DHS's CDM Program Moves to the Next Phase: Protection
From Russian and Chinese hackers to WikiLeaks and North Korea, nefarious actors have long targeted federal systems, looking to steal sensitive national security information and disrupt government activities. But as agencies answered these threats, IT shops found they simply didn’t have the technical tools or sophistication to defend themselves.
In response, in 2013 the Department of Homeland Security (DHS) created a governmentwide program called Continuous Diagnostics and Mitigation (CDM). The program consists of four phases of activity designed to give network administrators real-time information about the state of their networks, to describe the relative risk of specific cybersecurity threats, and to make it possible for agencies to rapidly identify and mitigate vulnerabilities.
Each phase is designed to answer specific questions:
- Phase 1: What is on the network?
- Phase 2: Who is on the network?
- Phase 3: How is the network protected? What is happening on the network?
- Phase 4: What role exists for emerging tools and technologies?
Managing the rollout of the program requires DHS and other agencies to invest in technical infrastructure as well as personnel. Today, agencies are working to build and operate the controls associated with the first two phases while DHS prepares the guidance for the third phase, expected later this year.
Deny Unauthorized Network Access
While DHS has not released detailed documentation for any of the CDM Phase 3 technical functional areas, a March 2016 draft of the network access control requirements provides a glimpse of what lies ahead for agencies. This set of requirements, known as BOUND, is designed to reduce inappropriate access to networks, systems and data. It consists of three major factors: filtering technology (BOUND-F), encryption (BOUND-E) and physical access protection (BOUND-P).
BOUND-F provides government agencies with instructions on enacting firewalls and other gateways that sit at the boundaries between networks of differing security levels. The goals of this subsection are to deny unauthorized access without disrupting authorized users, to prevent malware and undesirable content from entering the trusted network, and to limit the transmission of sensitive information out of the trusted network. To do this, agencies would rely on packet filtering, proxies, content filtering, network access protection, email boundary protection, web boundary protection and data loss prevention.
Identify Configuration Errors to Enhance Cryptography
BOUND-E details how agencies should deploy cryptography to protect credentials, data at rest and data in motion from unauthorized access.
Cryptography is a powerful security control when properly implemented, but small configuration errors can create significant security vulnerabilities. The BOUND-E controls are designed to help agencies quickly identify misconfigurations in hardware and software to prevent agencies from inadvertently introducing these vulnerabilities. Agencies that plan to reach these goals will use technologies such as encryption, hashing, key management, certificate authorities and digital signatures.
The final section, BOUND-P, covers the monitoring and management of physical access controls. As DHS notes, most people associate physical security control with “guards, gates and guns,” but agencies often neglect the digital infrastructure associated with these controls. Guards, gates and guns are most effective when supported by systems that offer. These core physical access control systems often fall into disrepair and jeopardize agency security. BOUND-P is designed to ensure agencies can verify the confidentiality, integrity and availability of these physical access control systems.
Agency IT staff and government contractors should review the details of the draft BOUND requirements. In addition to providing a high-level overview of each area, the document offers considerable detail on design strategies for both BOUND-F and BOUND-E. Details on BOUND-P are forthcoming.