Solving DHS Continuous Diagnostics and Mitigation (CDM) Phase 2

The Department of Homeland Security (DHS) established a $6B blanket purchase agreement (BPA) to improve the cyber defenses for federal, state, local, tribal and territorial governments. The DHS Continuous Diagnostics and Mitigation (CDM) program helps protect government IT networks from cyberthreats and enhances risk-based decision making by providing a consistent and proven set of solutions.

Centrify is the selected solution for CDM Phase 2 CRED that ensures all federal agency associates only have access to servers, applications or network resources based on their unique identity, role and responsibility within their organization. Centrify Server Suite offers a robust Active Directory bridge to consolidate identity silos, PIV authentication everywhere eliminating password authentication, separation of duties and super user privilege management to ensure individual accountability and provide granular access control, role-based access to reduce the attack surface and comprehensive session recording and auditing to greatly enhance monitoring and visibility. 

As part of the winning bid to the RFI for Phase 2, the proposed solution architecture includes three primary tool vendors to cover the Tool Functional Areas (TFA) 6-9. These vendors include SailPoint, Centrify and Radiant Logic. The following diagram provides the conceptual deployment architecture for the selected vendors.

corey-blog-1

Centrify was selected to manage and prevent the misuse of credentials and authentication across systems, servers and applications. Centrify Server Suite offers a robust Active Directory bridge to consolidate identity silos, super user privilege management to ensure individual accountability and provide granular control, role based access to reduce the attack surface and comprehensive session recording and auditing to greatly enhance monitoring and visibility. 

Centrify Server Suite addresses the primary CDM CRED requirements across a broad range of mission-critical systems, networks, devices and applications.

Active Directory for Full Span of Control

As a requirement of the Phase 2 CRED, the primary identity store for all Agencies is MS Active Directory with a full span of control encompassing accounts, networks, devices and applications.

Centrify Server Suite delivers comprehensive bridging of MacOS, Linux and UNIX systems with Active Directory. This reduces risk and streamlines operations by automating discovery of identity-related issues, eliminating redundant identity stores, and tying access controls and privileged accounts to a single, centrally managed Active Directory identity.

 PIV Authentication Everywhere

Centrify supports Homeland Security Presidential Directive 12 (HSPD-12) PIV card requirements enabling agency users’ primary credentials to be PIV-based for both system authentication (login) and authorization (privilege elevation) while preventing password-based authentication across windows, Macs, mobile devices and applications.

Privilege Elevation Management

Phase 2 CRED requires ability for a network account and credentials to be securely used and managed in dependent systems such that all authorized users only have the proper level of access necessary to perform their specific job duties. Centrify Server Suite makes it easy to implement a least-privilege model by allowing you to centrally create and consistently apply granular, role-based privileges across Windows, Linux and UNIX systems.

Separation of Duties

Centrify’s patented Zone technology ensures separation of duties while configured roles grant users exactly the right privileges and access to the right set of resources. Centrify’s tight integration with Active Directory aligns with SailPoint provisioning tools, making it simple to assign new users to a role, move users from one role to another, or disable access for users who leave.

Super User Privilege Management

Centrify eliminates the problem of too many users having too broad and unmanaged administrative power — enabling flexible, role-based assignment of privileges, enforcing granular controls not possible with native Operating System tools, and tying all privileged activity to an individual user based on their Active Directory identity and their PIV-based authentication.

Session Auditing and Recording

Mitigate insider threats and meet compliance requirements with full audit trails and session capture of privileged user activity on Windows, Linux and UNIX servers. Gain comprehensive visibility with unified access and activity reporting. Select or schedule packaged attestation reports or create your own.

The CDM Tools blanket purchase agreement (BPA) allows federal departments and agencies, state, local, regional, and tribal governments, as well as other authorized organizations to procure cyber tools, implementation services and support — without unplanned budgetary expense — that have undergone thorough technical capability reviews to ensure the products meet the functional areas of the CDM Program, and the standards required for government-wide implementation. 

Centrify’s Identity Platform addresses not only credential and authentication requirements of CDM but also additional access controls, comprehensive privileged access management, shared account password management, secure remote access and support for modern IT infrastructure including mobile, SaaS and IaaS.

 Learn more about Centrify and CDM here.