in government agencies is the best model for how it might look in CDM, Ammon
related.
Other important aspects of privileged access are behavior management and user
privileges. Ammon noted that many times when breaches occur, it's because a user has the
same system identity for low-security needs like email and high-security needs like
database management.
By giving users separate identities and giving those identities user privileges
specifically for what they need and nothing more, DHS will be able to get out in front
of attack vectors like phishing emails and malware infections.
An employee "should have two identities and roles within the organization. She
should have her work role where she's checking email, hitting a website on the
internet, doing her day-to-day activity and she should have a really separate, well-thought-out process for logging in to do any sort of mid-system management,"
Ammon explained.
A benefit of the PIV card system, though, is that both roles can be accessed with the
single authentication token.
"Now, at the end of the day, you want her to only use that single token. You want it to
just be a single PIV card and identity. But you want the backend process and access
method to be completely separate," Ammon added.
A phased approach
As noted, CDM is being developed in phases, with defined diagnostic capabilities in
each:
According to Ammon, the phases were developed less for a strategic roadmap and
more to meet congressional funding timelines.
"The phased approach really isn't CDM, it's fabricated by DHS to get through a
process to get them the tools they need, to get reporting from government agencies
and departments," said Ammon.
The 'two CDMs': a continuous diagnostics system and a contract vehicle
The complete CDM system may not be fully operational for some time. With Phase 2
entering the contract award period, and Phase 3 only on paper, the system as it stands
only has limited effectiveness.
Ammon argued that this was a necessary part of the process, as cybersecurity
vulnerabilities require as much action as fast as possible, rather than waiting until the
system is complete. "The last thing I would want to see is government to have a five
to seven-year program where all the thinking was done five to seven years ago," he
said. "In security, especially, you need to be adaptive."
But even so, CDM offers more than just the finished security system. Tied into the
system is a broad acquisition vehicle established by DHS along with the General
Services Administration.
This blanket purchase agreement, or BPA, allows not only federal agencies, but also
state, local and tribal government entities, to purchase tools that have contracts for the
CDM, without having to conduct a quotation and contract process of their own.
Ammon noted that many state governments are very excited about this option, and he
suggested even more would be if they better understood what was available to them
through the BPA. State governments, generally speaking, have far more modest
resources than the federal government, and often don't have the in-house talent to
evaluate and improve upon their cybersecurity environments.
"State and local government has taken a beating from a cybersecurity perspective
right now. They're one of the main targets for this ransomware," Ammon said. "So I
do think there's a big opportunity for awareness in that this capacity is something that
state and local governments can access, but I largely think they don't even know it's
here or understand how to approach it."
Ammon said he hoped that, even before CDM is completed, the contract vehicle would
take on a life of its own, allowing government bodies of all types to browse the CDM
"tool catalog" to improve their IT systems.
"From a state and local perspective, there is no Phase 1, 2 or 3. They just need help,"
he said.
For more:
- check out the CDM website
- learn about the BPA
Source URL: http://www.fiercegovernmentit.com/story/dhs-continuous-diagnosticsand-mitigation-system-nearing-completion-phase-2/2016-05-11