FACE DOWN CYBERTHREATS WITH CDM INSIDE P2 CDM ROLLOUT PRESSURED BY INCREASING THREATS P3 WHAT S NEXT FOR CDM? P4 ALLIANT GWAC USED FOR SOME CDM NEEDS

Transcription

1 ONLINE REPORT SPONSORED BY: FACE DOWN CYBERTHREATS WITH CDM INSIDE P2 CDM ROLLOUT PRESSURED BY INCREASING THREATS P3 WHAT S NEXT FOR CDM? P4 ALLIANT GWAC USED FOR SOME CDM NEEDS P5 PHASE 3 REQUIREMENTS FINALLY EMERGE P6 SUPPORT, SIGNATURES AND POLICIES WILL MATTER

2 CDM ROLLOUT PRESSURED BY INCREASING THREATS Sophisticated attacks on several agencies accelerate urgency of CDM program. T he Department of Homeland Security s Continuous Diagnostics and Mitigation (CDM) program was first launched several years ago. This was a major factor in the push to strengthen the overall security of government IT. Events of the past year have only increased the pressure for a faster rollout. There were several sophisticated attacks on government agencies this year, but the most damaging was clearly the one suffered by the Office of Personnel Management (OPM). It was officially reported by the agency in June Analysts now suspect it may have been present in OPM networks for at least a year prior to that, however, and perhaps even longer. By the time all attack assessments were complete, more than 20 million federal employee records are thought to have been compromised. Attacks at the Internal Revenue Service and other agencies also recently exposed hundreds of thousands of records. Attacks on the Rise In a recent report on the progress of the Federal Information Security Modernization Act (FISMA), the Office of Management and Budget (OMB) states that despite unprecedented improvements in securing federal information resources in FY 2015, greater numbers of attackers still managed to get into government networks and systems. Agencies reported more than 77,000 incidents, representing a 10 percent increase over the previous year. The OPM attack was suspected to have been launched by a Chinese, state-sponsored hacking group using OPM employee access credentials obtained through a phishing exploit. Part of the CDM program is designed to combat precisely that type of attack, providing agencies with tools to improve access controls. The CDM program was originally expected to deliver those tools to agencies by the end of Given the nature and extent of the 2015 breaches, though, and the expectation that those types of attacks will only increase in number and severity, this may not be fast enough. In an April 7 letter to Shaun Donovan, director of the OMB, Sen. Tom Carper (D. Del), ranking member of the Senate Committee on Homeland Security and Governmental Affairs, says that while federal agencies are under a constant, yet evolving threat from cyberattackers, flaws in the federal acquisition process can limit the tools agency defenders can obtain to counter these threats. In terms of the CDM program, he says, agencies can partner with the Department of Homeland Security (DHS) to deploy cybersecurity tools and services while saving taxpayer dollars by leveraging government-wide buying power and buying in bulk. It s starting to deliver those tools and services directly to agencies. The slow pace of the CDM program rollout has been a concern of many people almost from the beginning. In an interview on a comprehensive 2014 report put out by the SANS Institute, John Pescatore, director of emerging security trends at SANS, points out that from the procurement side; it s harder than it should be for agencies to buy tools from the CDM program. The bottom line is that capabilities are badly needed by government agencies, he says, but (the program) is not moving quickly enough. DHS secretary Jeh Johnson, in his final state-ofthe-agency speech earlier this year, says the program has provided needed sensors to some 97 percent of the civilian agencies during In 2016, he says, the second phase of the program will focus on providing tools to manage access privileges and device configuration to 100 percent of the federal civilian government. 2

3 WHAT S NEXT FOR CDM? I f the Department of Homeland Security s Continuous Diagnostics and Mitigation (CDM) program is as broadly implemented across federal agencies as was originally intended, government agencies should have far more sophisticated cybersecurity defenses in place over the next couple of years. That is still not a guaranteed outcome, however. The tools and services that will form the technology bedrock could most likely be in place, or at least getting to that point, by the end of There s still a lot of work to be done after that, though, to integrate those tools with agency networks and systems and deliver the right kind of data. The $6 billion CDM program was set up to be implemented over a five-year period starting in 2013, in three distinct phases: Endpoint integrity: The scope of this is the local computing environment. It focuses on identifying and managing agency hardware and software assets, listing known vulnerabilities and malware, and managing device configuration. Least privilege and infrastructure integrity: This is focused more on the people involved, managing their account and network privileges, and the configuration of network infrastructure devices and services. Boundary protection and event management: This encompasses such functions as event detection and response, encryption, remote access management and access control. It s aimed at ensuring security is built into networks, instead of being added on later as an after-thought. The tool delivery aspect of the first phase is more or less complete. Department of Homeland Security (DHS) secretary Jeh Johnson says the sensors needed for that phase had reached nearly all of the civilian agencies who had signed on to the CDM program by the end of The second phase, initially expected to be done in 2017, will get tools and services to 100 percent of agencies in 2016, he says, though bids covering the four functional areas of Phase 2 were only just due on March 30. In the meantime, the Defense Department is actually implementing its own CDM program. Awards for the eleven task areas needed to support agencies in installing, operating and managing the tools, and getting data from them to CDM user dashboards, are also in progress. There are several already made. Phase 3 requirements are still being ironed out. It covers seven of the program s overall 15 functional capabilities: Plan for Events Respond to Events Generic Audit/Monitoring Document Requirements, Policy, and so on Quality Management Risk Management Boundary Protection (Network, Physical, Virtual) In March 2016, the DHS issued initial draft requirements for boundary protection, listing Manage Network Filters and Boundary Controls (BOUND-F), Encryption (BOUND-E) and Physical Access Control Systems (BOUND-P) as the three boundary protections functions to be covered. Under the CDM program goals, all three phases need to be implemented in order to provide the kind of pervasive security envisioned by the Obama Administration and Congress. Not only would each agency be covered, but agencies would be able to share information about incidents, and coordinate with each other over a standardized security infrastructure. The first two phases aren t really meant to improve agencies security posture by themselves, says Ken Ammon, a senior advisor with CA Technologies. They re intended to improve agencies visibility into their networks and systems. It will also help them come up with plans that would improve security. However, he says, simply by virtue of what phases one and two bring (in terms of discovery of assets and vulnerabilities) that means agencies will have a significantly better security posture just by putting that better reporting in place. 3

4 ALLIANT GWAC USED FOR SOME CDM NEEDS T he Department of Homeland Security (DHS) took a different route with the last group of agencies covered under the second contract task order. It opted for a shared services strategy, instead of the direct order approach using the GSA BPA as it did with the previous five groups. GSA s Alliant government-wide acquisition contract (GWAC) will cover task order 2F, released in December This is a 10-year contract with a $50 billion ceiling awarded in May 2009 to replace several of GSA s expired GWACs. It supports a variety of IT services programs, and has proven particularly attractive to agencies looking for new and emerging technologies. Groups A through E cover either single large agencies or a number of mid-size agencies. Group F pools 42 of the remaining smaller agencies. This includes organizations such as the American Battle Monuments Commission, the Federal Trade Commission and the U.S. International Trade Commission. The needs of these agencies to comply with CDM program requirements vary widely. Many of them have little infrastructure in place and few IT resources. These agencies will be able to choose from any of the 80 or so vendors who hold Alliant contracts to fulfill their CDM needs. The other five groups awarded individual task order contracts under the GSA BPA to Knowledge Consulting Group, Booz Allen Hamilton (which was awarded two of the task order contracts), HP Enterprise Services and Northrop Grumman. In another departure from the norm, the agencies in Group F will be able to cover needs for both Phases 1 and 2 as a way of making up lost time in issuing the task order. Other groups of agencies will buy only tools and services to meet requirements for Phase 1 of the CDM program. The Alliant contractor shall design, build and operate a CMaaS (continuous monitoring as a service) solution for the agencies in Group F, states the task order RFP. The solution will include all necessary tools, sensors and integration support services. Secure shared services will be the platform for delivering these. That shared services solution must recognize and incorporate the IT governance models at participating agencies [that] may or may not have a centralized acquisition model, the RFP says. Small agencies may also leverage shared acquisition offices for cost savings purposes or utilize a centralizedlike model without having the benefit of an official acquisitions office. The GSA s Federal Systems Integration and Management Center expects this CDM shared service platform to yield significant benefits. The task order also says all tools and sensors have to be bought off the BPA contract, and provided for the 2F task order with no markup or fee beyond the purchase price. The GSA s Federal Systems Integration and Management Center (FEDSIM), which issued the task order, expects this CDM shared service platform to yield significant benefits for those Group F agencies. Those benefits will include cost savings, reduced impacts to infrastructure and reliable service levels, along with the intended security improvements. There had been earlier speculation that if the Group F task order were to use shared services, any viable solution to use that kind of a platform may also be used by vendors to deliver Phase 2 capabilities to Group A through E agencies. However, FEDSIM executives have shot that down. This is really about the unique requirements [for Group F] and how we are going to deliver something for that, says Chris Hamm, FEDSIM director, at a 2015 Federal Computer Week CDM conference. I don t see future activity moving outside of that. 4

5 PHASE 3 REQUIREMENTS FINALLY EMERGE W hile the entire Continuous Diagnostics and Mitigation (CDM) program is aimed at boosting the security of government agency IT, the contract itself can be separated into two primary areas of operational significance. Phase 1 and 2 provide the tools and services agencies will need to manage their hardware and software assets. Phase 3 is where this baseline capability data will help with security improvements. Managing network access controls will be a major part of those improvements. A first look at that came in March 2016 with the publication of detailed functional requirements for what the Department of Homeland Security (DHS) calls N-BOUND tools. These are sensors and other tools needed to monitor and manage both physical and logical access to department and agency networks and data. The draft addresses three requirements: BOUND-F: To monitor and manage network filters and boundary controls BOUND-E: To monitor and manage encryption (more generally defined, according to the document, as cryptography mechanism controls) BOUND-P: To monitor and manage physical access controls These boundary protection functions all have cross capability functions both within the BOUND application and other CDM tools. For example, BOUND-F tools employ encryption using data gathered by CDM sensors to describe attributes used for BOUND-E policies. BOUND-F network filters include firewalls and gateways that sit between various regions a network, such as a trusted internal network and a less trusted external network. The goals of these boundary devices include limiting or denying access by unauthorized users while simultaneously allowing access by authorized users; preventing undesired software such as viruses and other malware from getting into the trusted network; preventing undesired content from getting into the trusted network; and preventing, limiting, or monitoring the exfiltration of sensitive data or applications from the trusted to the less trusted network. BOUND-E is aimed at providing greater visibility into the risks associated with various cryptographic devices and mechanisms used on an organization s network. Failures at this level are behind many of the recent security breaches at government agencies. The BOUND-E function is divided into a cryptography category, which covers encryption techniques as well as monitoring and managing cryptographic keys and certificate authorities. The draft document also briefly examines requirements for BOUND-P, basically those needed to collect and verify all authentication and access control lists used to get authorized people through doors and gateways. DHS says more details on BOUND-P will come later. The document also mentions what it calls special considerations required for Internet-based connections to government-mandated security programs such as EINSTEIN. The EINSTEIN program provides integrated intrusion detection and prevention for agencies and Trusted Internet Connection (TIC), through which agencies can optimize external connection security. The latter two are important elements since the intent is for government to complement and eventually integrate CDM with these types of capabilities. While that would also stop many of the more common types of attacks hitting agency networks, the N-BOUND tools are aimed directly at the sort of advanced persistent threat (APT) attacks recently used against the Office of Personnel Management OPM and other agencies. These are expected to pose the greatest danger. The purpose of this section of the CMD program is to manage network access controls, the document says. The intent is to limit unauthorized access that would allow attackers to cross internal and external network boundaries and then pivot to gain deeper network access and/or capture network resident data at rest or in transit. 5

6 SUPPORT, SIGNATURES AND POLICIES WILL MATTER A s the Department of Homeland Security s Continuous Diagnostics and Mitigation (CDM) program continues to roll out, certain factors that aren t perhaps directly associated with the program could still have a big impact on how well it s taken up, and how effective it eventually becomes. Those include executive support, attack signatures, and policy revisions. Executive support: After the 2015 revelation of the systems breach at the Office of Personnel Management (OPM) and the potential compromise of millions of government employee records, the Obama Administration launched a 30-day Cybersecurity Sprint. This was intended to force federal agencies to take actions to immediately boost security. These actions include patching critical vulnerabilities and tightening up on authentication and privileged access practices. It seemed to work. In one dramatic measure, the number of known critical vulnerabilities in federal systems dropped from 363 to just three just a few months. A big reason for that was public support from a number of senior executives, says Ken Ammon, a senior advisor with CA Technologies. Not every agency shared the same commitment to the Cybersprint, he says, but those that did had that kind of support. Problems that before would have taken months to solve ended up being dealt with in hours, says Ammon. As Stage 2 of CDM rolls out, those organizations that want to be successful with it will find they ll have to have that same level of executive backing. Beyond signatures: One major problem looming for the CDM program, that has also afflicted the DHS EINSTEIN intrusion detection/prevention program, is the available incident and intrusion detection tools have only used known attack signatures. That s useless against more stealthy attacks, such as Advanced Persistent Threats. The DHS is moving to resolve that by putting socalled reputation-based tools onto these programs. DHS said in February it is piloting reputation scoring. This will prioritize threats by their likely severity, as a part of EINSTEIN. It will also be able to identify potential new threats. That kind of capability will also be added to the tools available under the CDM program, which will eventually be integrated with EINSTEIN. The agency and federal dashboards that will be installed as part of the CDM program will also provide data that can be used for reputation scoring and emerging threat detection. Circular A-130: The Office of Management and Budget (OMB) has proposed a revision to the federal government s Circular A-130. This is the central governing document for policies affecting federal information resource management. The revision is meant to reflect changes prompted by IT that evolve faster than the last A-130 revision in One central motivation of the revision is the federal workforce managing IT must have the flexibility to address known and emerging threats while implementing continuous improvements, according to the OMB. Revision proposals include the need to implement a risk management framework to guide and inform the categorization of Federal information and information systems; the selection, implementation, and assessment of security and privacy controls; the authorization of information systems and common controls; and the continuous monitoring of information systems and environments of operation. Other parts of the OMB s suggested revisions, which also fit the goals of the CDM program, stress the need to focus on risk management as a central plank of government IT security. The larger goal of current government IT security improvements is to replace the bolted-on approach of the past with a more expansive and dynamic risk-oriented approach. This is also something the CDM program is intended to address. 6