Poor agency CDM performance requires three-pronged improvements
Government agencies are working toward the fourth phase of the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program. Despite considerable effort, current reporting suggests that most of these agencies are still considerably off pace to meet cybersecurity goals.
As they move through the phases of compliance, agencies may improve their overall performance by creating solutions across physical, virtual and cloud environments that focus on data protection in three key areas: key management, data-at-rest encryption, and network encryption.
GAO reporting shows lackluster cyber findings
In December of 2018, the Government Accountability Office (GAO) presented a report to Congress, based on evaluations by Inspectors General (IGs) of their agencies’ information security programs. The evaluations used performance metrics for five principle security functions: identify, protect, detect, respond, and recover.
Surprisingly, nearly three-quarters of agency IGs (17 out of 23) reported that their agencies were not effectively implementing these programs. What’s more, CIOs 17 of 23 agencies also reported that they could not meet all elements of the government’s cybersecrity cross-agency goal. (This goal was aimed at improving cybersecurity through ongoing awareness of information security, vulnerabilities, and threats; and implementing technologies and processes to reduce malware risk.)
These lackluster findings came in part via DHS’s new cybersecurity risk score plan, introduced last fall as part of the CDM program. Known as Agency-Wide Adaptive Risk Enumeration (AWARE), agencies can prioritize their cybersecurity vulnerability efforts with threat data and agency dashboard data related to the existence of known vulnerabilities and the FIPS 199 information system impact level (high, moderate or low).
CDM phases and the BOUND controls
The DHS CDM program is intended to assess and mitigate cybersecurity threats across U.S. federal civilian agencies. The program consists of four phases:
- What is on the network,
- Who is on the network,
- What is happening on the network, and
- How is data protected?
Phases 1 and 2 have been completed, and Phase 3, which builds upon the previous phases with requirements for network protection, is now underway. To manage this phase, agencies require a capability to reduce inappropriate access to data, networks and systems.
This capability includes boundary controls (referred to collectively as Boundary Protection and Event Management, or “BOUND”) such as firewalls to regulate network traffic flow. It also calls for encryption to create and enforce physical and logical boundaries across the network, and is categorized into three security capabilities:
- BOUND-F: filtering technology
- BOUND-E: encryption, and
- BOUND-P: physical access controls
These BOUND requirements lay out the most effective methods to protect sensitive data-at-rest and in-motion via encryption and key management.
Phase 3 (and by extension, Phase 4) also addresses what is happening on the network and details event management requirements, and operate, monitor and improve requirements.
Agencies that are working toward compliance in both Phases 3 and 4 must, therefore, find encryption and key management solutions that provide the same levels of security across enterprise and cloud environments. Overall, a strong compliance program must incorporate three critical components: key management, data-at-rest encryption, and network encryption.
Most cryptographic controls depend on the protection of a small number of highly valuable cryptographic keys (which are used to encrypt and decrypt data). If these keys are compromised, attackers can use the keys to bypass controls and gain access to the encrypted data.
Large volumes of encrypted data generate large volumes of cryptographic keys.
Per BOUND-E requirements, government agencies are charged with protecting and managing these cryptographic keys and associated policies for their data-at-rest encryption deployments across physical, virtual, and cloud environments. These requirements can be met by deploying a key management solution that centrally manages and secures cryptographic keys throughout their lifecycle.
In order to address CDM requirements, data-at-rest encryption deployments must provide granular encryption and role-based access controls for sensitive data stored in databases, applications, files, or storage containers across physical and virtual environments. An effective data-at-rest encryption solution will centralize and streamline security administration by unifying the administration of encryption policies and keys and offering logging and auditing capabilities to track access to encrypted data and keys.
Suitable data-at-rest encryption solutions should not only support NIST- recommended AES encryption algorithms. They must also work together with key management solutions, supporting an embedded or network-attached hardware root of trust.
Data is moving across the network at unprecedented rates. Whether data is moving between data centers, from headquarters to branch offices and disaster recovery sites, or to the cloud, organizations lose control of their data the moment it is sent from one location to another. CDM BOUND-E requires agencies to use cryptography to protect data in motion. Hardware-based data encryption is the most effective way to protect data in transit because it’s the only security solution that travels with the data—across an agency’s internal network, their service providers’ network or any other external network.
For departments and agencies working through the CDM phases, it’s clear that technical solutions will require cryptography for boundary protection, access control, and the key management that is required to allow the cryptographic solution to achieve the CDM goals and objectives.
As Phase 3 is concluded and Phase 4 proceeds, civilian agencies must focus on integrating effective data protection systems into the continuous monitoring framework created by CDM. The three aspects discussed here (key management, data-at-rest encryption and network encryption) will ensure a fully operational system, with continuous improvement of agencies’ overall information security postures.
Jodi Schatz is Chief Product Officer, SafeNet Assured Technologies. She can be reached at Jodi-schatz@safenetAT.com