigation (CDM) program seeks to fortify cybersecurity of government networks and systems against the trillions of cyber events—growing more sophisticated, frequent and dynamic—that attempt to penetrate the systems weekly. The congressionally established program, a partnership led by the Department of Homeland Security (DHS) and the General Services Administration (GSA), gives participating agencies and departments access to software and programs to combat cybersecurity risks through commercial off-the-shelf tools.
“One of the main goals of CDM is like the joke: ‘I’m here from the government—I’m here to help,’” quips Ken Ammon, chief strategy officer of Xceedium Incorporated, a network security company. “But that really is their mission. My experience in working with the program office there is that they have brought in individuals who have been involved in delivering enterprise architecture and building systems so that this isn’t theoretical or a group of folks who haven’t experienced the challenge or the pain of having to try to do this job. They’re taking a very pragmatic approach.”
The effort has attracted more than 60 federal departments and agencies—a tally that represents more than 98 percent of the civilian government population, according to the DHS. Last year, the department awarded contracts to 17 prime technology and defense contractors to provide CDM tools and services for incorporation into requests for quote, or RFQ, solicitations that were released to the Continuous Monitoring as a Service (CMaaS) blanket purchase agreement (BPA) holders.
First, agencies had to get a firm hold on the inventoried assets. “In order to manage and improve anything, you have to be able to measure it,” Ammon offers. “What we found as a disturbing fact over the last 10 years is that if you were to ask most organizations ... if they had a definitive inventory of their [information technology] assets, the answer almost universally was no. We couldn’t even report what systems and IT infrastructure was in place, let alone try to measure whether it was up to a level of security.
“The thought behind CDM first off was to grab hold of this issue, this challenge of asset management, and try to put a standard in place in which everyone could at least have a degree of confidence in stating ‘here is my inventory of [information technology] assets,’” Ammon concludes.
Now officials have embarked on phase two, dedicated to assessing identity management—in other words, knowing who the users are, where they access the network and what privileges they have. “Security ... as it relates to CDM, specifically as it relates to phase two of CDM, ... is in identity and credentials management,” says Paul Christman, vice president of public sector for Dell Software. “That’s the next step … understanding who’s in your network, understanding how they prove who they are and then giving them proper access to the information. Until you get identity management down, you can’t do any other security. There’s just no way to do it because security depends on identity.”
The more privileges bestowed upon an employee, the more inspection their credential requires, Christman says. “We look at insider threat as a function of identity management. We just look at privileged users and elevated access of superusers as just a different kind of identity that needs to be managed a little more closely with a little bit more scrutiny. For the privileged user, in return for your unusual access, you’re going to have to sacrifice a little bit of anonymity, sacrifice a little bit of autonomy.”
To operate in the age of computers, agencies began granting privileges and elevated privileges to their employees, often failing to alter or revoke them when employees either left the agency or moved on to other positions. Additionally, employees could maintain those privileges no matter what job they performed, whether checking their email or reconfiguring a server. “And that problem of having too many privileges on an account is exactly what attackers target when they spear phish,” Ammon asserts. Spear-phishing attempts typically appear to come from an organization closely related to the target, such as particular companies with which employees interact on a regular basis. The hackers’ emails are sent to groups with common interests, jobs or characteristics. “More and more, they’re trying to target privileged users so that when they hijack the credential, they’ve also hijacked the keys to the kingdom.”
Studies have shown that 44 percent of administrative privileged users have access to their last job’s infrastructure, and 20 percent have access to two jobs ago, Ammon points out. “In this high-risk world we live in, how could it be that we find our way to not paying somebody after we terminated their employment, but we can’t see to get rid of somebody who can shut our entire infrastructure down, even though they’re two jobs down the road?” he asks.
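The stale-access problem the two speakers describe (privileged grants that survive a job change or a departure) is something an agency can check for mechanically once it has the asset and identity inventories that CDM phases one and two are meant to produce. The following is an added illustration, not code from the article or from the CDM program: it assumes a hypothetical HR feed giving each user's role history and an entitlement export that records the role each privileged grant was issued for, and it flags grants tied to a role the user no longer holds, reporting how many jobs ago that role was (the "last job" and "two jobs ago" figures quoted above). All records are constructed sample data.

```python
"""Stale privileged-access review (added example; all data is constructed).

Assumed inputs (not from the article):
  - an HR feed with each user's role history, oldest first, plus an
    active/separated flag
  - an entitlement export listing each grant with the role it was issued for
"""
from dataclasses import dataclass


@dataclass
class User:
    uid: str
    roles: list          # role history, oldest first; roles[-1] is the current role
    active: bool = True  # False once HR records a separation


@dataclass
class Grant:
    uid: str
    system: str
    granted_for_role: str  # role the access was approved for
    privileged: bool       # admin / superuser level access


# Constructed sample HR feed.
USERS = [
    User("alice", ["helpdesk", "sysadmin-web", "sysadmin-db"]),
    User("bob", ["netops"]),
    User("carol", ["dba", "security-eng"]),
    User("dave", ["sysadmin-web"], active=False),
]

# Constructed sample entitlement export.
GRANTS = [
    Grant("alice", "db-cluster", "sysadmin-db", True),      # matches current role
    Grant("alice", "web-farm", "sysadmin-web", True),       # one job ago
    Grant("alice", "ticketing-admin", "helpdesk", True),    # two jobs ago
    Grant("bob", "core-routers", "netops", True),           # matches current role
    Grant("bob", "wiki", "netops", False),                  # unprivileged, out of scope
    Grant("carol", "db-cluster", "dba", True),              # one job ago
    Grant("dave", "web-farm", "sysadmin-web", True),        # separated user
]


def review(users, grants):
    """Return findings as (uid, system, reason, jobs_ago) tuples.

    reason is one of: "stale" (role held earlier in the user's history),
    "separated" (user no longer active), "orphaned" (no HR record at all),
    or "unexplained" (granted for a role the user never held).
    """
    by_uid = {u.uid: u for u in users}
    findings = []
    for g in grants:
        if not g.privileged:
            continue  # this review is scoped to privileged access only
        user = by_uid.get(g.uid)
        if user is None:
            findings.append((g.uid, g.system, "orphaned", None))
        elif not user.active:
            findings.append((g.uid, g.system, "separated", None))
        elif g.granted_for_role == user.roles[-1]:
            continue  # grant still matches the current role
        elif g.granted_for_role in user.roles:
            # distance from the current role back to the role the grant was for
            jobs_ago = len(user.roles) - 1 - user.roles.index(g.granted_for_role)
            findings.append((g.uid, g.system, "stale", jobs_ago))
        else:
            findings.append((g.uid, g.system, "unexplained", None))
    return findings


def stale_share(users, grants):
    """Fraction of active privileged users holding at least one stale grant."""
    active_privileged = {
        g.uid for g in grants
        if g.privileged and any(u.uid == g.uid and u.active for u in users)
    }
    if not active_privileged:
        return 0.0
    stale_users = {f[0] for f in review(users, grants) if f[2] == "stale"}
    return len(stale_users & active_privileged) / len(active_privileged)


if __name__ == "__main__":
    for uid, system, reason, jobs_ago in review(USERS, GRANTS):
        where = f" ({jobs_ago} job(s) ago)" if jobs_ago is not None else ""
        print(f"{uid:8s} {system:16s} {reason}{where}")
    print(f"share of active privileged users with stale access: {stale_share(USERS, GRANTS):.0%}")
```

On the sample data the review flags alice's two older grants, carol's DBA grant and dave's post-separation access, and reports that two of the three active privileged users (alice and carol) still hold access from a previous job. In practice the same logic would run against the live identity feed on a schedule, which is the continuous-monitoring posture the program is after rather than a one-time clean-up.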
The overarching CDM effort somewhat aligns with the mind-set of existing governmental programs that call for uniformity, such as Homeland Security Presidential Directive 12 issued in 2004 by President George W. Bush. The policy necessitated a mandatory, standardized method to create secure and reliable forms of identification for all government employees and contractors needing access to federally controlled facilities and networks.
But the established methods concentrated on certifications instead of the applicability of the technology. Devices needed to meet certain criteria to be certified, such as using proper encryption algorithms. Once certified, the system switch was turned on and rarely assessed again. “As it turned out, almost our entire approach for certification and accreditation was based upon looking at our security posture right before you turn the switch to the on position for a system and assessing its risk. And that’s it—the system would run for 10 years,” Ammon notes. “Anyone who owns a laptop or a mobile device, you see how many times updates pop up in your system, and it has to update its software for various reasons. The lesson learned is we have to do a continuous monitoring of these systems. We can’t just look at them and turn them on and assume nothing has changed.”
The CDM is not just about applying technology to address and fix a governmental problem. It also serves as an initiative that tests an evolving vision of federal leaders to revamp the burdensome acquisition process and find solutions that provide cost-effective yet valuable products. In essence, buying in bulk can make the product or service less expensive, which means that state, local, tribal and even territorial governments can make purchases off the CMaaS BPA and get the same consistency, pricing and speed of procurement available to the federal departments and agencies that sign on. For the CDM, the DHS partnered with the GSA to structure acquisition vehicles for the eligible departments and agencies. The Defense Department and intelligence communities, already steeped in cybersecurity efforts, are not eligible to participate in CDM funding earmarked for civilian departments and agencies.
So far, the DHS has signed memorandums of agreement with 63 agencies. The Office of Management and Budget (OMB) directs agencies to report on Federal Information Security Management Act (FISMA) metrics and Cross-Agency Priority goals using CyberScope, an application co-developed by the DHS and the Department of Justice to standardize the manual and automated data agencies submit for FISMA compliance.
Participation in the DHS-funded CDM solicitations is voluntary, but the OMB requires agencies establish practicable plans to migrate to the GSA BPA after individual department or agency contract terms expire. So far, 15 agencies have obtained what is called a delegated procurement authority, under which they may use the GSA BPA directly. For those who sign on to receive earmarked funding, the OMB requires they submit an Information Security Continuous Monitoring strategy. Additionally, the Federal Information Security Modernization Act of 2014 establishes that the DHS, upon request by an agency, is charged with “deploying technology to assist the agency to continuously diagnose and mitigate against cyberthreats and vulnerabilities, with or without reimbursement.”