
Published on FierceGovernmentIT (http://www.fiercegovernmentit.com)

DHS' Continuous Diagnostics and Mitigation system nearing completion of Phase 2
May 11, 2016 | By Eli Richman
The Department of Homeland Security is closing in on contract awards for the second
phase of its Continuous Diagnostics and Mitigation system. Since the department
launched Phase 2 last year, it has so far issued a request for quotation and taken
submissions, so contractors are expecting award announcements any day.
The Continuous Diagnostics and Mitigation program, or CDM, is an approach started
by DHS to increase agencies' network security through commercial off-the-shelf tools.
Phase 1 consisted of tools for asset and vulnerability management, while Phase 2 will
cover privileged access management and access controls. But even before all three
phases are completed, agencies can use CDM as a contract vehicle to purchase tools
that were contracted for the full system.
Privileged access
A large part of Phase 2 will comprise the introduction of "PIV cards," which
authenticate a user's identity. PIV cards and identity controls provided by Xceedium,
now owned by CA Technologies, are already in use by many government agencies,
who use the technology to provide authenticated access for both modern systems like
the cloud and legacy systems.
"By using our platform, [agencies] were able to bridge these smart cards, PIV and
CaC authentication methods, to next generation systems like cloud and virtualization,
as well as legacy systems like mainframes and classic work stations," explained Ken
Ammon, senior advisor at CA Technologies, formerly of Xceedium, in an interview
with FierceGovernmentIT.
CA Technologies won't necessarily be providing the PIV cards and identity controls
for CDM (the award has yet to be announced), but in any case, the existing solution
in government agencies is the best model for how it might look in CDM, Ammon
related.
Other important aspects of privileged access are behavior management and user
privileges. Ammon noted that many times when breaches occur, it's because a user has the
same system identity for low-security needs like email and high-security needs like
database management.
By giving users separate identities and giving those identities user privileges
specifically for what they need and nothing more, DHS will be able to get out in front
of attack vectors like phishing emails and malware infections.
An employee "should have two identities and roles within the organization. She
should have her work role where she's checking email, hitting a website on the
internet, doing her day-to-day activity and she should have a really separate,
well-thought-out process for logging in to do any sort of mid-system management,"
Ammon explained.
A benefit of the PIV card system, though, is that both roles can be accessed with the
single authentication token.
"Now, at the end of the day, you want her to only use that single token. You want it to
just be a single PIV card and identity. But you want the backend process and access
method to be completely separate," Ammon added.
A phased approach
As noted, CDM is being developed in phases, with defined diagnostic capabilities in
each:

- Phase 1, Endpoint Integrity: Hardware asset management, software asset management, configuration settings management and vulnerability management
- Phase 2, Least Privilege and Infrastructure Integrity: Access control management, security-related behavior management, credentials and authentication management, and privileges
- Phase 3, Boundary Protection and Event Management for Managing the Security Lifecycle: Plan for events, respond to events, generic audit/monitoring, document requirements and policies, quality management, risk management and boundary protection.

According to Ammon, the phases were developed less for a strategic roadmap and
more to meet congressional funding timelines.
"The phased approach really isn't CDM, it's fabricated by DHS to get through a
process to get them the tools they need, to get reporting from government agencies
and departments," said Ammon.
The 'two CDMs': a continuous diagnostics system and a contract vehicle
The complete CDM system may not be fully operational for some time. With Phase 2
entering the contract award period, and Phase 3 only on paper, the system as it stands
only has limited effectiveness.
Ammon argued that this was a necessary part of the process, as cybersecurity
vulnerabilities require as much action as fast as possible, rather than waiting until the
system is complete. "The last thing I would want to see is government to have a five
to seven-year program where all the thinking was done five to seven years ago," he
said. "In security, especially, you need to be adaptive."
But even so, CDM offers more than just the finished security system. Tied into the
system is a broad acquisition vehicle established by DHS along with the General
Services Administration.
This blanket purchase agreement, or BPA, allows not only federal agencies, but also
state, local and tribal government entities, to purchase tools that have contracts for the
CDM, without having to conduct a quotation and contract process of their own.
Ammon noted that many state governments are very excited about this option, and he
suggested even more would be if they better understood what was available to them
through the BPA. State governments, generally speaking, have far more modest
resources than the federal government, and often don't have the in-house talent to
evaluate and improve upon their cybersecurity environments.
"State and local government has taken a beating from a cybersecurity perspective
right now. They're one of the main targets for this ransomware," Ammon said. "So I
do think there's a big opportunity for awareness in that this capacity is something that
state and local governments can access, but I largely think they don't even know it's
here or understand how to approach it."
Ammon said he hoped that, even before CDM is completed, the contract vehicle would
take on a life of its own, allowing government bodies of all types to browse the CDM
"tool catalog" to improve their IT systems.

"From a state and local perspective, there is no Phase 1, 2 or 3. They just need help,"
he said.
For more:
- check out the CDM website
- learn about the BPA
Source URL: http://www.fiercegovernmentit.com/story/dhs-continuous-diagnosticsand-mitigation-system-nearing-completion-phase-2/2016-05-11
