Improving Your Security Posture
with the Continuous Diagnostics
and Mitigation Program (CDM)
Industry Perspective
Improving Your Security Posture with the Continuous Diagnostics and Mitigation Program
1
“The CDM program provides capabilities and tools that enable network
administrators to know the state of their respective networks at any given
time, understand the relative risks and threats, and help system personnel
to identify and mitigate flaws at near-network speed.”
Continuous Diagnostic and Mitigation (CDM) website.
1
Symantec Industry Perspective
Improving Your Security Posture with the
Continuous Diagnostics and Mitigation
Program (CDM)
As your agency continues to adopt new and innovative technologies, you must take the proper steps
to secure information. Since information networks
are becoming increasingly complex and connected,
there are more opportunities for information to
become compromised.
Now, more than ever before, you rely on safe, secure and efficient technology to meet mission
needs. That’s why the Department of Homeland
Security (DHS) has created the Continuous Diagnostic and Mitigation (CDM) program, which is an
important step for governments to improve their
security posture.
CDM supports civilian Federal agencies in becoming more secure, and deploy a cost-effective cybersecurity program. The CDM website states, “The
CDM program provides capabilities and tools that
enable network administrators to know the state
of their respective networks at any given time, un-
derstand the relative risks and threats, and help
system personnel to identify and mitigate flaws at
near-network speed.”
Undeniably, government leaders are challenged to
combat and mitigate new cyber attacks and threats.
Yet these attacks to government agencies are not
only growing in volume, but also in sophistication.
To assist in improving an agency’s security posture,
CDM will provide the tools needed to protect the
network, giving agencies the ability to monitor and
quickly mitigate day-to-day cyber attacks, protect
critical information, and improve risk management.
Throughout this report, we will explore what CDM
is and how it can help your agency. This report also
includes how to identify best practices and what to
consider when adopting CDM, through interviews
with two Symantec experts, Ken Durbin, the Cyber
and Continuous Monitoring Practice Manager, and
Jennifer Nowell the Director of Strategic Programs
for Public Sector.
Improving Your Security Posture with the Continuous Diagnostics and Mitigation Program
2
EXPLORING THE
CONTINUOUS DIAGNOSTIC
MITIGATION (CDM) PROGRAM
The CDM program provides agencies the ability to
automate and enhance their monitoring capabilities
by providing diagnostic and mitigation tools along
with dashboards. DHS is currently working with
the Federal executive branch agencies to conduct
the following activities:
• Deploy and manage sensors for hardware asset management
• Deploy and manage sensors for software assets and whitelisting
• Mitigate vulnerabilities
• Set compliance standards
• Capture data about an agency’s cybersecurity
flaws
• Present those risks in an automated and continuously updated dashboard
3
The scope of the CDM initiative includes the
15 Functional Areas listed below:
1. Hardware asset management
2. Software asset management
3. Configuration management
4. Vulnerability management
5. Manage network access controls
6. Manage trust in people granted access
7. Manage security related behavior
8. Manage credentials and authentication
9. Manage account access
10.Prepare for contingencies and incidents
11.Respond to contingencies and incidents
12.Design and build in requirements policy and planning
13.Design and build in quality
14.Manage audit information
15.Manage operation security
According to the CDM site, “Capabilities are established at every level of the network, not just the
periphery, which gives agencies the ability to see
how effective their systems are. The first phase of
CDM focuses on four of the capabilities, management of hardware and software assets, configuration, and vulnerabilities.” The first phase will allow
your agency to create a baseline to measure the
effectiveness of your cyber defense program.
HOW DOES CDM WORK?
CDM is a powerful program that allows agencies
to expand their continuous monitoring capabilities
through increasing sensor capacity and automation,
and increasing risk awareness. The goal of the CDM
program is to scan networks once every 72 hours
to detect potential vulnerabilities or attacks. The
CDM website provides additional insights on how
the program works:
• First, agencies install and/or update their diagnostic sensors and the agency-installed sensors begin performing automated searches for
known cyber flaws.
• In a future phase of CDM, scanned results will
be fed into an enterprise-level dashboard that
produce customized reports, alerting IT managers to the most critical cyber risks. These reports will enable them to readily identify which
network security issues to address first, thus
enhancing the overall security posture of agency
networks.
GSA’S BLANKET PURCHASE
AGREEMENT FOR CDM
In order to participate in the program, the General Services Administration (GSA) and DHS have
used the GSA IT Schedule 70 as a contract vehicle.
The Continuous Monitoring as a Service (CMaaS)
contract provides CDM tools and integration services to all federal agencies, state, local, regional,
and tribal governments under a blanket purchase
agreement.
One important element of CDM is that if a civilian
government agency participates, the Department
of Homeland Security will pay for the cost of the
tools and integration. For fiscal year 2014 alone,
DHS has allocated $185 million to spend on CDM
tools and services. The Department of Defense,
intelligence community, and state, local, and tribal
government can also purchase from the CMaaS
contract to procure CDM solutions, but they must
use their own funding.
011101110111101010001010101
101011010101111011011111110
011101110111101010001010101
0010010101011010101Virus010
The goal of the
CDM program is to
101001010101101010101010110
scan networks once
001111010101111011011001110
every 72 hours to
detect potential
011101110111101010001010101
• Progress reports that track results can be
shared within and among agencies. Summary
information can feed into an enterprise-level
dashboard to inform and prioritize ongoing cyber risk assessments.
vulnerabilities or
attacks.
Improving Your Security Posture with the Continuous Diagnostics and Mitigation Program
4
CDM RESOURCES FROM
AROUND THE WEB
This report provides a quick overview of the CDM program, but there are a lot of great resources around the
web describing the program as well. From our research,
we’ve pulled out the core documents for you to review,
and give you the need-to-know access to information.
DHS Press Release:
https://www.dhs.gov/blog/2013/08/13/major-step-forward-betterprotecting-federal-state-and-local-cyber-networks
GSA Contract Announcement:
http://www.gsa.gov/portal/content/176671?utm_
source=FAS&utm_medium=print-radio&utm_term=cdm&utm_
campaign=shortcuts
CDM Implementation:
http://www.dhs.gov/cdm-implementation
5 BEST PRACTICES WHEN
IMPLEMENTING CDM
Symantec’s CDM tools not only ensure compliance
with government cyber mandates, but also provide
the technology to leverage CDM to excel in mission goals. In our expert interview with Ken Durbin
he explained that adopting CDM solutions is more
than checking a box for compliance. Durbin explained, “If an agency implements CDM tools correctly, they are going to improve their cybersecurity posture. There’s just no doubt about it.” The
following are five best practices in order to fully
leverage the benefits of CDM.
5
Symantec Industry Perspective
1. OPERATE WITH A BROAD
VIEW OF CONTINUOUS
MONITORING
When imagined comprehensively, CDM can allow
an organization to determine if they are effective,
efficient, secure and compliant. The first step to
getting the most out of CDM is to visualize the
programs complete potential. This means having a
full view of what assets are on your network, and
being able to monitor them to spot abnormalities.
2. SECURE EXECUTIVE BUY-IN
Implementing CDM requires employees at all levels to understand the importance of cyber security measures. However, the decision to implement
CDM must be made at the top. Ultimately, it will be
the decision of the Chief Information Security Officer (CISO) to invest in a CDM solution.
The NIST Risk Management Framework recommends securing support from management, including the CISO, the CIO, and the department heads.
In order to fulfill the mandates of CDM, Durbin
said, “Upper level management has to decide that
CDM is going to be a priority, and are going to devote the time and resources to get it done and get
it done correctly.” Durbin warned, “If it’s just a CIO
that hands it off or passes it to an individual who
doesn’t have the authority to put any teeth behind
it, it’s either not going to be very successful or it’s
going to be window dressing to show compliance.
It’s doubtful they will see any improvement in their
overall cyber security.”
• Data Aggregation: Data collection occurs at
many different points, but the key is to bring that
data together into a single repository for your
agency to monitor compliance and effectiveness.
This provides valuable insights to your agency,
and can provide alerts of abnormal activity to
system administrators.
3. COLLABORATE IN
IMPLEMENTATION AND
COMPLIANCE
Once the CISO makes the decision to pursue
CDM, they will depend on their entire organization
to implement the program in order to meet compliance. Durbin said, “In a typical IT organization,
jobs are divided into areas of responsibility. One
area may focus on deploying and managing sensors,
another on compliance and another on reporting.
The CISO is going to rely on those people to find
out what he or she needs and understand his/her
environment and requirements.”
As you consider a solution that will best meet your
needs, it’s important to consider all the employees
and stakeholders engaged throughout the process.
Every stakeholder plays an essential role in bringing
value and security to your CDM solution. The various actors can be broken down into the following
categories:
• Sensor Deployment and Management:
These are employees within your agency who
are responsible for the implementation of the
sensors that track usage and produce data; the
data collected by the sensors will then be used
for network analysis.
• Reporting and Presentation: Once data
has been housed and framed into a single repository, information must be presented in a
way that is valuable and flexible to satisfy the
complex needs of the agency. The reporting and
presentation methods used will also need to
take into account additional compliance reporting, executive-level reporting and non-security
use cases to provide a full view of your agency’s
cyber program.
• Risk Based Decisions: Everyone from Chief
Information Officers to auditors require data
to make decisions regarding the effectiveness,
efficiency, security and compliance of a program. Decisions that affect an agency’s cybersecurity posture are made every day. If CDM is
implemented correctly, decisions can be made in
terms of risk priority, resulting in a more secure
IT environment and a better use of time and
resources.
4. KNOW YOUR MATURITY
LEVEL
For agencies, the maturity level of their IT organization will differ and require a different kind of
cyber security solution. In some cases, agencies will
just be getting started and in other scenarios, agencies will already be using certain aspects of CDM.
In order to adopt the right CDM solution, agencies
must assess their preparedness level.
Improving Your Security Posture with the Continuous Diagnostics and Mitigation Program
6
Jennifer Nowell provided insights as to how agencies can know what solution is best for their needs.
“Agencies and organizations can understand their
maturity level if they use the NIST Risk Management Framework to assess where they are in the
life cycle,” said Nowell. Furthermore, she agrees
with DHS’s recommendation to start with the following first four Functional Areas:
nually to the public by the Office of Management
and Budget (OMB). “Every year DHS produces a
document that defines a set of Cyber Security metrics. An agency can use the metrics as a guide to
plan that year’s cyber security efforts. Each agency
submits a monthly, quarterly and annual report to
DHS that documents their progress against the defined metrics,” said Durbin.
1. Devices: An agency should know if a new device has come into the environment, what that
device is, and where it is located. Nowell said,
“You can’t secure what you can’t see.”
The OMB uses this data to produce a “scorecard”
that ranks each agency according to how well they
have met each metric. This is commonly known
as the “FISMA Scorecard.” “The Scorecard details
where an agency has succeeded as well as where
they have missed the mark. It’s actually a good
tool for planning next year’s security efforts,” said
Durbin. For more insights on the federal governments goals, be sure to visit the following links:
2. Inventory: Agencies should maintain an inventory of the software operating in their environment. This ensures that software can be
patched appropriately or defended when no
patches are available.
Cross Agency Priority Goal:
3. Configuration: Defining baseline configurations shows what the system should look like
and makes it easier to determine if anything in
the baseline configuration has been changed.
Q3 Status Goal: http://technology.performance.gov/initiative/
ensure-cybersecurity/home
Improving Cyber Security:
http://technology.performance.gov/initiative/ensure-cybersecu-
4. Vulnerability: Agencies must focus on vulnerability management by keeping up with
emerging threats.
Nowell advised that prior to implementing a CDM
solution, it’s essential to know your organizational
needs. “Depending on what your agency’s needs
are, this could mean purchasing a tool that removes
current vulnerabilities, analyzing gaps in protection
or creating a dashboard to make better security
decisions,” said Nowell.
5. DEFINE METRICS
The government has defined IT Security metrics
that help agencies prioritize their cyber security
efforts. These metrics are tracked and reported an-
7
Symantec Industry Perspective
rity/home
These five best practices are just the start of your
journey to adopt a CDM solution. CDM provides
you the opportunity to drastically improve your
awareness of network vulnerabilities and threats,
affording you the ability to mitigate cyber threats.
You now have a choice. Your agency can simply
implement the minimum requirements to fulfill
compliance, or you can implement a CDM solution that will transform your operations. CDM will
increase your security, productivity, and efficiency
when paired with the right tools and best practices.
ABOUT SYMANTEC
Symantec protects the world’s information, and is the global leader in security, backup and availability solutions. Their innovative products and services protect people and information in any environment – from
the smallest mobile device, to the enterprise data center, to cloud-based systems. Their industry-leading
expertise in protecting data, identities and interactions gives their government customers confidence in a
connected world. More information is available on Symantec’s GovLoop Page.
For more information about this report, please reach out to Pat Fiorenza, Senior Research Analyst, GovLoop,
at pat@govloop.com, or follow him on twitter: @pjfiorenza.
Improving Your Security Posture with the Continuous Diagnostics and Mitigation Program
8