FCW : February 2015
Key challenges

The first hurdle in the marriage between FedRAMP and CDM is a fundamental one: The latter’s complex structure, which includes a phased model for agency rollouts and types of monitoring, makes wedding it to FedRAMP no easy task.

Officially, all agency cloud projects are now supposed to be FedRAMP-compliant (though there is no clear penalty for missing the June 2014 deadline). CDM is still barely into the second of its three phases. Attention shifted to key components such as access control, credentials and boundary protection — all integral to FedRAMP’s requirements — only last summer.

FedRAMP, meanwhile, also continues to evolve. A draft baseline for cloud computing systems that require security at FISMA’s high-impact level was released on Jan. 27, and better continuous monitoring is one of nine strategic goals in the two-year road map that FedRAMP Director Matthew Goodrich outlined at a Jan. 22 event sponsored by FCW.

The continuous monitoring that is currently part of FedRAMP is good, Goodrich said, adding, “I think it’s solid. But it’s largely compliance-based. I’d like to make it more risk-based.”

FedRAMP and CDM “already align programmatically and will continue to grow strategically in the same path to move continuous diagnostics and mitigation programs to the cloud,” a GSA spokesperson told FCW via email. “Privacy concerns prevent a complete marriage between the two, but [do] not impede progress.”

Just what are those privacy concerns? Goodrich said the union of FedRAMP and CDM means dealing with blurred lines between government and private-sector assets. “When you’re looking at rolling up reporting into a dashboard with government data, there are a lot of legal and policy and privacy implications for that for private-sector companies versus government assets,” he told FCW.

According to Nick Son, Coalfire Public Sector’s managing director for technology advisory and assessment services, “It’s really about the data input. We need to make sure that the monitoring information [FedRAMP requires] is formatted and standardized” so that it can flow into the CDM program.

There is also the small matter of scale. As Tom DeBiase, chief information security officer at DHS’ Immigration and Customs Enforcement, said in October, when his agency took inventory of endpoint devices for CDM’s first phase, “we had a lot more technology than we realized.”

Next steps

The extent to which the Continuous Diagnostics and Mitigation program can benefit from industry-provided cloud services depends on clearing up some ambiguities, vendors say.

Ken Durbin, manager of Symantec’s Continuous Monitoring and Cybersecurity Practice, said it might take time for industry and government to get on the same page when it comes to CDM and the cloud. “I have a concern that [the Department of Homeland Security and General Services Administration] may be assuming that vendors have products teed up, ready to go, to be delivered as a service,” he said in an interview. “They may or may not, depending on how ‘as a service’ is defined.” If DHS were to publish its vision of “as a service” for industry feedback, the two sides could come closer together, he added.

When it began, “the CDM program didn’t really come out with [the cloud] as part of its thought process,” said Ken Ammon, chief strategy officer at Xceedium. “They started that process before cloud and FedRAMP really had moved forward.” Ammon said that if a product is already deployed through the CDM contract vehicle, there is no way to price additional cloud-computing capacity into the contract. As a result, vendors have so far not “been able to bring their cloud security components to the [CDM] vehicle.”

“The biggest challenge that I’ve seen — considering that both [programs] are supposed to be advancing security — is that the buyers of FedRAMP-approved services still, I think, have a huge gap in their understanding of what their responsibilities are and will continue to be when implementing and utilizing those cloud services,” he added.

One of the next signals from government to industry on CDM and the cloud might come from the National Institute of Standards and Technology. It is developing a Cloud Risk Management Framework that will offer detailed guidance on the security risks posed by cloud computing. Although the guidance might not specifically mention CDM, its language covering the broader topic of “continuous monitoring” would apply to CDM, said Kelley Dempsey, a senior information security specialist at NIST.

The agency generally likes to keep its guidance broad rather than issuing technology-specific documents, but the multitude of applications for cloud computing prompted NIST to develop cloud-specific guidance, which will probably be released by the end of the summer, she said.

— Sean Lyngaas

28 February 2015 FCW.COM ExecTech
March 15, 2015