by clicking on the page. A slider will appear, allowing you to adjust your zoom level. Return to the original size by clicking on the page again.
the page around when zoomed in by dragging it.
the zoom using the slider on the top right.
by clicking on the zoomed-in page.
by entering text in the search field and click on "In This Issue" or "All Issues" to search the current issue or the archive of back issues respectively.
by clicking on thumbnails to select pages, and then press the print button.
this publication and page.
displays a table of sections with thumbnails and descriptions.
displays thumbnails of every page in the issue. Click on a page to jump.
allows you to browse through every available issue.
FCW : October 2014
originally the CAG guidelines,” said Matt Brown, a vice president at Knowledge Consulting Group. Greg Kushto, director of the security practice at Force 3, said CDM builds on CAG. “It’s the same core idea,” he said. “It just keeps getting fleshed out and strengthened.” CDM also draws on NIST’s SP 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Infor- mation Systems and Organizations,” which was published in 2011. The DHS official said CDM is a way to implement the NIST document’s objective to “maintain ongoing aware- ness of information security, vulnerabilities and threats to support organizational risk management decisions.” The official said CDM supports and builds on the approach outlined in SP 800-137 by enabling agencies to buy strategically sourced tools and services, deploy dash- boards to identify vulnerabilities and defects in near-real time, and apply risk scoring to prioritize mitigation of the most significant problems and thereby reduce the likeli- hood of a disruptive or damaging cybersecurity event. Ross said SP 800-137 describes a broader continuous monitoring process of which CDM is a subset. He said continuous monitoring, as defined in NIST’s document, includes monitoring activities that are not necessarily subject to automation — for example, maintaining and updating a contingency plan for dealing with the after- math of a cyberattack. Nevertheless, Ross called CDM a large and comprehen- sive program that plays a critically important role. CDM’s wide-angle focus sets it apart from previous continuous monitoring initiatives, which emphasized vulnerability scanning and point-in-time snapshots of IT assets, said Mark Orlando, director of cyber operations at Foreground Security, a security consulting, training and services company. CDM, on the other hand, goes beyond scanning to incor- porate additional elements of governance and technical assessment. “We are seeing a significant expansion of scope,” Orlando said. The initial phase of CDM implementation, for example, covers managing configuration settings and continuous monitoring’s traditional focus on vulnerability manage- ment. Phase 1 also splits hardware and software asset management into separate tasks. Rob Roy, federal chief technology officer in HP’s Enter- prise Security Products division, said CDM’s software ori- entation marks a departure from previous efforts. He noted that traditional continuous monitoring never examined the government’s myriad applications to find and close vulnerabilities. “For the first time...CDM has added software vulner- abilities to the list,” Roy said. Kushto said continuous monitoring has typically focused on devices and operating systems. A scan might identify a server running Windows Server 2008 and then determine whether the BIOS was good and whether the operating system and patches were up-to-date. CDM, however, pushes monitoring to the application layer as well. “It’s not just the base layer — it is really anything on that box,” Kushto said. Subsequent phases of CDM will further expand its scope. Phase 2 will include access control and authentication management, while Phase 3 will cover event management. CDM also adds the use of dashboards. OMB requires agencies to submit security data gleaned from their CDM scans to a DHS-maintained dashboard, and agencies are expected to create their own dashboards to help them analyze and respond to vulnerabilities. CDM also offers agencies blanket purchase agreements for buying continuous monitoring tools. The GSA-admin- istered CDM Program Tools and Continuous Monitoring as a Service (CMaaS) BPAs provide access to diagnostic sensors and dashboard technology from 17 companies. Rick Roach, a senior vice president at Digital Manage- ment Inc., said he believes CDM will boost the adoption of CMaaS. He added that the level of continuous moni- toring adoption varies from agency to agency, but DHS is out in front. “DHS is really the first dot-gov agency to lead the charge in CDM implementation, and this is laudable,” Roach said. “With so many endpoints at the DHS HQ and agencies, no one else has done anything on this scale before, and I’m sure we’ll all learn a lot from the DHS effort.” The hurdles Cost has been one inhibitor to continuous monitoring. But it should help that DHS is making funds available for technology adoption as part of the CDM program. “DHS...put money on the table on behalf of government organizations to help them deploy the necessary products and services,” Ammon said, and the extra dollars will help agencies offset their investments in security technologies. He added that DHS is managing about $200 million in appropriated funds to support CDM’s three-phase rollout and the dashboard project. Kushto said DHS funds will help, but they won’t cover a complete CDM deployment. “Congress hasn’t allocated enough money to do all of this for everybody,” he said. “Agencies will need to supplement that [funding] with their own equipment and expertise.” ■ ExecTe c h 32 October 2014 FCW.COM
September 30, 2014
November and December 2014