FCW : February 2015
The uncertain marriage of CDM and FedRAMP
BY SEAN LYNGAAS

Two vast risk management programs are gradually converging. How smoothly and quickly they can do so remains an open question.

The government has gone all in on Continuous Diagnostics and Mitigation (CDM), a wide-ranging and ambitious program to guard agency networks against cyber threats. Run by the Department of Homeland Security, the program addresses 15 types of continuous diagnostics and pairs a dedicated acquisition vehicle with expert guidance and even DHS dollars for agencies seeking to improve their monitoring.

The first phase, which focuses on endpoint device security, has drawn widespread interest, and managers who have implemented CDM have said the system of dashboards provides a revealing view of vulnerabilities — many of which had gone unnoticed under previous monitoring regimes.

A big question looms over the future of CDM, however: Can the program accommodate agencies’ increasing demand for cloud computing and the Federal Risk and Authorization Management Program (FedRAMP) that was designed to accelerate the shift to the cloud?

Why it matters

It is a truism that bears repeating: Cyber threats to federal networks are a clear and present danger. In recent months, cyberattacks have hit agencies ranging from the Office of Personnel Management to the State Department.

And although the structures and scopes differ greatly, CDM and FedRAMP share a broad goal: to use a standardized and repeatable security process to make damaging intrusions to federal networks significantly less likely. But absent a clear road map for coordinating the two initiatives, agencies risk adding compliance hoop-jumping and unnecessary complexity to their cloud security efforts when the goal is to streamline and focus on risk.

The fundamentals

At the core of CDM is a contract vehicle that currently involves blanket purchase agreements with 17 vendors for a wide range of equipment and consulting and other services that contribute to a holistic view of network vulnerabilities.

It provides agencies with a means to not only meet the continuous monitoring mandates that are part of the Federal Information Security Management Act, but to move beyond compliance-driven monitoring to the truly dynamic and risk-based approach demanded by a November 2013 Office of Management and Budget policy memo.

FedRAMP is based in the General Services Administration and steered by GSA, DHS and the Defense Department. The program mandates agencies’ adoption of common cloud security standards and seeks to streamline that process by reusing the costly assessments and authorizations of various cloud services. It, too, is mandatory for all agencies, thanks to OMB’s December 2011 directive, and it has continuous monitoring provisions of its own. But integration with CDM is not explicitly part of the framework.

“I think [continuous monitoring in FedRAMP is] solid. But it’s largely compliance-based. I’d like to make it more risk-based.”
— Matthew Goodrich, director, FedRAMP