Compliance to the DHS CDM Program with Centrify

My first years out of college were spent as a Unix administrator, during which time I learned many amusing acronyms, such as sed, NAWK, and PEBCAK. One of my favorites was Yacc, which stands for Yet Another Compiler Compiler. After many years now in IT Security I’ve created my own ‘YAC’:  Yet Another Compliance. It seems there’s a new compliance mandate hiding around every corner, with most offering little in terms of new insights and existing merely to waste time and resources proving the same thing in a different way. But every now and then a promising new compliance program comes along that demands attention.

In part 1 of this 3-part blog I discussed how the Centrify Server Suite assists with compliance to NIST 800-53, and in my third blog I will map Centrify to The SANS Institute’s “Top 20 Critical Controls.” However, here I’ll be discussing the new kid on the federal compliance block: The Department of Homeland Security’s CDM program.

The DHS recently created the Continuous Diagnostics and Mitigation (CDM) program in order “to provide adequate, risk-based, and cost-effective cybersecurity and more efficiently allocate cybersecurity resources.” CDM is part of a new “dynamic approach to fortifying the cybersecurity of government networks and systems.” What does this really mean to federal IT Security personnel? The answer is a mix of old and new.

At its core, in terms of compliance checklists, CDM is a YAC with familiar controls:  Disable guest accounts, audit everything, scan for vulnerabilities, implement Role Based Access Controls (RBAC) with a least privileged model, etc. What’s new about CDM? Mainly two aspects: Funding, and the offering of commercial off-the-shelf (COTS) products.

In terms of funding, “DHS and GSA are structuring acquisition vehicles on behalf of CDM participants. The CDM Blanket Purchase Agreement (BPA) is open to any government entity, including the Federal Civilian Executive Branch (.gov), as well as state, local, tribal, and territorial departments and agencies.” This BPA will offer COTS products that fall within one or more of CDM’s 15 functional capabilities, which have been subdivided into three phases. “The first phase of CDM focuses on endpoint integrity: management of hardware and software assets, configuration management, and vulnerability management, which are foundational capabilities to protect systems and data. Phases 2 and 3 are being further defined to include Least Privilege and Infrastructure Integrity, and Boundary Protection and Event Management, respectively.” At the time of this writing only Phase 1 has been released for bid.

The bottom line is that federal agencies can purchase COTS products, using DHS funds, that address key functional requirements of CDM. Obviously the more requirements a solution meets the better, and the Centrify Server Suite specifically maps to many of them as shown in the table below:

DHS CDM Functional Area: FA5: Manage Network Access Controls (NAC)

  • Prevent unauthorized network connections/access; limit if not preventable; remove if established
  • Prevent attackers from exploiting internal and external network boundaries
  • Prevent attackers from pivoting to gain deeper network access

Centrify Server Suite Software: DirectControl and DirectAuthorize

  • Includes DirectManage, which is an integrated set of tools that centralize the discovery, management and user administration of UNIX, Linux and Mac systems through integration into Active Directory-based tools and processes

Centrify Server Suite Software: DirectSecure

  • Secures sensitive information by dynamically isolating and protecting cross-platform systems and enabling optional end-to-end encryption of data in motion
  • Leverages AD to seamlessly block untrusted systems from communicating with trusted systems

DHS CDM Functional Area: FA8: Manage Credentials and Authentication (MCA)

  • Prevent the binding of credentials to other than the rightful owner (person or device) by careful management of credentials
  • Prevent the use of credentials by other than the rightful owner (person or service) by careful management of credentials
  • Prevent the use of hijacked credentials to gain unauthorized control of resources, especially administrative rights
  • Ensure that account credentials are assigned to, and used by, authorized people
  • Covers credentials for both physical and logistical access
  • Rely on the results of the Manage Account Access (MAA) capability to ensure that only trusted people receive credentials

Centrify Server Suite Software: DirectControl and DirectAuthorize

  • Links all entitlements and actions to a single, definitive and centrally managed user identity in Active Directory
  • Supports smart card authentication for Mac & Linux workstations
  • Sets up an authenticated and encrypted connection between Active Directory and managed systems to protect the movement of authentication, policy and audit data
  • Restricts access methods and privileges based on job role
  • Enforces least-privilege rights management by limiting users to a specific set of commands

Centrify Server Suite Software: DirectAudit

  • Can audit systems for occurrences of prohibited commands and configuration changes

DHS CDM Functional Area: FA9: Manage Account Access (MAA)

  • Prevent access beyond what is needed to meet business mission
  • Limit account access to prevent attackers from gaining unauthorized access to sensitive data
  • Eliminate unneeded accounts to prevent attackers from gaining unauthorized access to sensitive data
  • Assign access to computing resources based, in part, on level of trustworthiness (as determined in Functional Area 6: TRU)

Centrify Server Suite Software: DirectControl and DirectAuthorize

  • Links all entitlements and actions to a single, definitive and centrally managed user identity in Active Directory
  • Restricts access methods and privileges based on job role
  • Enforces least-privilege rights management by limiting users to a specific set of commands

DHS CDM Functional Area: FA14: Manage Audit Information (AUD)

  • Prevent persistent attacks by using audit information to identify them and initiate an appropriate response
  • Mitigate weaknesses by using audit information to identify them and initiate an appropriate response
  • Address agency efforts to monitor employee behavior

Centrify Server Suite Software: DirectAudit

  • Captures complete session details: who accessed the system, what commands they entered, and the system output
  • Provides the unique ability to replay sessions to clearly establish the outcomes of user activity
  • Enables both real-time and historical monitoring of sessions, and features robust search and reporting capabilities

A previous sentence bears repeating: Federal agencies can purchase COTS products, using DHS funds, that address key functional requirements of CDM. Yes, that’s correct: the Department of Homeland Security will purchase software for other agencies, in order to improve the overall security posture of the entire federal government. A network is only as strong as its weakest link, and we all know there are currently too many wimpy networks that need strengthening. Every agency must do its part, and Centrify will continue to do theirs.

It’s important to remember that when federal agencies purchase software solutions in order to become compliant, the software itself also needs to be compliant and certified. This is why Centrify is FIPS and Common Criteria certified, and has been fully STIG tested by DISA. Additionally the US Navy has granted Centrify an Authority to Operate (ATO) certificate, and the US Army has given Centrify a certificate of Net Worthiness. Centrify is the only vendor in the space with all of these certifications. For more details please visit www.centrify.com/federal.

In part 3 of this blog I will discuss security controls from the SANS institute, and how the Centrify Server Suite maps to many of them.