Security is not a one-time event: Everyone knows it takes constant monitoring to detect and shore up weaknesses, find and patch vulnerabilities, and stay on top of constantly evolving threats. This requires time, expertise, tools and money — but help is at hand.
The U.S. Department of Homeland Security administers the Continuous Diagnostics and Mitigation program to provide stakeholders with commercial off-the-shelf tools to help ensure adequate, risk-based and cost-effective cybersecurity. This multiyear program offers a phased approach to deploying technology, along with a procurement vehicle to support the effort.
Here is an explanation of what CDM is, why it’s a good idea, how it works and some lessons learned.
What Is the DHS CDM Program?
CDM is a contracting vehicle available to state, local and tribal governments providing both a methodology and a cost-effective way to purchase tools to identify, prioritize and mitigate cybersecurity risks. (CDM Tools SIN 132-44 is a contracting solution through the General Services Administration’s IT Schedule 70 offering approved products at an advantageous price.)
The program presents a four-phase implementation approach, starting with determining what is on the network and who is on it, then what activities are being undertaken, and finally focusing on the data itself. Each stage identifies and prioritizes vulnerabilities and configuration compliance issues.
Why Should State and Local Agencies Deploy CDM?
Congress established the DHS CDM program to enhance the ability of governments at every level to identify and mitigate the effects of increasingly severe and newly emerging cybersecurity threats. While agencies should address risks on an ongoing basis, the reality is that budgets are stretched thin and expertise is scarce. CDM aims to help fill those gaps.
Prioritization is key to mitigating the most significant problems first. Thus, the program provides not only easy access to cybersecurity tools but also a methodology that helps agencies and organizations make the best use of resources. The Homeland Security Department describes the program as being the best bang for the buck, supporting risk-based decision-making for resource allocation.
How CDM Works to Enhance Cybersecurity
Participants in the program can acquire commercial off-the-shelf tools through blanket purchase agreements following a phased approach that builds a solid foundation for ongoing risk identification and mitigation.
In phase one, organizations can acquire tools to assess what hardware and software assets they have. They also determine which vulnerabilities are present and identify anti-virus and patch management software that might help protect their systems.
Once state and local agencies have identified hardware and software assets, phase two comes into play. This phase focuses on the users: Who is on the network? What privileges do they have? What are they authorized to access? What are they doing? To help in this regard, CDM provides tools to administer access control and credential and authentication management to allow only authorized users on the network.
Phase three builds on the answers to who and what is on the network by looking at activities in terms of boundary protection and events. This involves perimeter components, data at rest and in motion, and user behavior and activities. This phase includes tools for network access control, packet and content filtering, data loss prevention and forensic analysis.
Phase four focuses on the data — the heart of the matter. A variety of sensors and other products help organizations continuously identify risks, prioritize them and perform mitigation on the most important ones as data is accessed or manipulated. Solutions include digital rights management, data masking, enhanced encryption, enhanced data loss prevention, micro-segmentation and mobile device management.
CDM Adoption Best Practices to Follow
Confronting the massive volume and increasing sophistication of cyberattacks is a daunting task, but the CDM program makes the effort easier and more cost-effective.
The phased approach presented by CDM helps to break tasks into manageable chunks that can be performed in a measured way utilizing the available budget and workforce. During the years since the program’s introduction, several important lessons have surfaced:
Lesson One: Pay attention to phase one, the foundation.
It’s difficult for even small agencies to fully understand what assets they have and whether they are protected. One example: The city of Memphis chose BeyondTrust Retina to monitor and protect its infrastructure, taking a more proactive approach to vulnerability management. Retina was able to locate assets across a large, diverse IT environment. The most important vulnerabilities were prioritized for immediate remediation, helping teams focus their efforts.
Lesson Two: Choose wisely; some solutions can do double duty.
The state of Missouri, with 40,000 employees across 100 locations, chose Forescout CounterACT to address phase one. The state didn’t know how many devices were on the network, but the product gave instant visibility into a wide variety of networked devices, including industrial control systems and heating, ventilation and air conditioning. Benefits continued in phase three with network access control and auto-remediation of noncompliant devices.
Lesson Three: Build support across departments.
CDM often requires the support of multiple departments, as IT systems cross departmental spaces and boundaries. Identify key stakeholders and get their buy-in early in the process by explaining the benefits of a more comprehensive view of risk. For example, combining vulnerability data with privileged identity and password management intelligence leads to better situational awareness when prioritizing risk reduction and remediation.
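As an added illustration of the risk-based prioritization the program describes and of Lesson Three's point about combining vulnerability data with privileged-identity intelligence, the following Python example (not code from the article, DHS or any vendor named here) ranks constructed scanner findings by severity weighted by the number of privileged accounts present on each host. Host names, vulnerability identifiers, scores and the weighting factor are all hypothetical.

```python
# Added example: combine phase-one vulnerability findings with phase-two
# privileged-identity data to produce a remediation order. All data is constructed.
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    vuln_id: str   # placeholder label, not a real vulnerability identifier
    cvss: float    # base severity on the usual 0-10 scale


# Constructed vulnerability scanner output (the kind of data phase one yields)
FINDINGS = [
    Finding("web-01", "VULN-A", 7.5),
    Finding("db-02", "VULN-B", 6.0),
    Finding("hvac-ctl", "VULN-C", 9.8),
    Finding("ws-117", "VULN-D", 9.0),
]

# Constructed privileged-account inventory (the kind of data phase two yields):
# host -> privileged accounts known to exist on it
PRIVILEGED_ACCOUNTS = {
    "web-01": ["root"],
    "db-02": ["svc_backup", "dba_admin"],
    "hvac-ctl": [],
    "ws-117": [],
}

# Hypothetical weighting: each privileged account on a host raises its exposure.
PRIV_WEIGHT = 0.5


def risk_score(f: Finding, priv: dict) -> float:
    """Severity scaled by exposure. A moderate vulnerability on a host holding
    admin credentials can outrank a critical one on an isolated workstation."""
    return f.cvss * (1.0 + PRIV_WEIGHT * len(priv.get(f.host, [])))


def prioritize(findings: list, priv: dict) -> list:
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=lambda f: risk_score(f, priv), reverse=True)


if __name__ == "__main__":
    for f in prioritize(FINDINGS, PRIVILEGED_ACCOUNTS):
        print(f"{f.host:10} {f.vuln_id:8} cvss={f.cvss:4} score={risk_score(f, PRIVILEGED_ACCOUNTS):.2f}")
```

With this data db-02, whose finding is the least severe on its own, moves to the top because two privileged accounts live there, which is the situational-awareness gain the lesson describes.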