FCW : October 2015
GUEST COLUMN | SPONSORED REPORT | SYSTEMS DEVELOPMENT

DHS Moving on to CDM Phases 2 and 3
Agencies Incorporate Physical Access Metrics into Comprehensive Risk Management

Mark Steffler, Vice President, Federal Practice, Quantum Secure

“The Continuous Diagnostics and Mitigation (CDM) program is a dynamic approach to fortifying the cybersecurity of government networks and systems.” This scope statement, taken directly from the DHS CDM Web site, is a heavy lift for the government enterprise. DHS has wisely taken a crawl, walk, then run approach to rolling out CDM, so as not to overwhelm US government departments and agencies. This three-phase strategy provides incremental, tangible real-world progress toward a safer and more secure government enterprise.

Phase 1 of the CDM program focused solely on securing cyber infrastructure and information systems. Phase 2 expands the scope of CDM to include fine-grained privilege management for both logical and physical resources and drives government departments and agencies (D/As) to align with the Federal Identity, Credential and Access Management (FICAM) Roadmap and Implementation Guidance. In Phase 3, CDM will limit physical access risk by focusing on centralized management of the numerous disparate and proprietary physical access control systems (PACS) deployed across D/As.

This acknowledgement by DHS that cyber and physical resources must be controlled more holistically to reduce and manage risk embraces and mirrors similar guidance expressed four years earlier by the Federal CIO Council in the FICAM Roadmap and strongly reinforced in OMB Memorandum M-11-11.

PHASE 2 REQUIREMENTS

Despite an increasing focus on protecting personal information and national secrets in the digital world, it is critical to treat physical access controls with the same care as logical controls. There are still vulnerable and critical assets secured by locked doors that should be available only to privileged users.

While government IT managers and CIOs are familiar with identity and access management (IAM) and logical access controls, implementing Phase 2 and Phase 3 will require much greater cooperation between the CISOs in CIO offices and the CSOs tasked with facility (physical) security. DHS defines four functional tool areas in Phase 2:

TRUST: Access Control Management (trust in the people granted access)
BEHV: Security-Related Behavior Management (such as training qualifications)
CRED: Credentials and Authentication Management
PRIV: Privileges (individually managing the lifecycle of access privileges for each person)

Phase 2 focuses on least-privilege management, using attribute-based access control (ABAC) to limit access to only those resources necessary to accomplish one’s job. Achieving this goal requires integration with authoritative identity data sources, such as the databases that support PIV card issuance, training records, Active Directory, attribute exchanges and so on. This data is used to make policy-based decisions about privileged access.

The myriad proprietary PACS currently installed in government enterprises do not function this way. Ripping and replacing these PACS across the government enterprise so that they work like a cyber system would cost billions of dollars, take five or more years and be incredibly disruptive to security operations and the user experience.

SHORT PRIMER ON PACS AND AS-IS PROCESSES

Legacy PACS are based on a predetermined access list (white list). This list defines who has access to which door or portal, in order to support the expected throughput. PACS are pre-programmed through a collection of electromechanical end points. These end points must be provisioned in advance with the PIV card or other credentials and the specific access authorizations for each credential.

When a person presents a PIV card, the transaction to authenticate the PIV card at time of use and to see if that PIV card is authorized
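The contrast the column draws between a pre-provisioned PACS white list and the Phase 2 ABAC model is easier to see side by side. The example below is added here for illustration; it is not code from the column, from DHS or from Quantum Secure. It stands in constructed sample records for the authoritative sources the column names (PIV issuance database, training records, Active Directory), with hypothetical card serials, holder names and schemas, and evaluates the same card presentation two ways: once against a door white list loaded into the end point in advance, and once against a per-door attribute policy evaluated at the moment of use. The white list still admits a card that the issuance database has since revoked, and a holder whose training has lapsed, because nothing on the end point reflects those changes.

```python
from datetime import date

# Constructed sample records standing in for the authoritative sources the
# column names (PIV issuance database, training records, Active Directory).
# Serials, names and the schemas are hypothetical.
TODAY = date(2015, 10, 1)

PIV_ISSUANCE = {            # card serial -> (holder, card status)
    "PIV-1001": ("alice", "active"),
    "PIV-1002": ("bob", "revoked"),    # revoked after the door was provisioned
    "PIV-1003": ("carol", "active"),
}
TRAINING_EXPIRY = {         # holder -> date the required security training lapses
    "alice": date(2016, 3, 1),
    "bob": date(2016, 3, 1),
    "carol": date(2015, 6, 30),        # already lapsed on TODAY
}
DIRECTORY = {               # holder -> attributes from the enterprise directory
    "alice": {"org": "OCIO", "clearance": "secret"},
    "bob": {"org": "OCIO", "clearance": "secret"},
    "carol": {"org": "FACILITIES", "clearance": "none"},
}
CLEARANCE_RANK = {"none": 0, "confidential": 1, "secret": 2, "top-secret": 3}

# Legacy PACS: a white list of card serials provisioned into the door
# controller ahead of time. It carries no attributes and is not re-evaluated
# when the issuance database or the training records change.
DOOR_WHITELIST = {
    "server-room": {"PIV-1001", "PIV-1002", "PIV-1003"},
}

def legacy_pacs_decision(door, card_serial):
    """Answer the only question a pre-provisioned white list can answer:
    was this card serial loaded for this door?"""
    return card_serial in DOOR_WHITELIST.get(door, set())

# ABAC: a per-door policy evaluated against attributes pulled from the
# authoritative sources when the card is presented.
DOOR_POLICY = {
    "server-room": {"orgs": {"OCIO"}, "min_clearance": "secret"},
}

def gather_attributes(card_serial):
    """Join the identity sources into one attribute set for the card holder.
    Returns None if the card was never issued."""
    issued = PIV_ISSUANCE.get(card_serial)
    if issued is None:
        return None
    holder, status = issued
    attrs = {"holder": holder, "card_status": status,
             "training_expiry": TRAINING_EXPIRY.get(holder)}
    attrs.update(DIRECTORY.get(holder, {}))
    return attrs

def abac_decision(door, card_serial, today=TODAY):
    """Return (allowed, reason). Checks are ordered so the first failing
    attribute explains the denial; an unknown door denies by default."""
    policy = DOOR_POLICY.get(door)
    if policy is None:
        return False, "no policy for door"
    attrs = gather_attributes(card_serial)
    if attrs is None:
        return False, "card not in issuance database"
    if attrs["card_status"] != "active":
        return False, "card status is " + attrs["card_status"]
    expiry = attrs["training_expiry"]
    if expiry is None or expiry < today:
        return False, "required training lapsed"
    if attrs.get("org") not in policy["orgs"]:
        return False, "org not authorized for door"
    holder_rank = CLEARANCE_RANK.get(attrs.get("clearance", "none"), 0)
    if holder_rank < CLEARANCE_RANK[policy["min_clearance"]]:
        return False, "clearance below door minimum"
    return True, "all attributes satisfy policy"

def compare(door, card_serial):
    """Side-by-side result for one card presentation."""
    return {"legacy": legacy_pacs_decision(door, card_serial),
            "abac": abac_decision(door, card_serial)}

if __name__ == "__main__":
    for serial in PIV_ISSUANCE:
        print(serial, compare("server-room", serial))
```

Running it shows the legacy white list admitting all three cards while the attribute policy admits only the holder whose card is active, whose training is current and whose directory attributes meet the door's policy. The practical point for a Phase 2 integration is the `gather_attributes` step: every denial reason above comes from a source the door controller never sees, so an end point that is not re-provisioned after a revocation or a lapsed qualification keeps granting access.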