Save $400 on InfoSec Training at SANS New York City Summer 2018. Ends Tomorrow!

SANS Security Trend Line

Using the DHS Continuous Diagnostics and Mitigation Contract to Make Real Advances in Security

On 7 November in Washington DC, SANS held a Department of Homeland Security Continuous Diagnostics and Mitigation (DHS CDM) Award Workshop. If you are not familiar with DHS CDM, details can be found here but here is a quick summary:

The Department of Homeland Security (DHS)'s Continuous Diagnostics and Mitigation (CDM) Program has proposed three phases for consideration to be incorporated into future Information Security Continuous Monitoring (ISCM) phases. The first phase has been conceptually adopted as the ISCM Phase 1, and the DHS CDM Program is conducting further research to validate and define the subsequent two phases. The DHS CDM phases include:

phase 1 main goal: endpoint integrity, scope: local computing environment (devices), areas of focus: hardware and software asset management, configuration settings, known vulnerabilities, malware; phase 2 main goal: least privilege and infrastructure integrity, scope: local computing environment (peaople), network and infrastructure (devices), areas of focus: account and privelege management, configuration settings and ports/protocols/services for infrastructure devices; phase 3 main goal: boundary protection and event management, scope: local computing environment (events), network and infrastructure (events), enclave boundary (devices, events), areas of focus: audit and event detection/response, encryption, remote access, access control

CDN is a 5 year program budgeted at $1.2B. In September DHS awarded the first phase - but was immediately impacted by the government shutdown.

I've seen a lot of these large BPA/IDIQ contracts get announced to huge fanfare, only to end up as failures when little of the allocated funds were ever actually spent, and most of what was procured ended up as shelfware. Since the CDM program shares a lot of DNA with the Critical Security Controls, SANS believes that by helping the CDM program succeed the overall level of implementation of the Critical Security Controls at government agencies will increase - a good thing for cybersecurity.

So, the goal of the day was to give the 250 government attendees (with another 500 or so watching the Internet simulcast) the information they would need to choose the best products and services from the CDM contract.

I kicked the day off talking about focusing on securing government systems and data first, then demonstrating FISMA compliance - not the other way around.

Jane Lute of the Council on CyberSecurity led a panel discussion with Gene Dodaro, the Comptroller General and head of GAO; and John Streufert from DHS, the moving force behind the CDM effort.

We then had 4 vendor "shootout" panels for each of the major areas of Phase 1 of the CDM award:

  • Security Information/Event Management: IBM, McAfee, RSA
  • Vulnerability Assessment: Lumeta, McAfee, Qualys, Tenable, Tripwire (nCircle)
  • Endpoint Monitoring: ForeScout, IBM, Symantec, Trend Micro
  • Integrators: CSC, IBM, KCG, ManTech

Alan Paller then presented three examples of success in real organizations implementing the Critical Security Controls in general and the principles of Continuous Diagnostics and Monitoring in particular. I closed out the day with a "Call to Action" - making real reductions in vulnerabilities quickly as the most important first step in improving the level of security at Federal Government systems.

Full agenda here, and you will find a link where you can register to watch the archived webcast.

Post a Comment


* Indicates a required field.