My first years out of college were spent as a Unix administrator, during which time I learned many amusing acronyms, such as sed, NAWK, and PEBCAK. One of my favorites was Yacc, which stands for Yet Another Compiler Compiler. After many years now in IT Security I’ve created my own ‘YAC’: Yet Another Compliance. It seems there’s a new compliance mandate hiding around every corner, with most offering little in terms of new insights and existing merely to waste time and resources proving the same thing in a different way. But every now and then a promising new compliance program comes along that demands attention.
In part 1 of this 3-part blog I discussed how the Centrify Server Suite assists with compliance to NIST 800-53, and in my third blog I will map Centrify to The SANS Institute’s “Top 20 Critical Controls.” Here, however, I’ll be discussing the new kid on the federal compliance block: The Department of Homeland Security’s CDM program.
The DHS recently created the Continuous Diagnostics and Mitigation (CDM) program in order “to provide adequate, risk-based, and cost-effective cybersecurity and more efficiently allocate cybersecurity resources.” CDM is part of a new “dynamic approach to fortifying the cybersecurity of government networks and systems.” What does this really mean to federal IT Security personnel? The answer is a mix of old and new.
At its core, in terms of compliance checklists, CDM is a YAC with familiar controls: disable guest accounts, audit everything, scan for vulnerabilities, implement Role-Based Access Control (RBAC) with a least-privilege model, etc. What’s new about CDM? Mainly two aspects: funding, and the offering of commercial off-the-shelf (COTS) products.
In terms of funding, “DHS and GSA are structuring acquisition vehicles on behalf of CDM participants. The CDM Blanket Purchase Agreement (BPA) is open to any government entity, including the Federal Civilian Executive Branch (.gov), as well as state, local, tribal, and territorial departments and agencies.” This BPA will offer COTS products that fall within one or more of CDM’s 15 functional capabilities, which have been subdivided into three phases. “The first phase of CDM focuses on endpoint integrity: management of hardware and software assets, configuration management, and vulnerability management, which are foundational capabilities to protect systems and data. Phases 2 and 3 are being further defined to include Least Privilege and Infrastructure Integrity, and Boundary Protection and Event Management, respectively.” At the time of this writing only Phase 1 has been released for bid.
The bottom line is that federal agencies can purchase COTS products, using DHS funds, that address key functional requirements of CDM. Obviously the more requirements a solution meets the better, and the Centrify Server Suite specifically maps to many of them as shown in the table below:
| DHS CDM Functional Area | Centrify Server Suite Software |
|---|---|
| FA5: Manage Network Access Controls (NAC) | DirectControl and DirectAuthorize |
| FA8: Manage Credentials and Authentication (MCA) | DirectControl and DirectAuthorize |
| FA9: Manage Account Access (MAA) | DirectControl and DirectAuthorize |
| FA14: Manage Audit Information (AUD) | |
A previous sentence bears repeating: Federal agencies can purchase COTS products, using DHS funds, that address key functional requirements of CDM. Yes that’s correct: the Department of Homeland Security will purchase software for other agencies, in order to improve the overall security posture of the entire federal government. A network is only as strong as its weakest link, and we all know there are currently too many wimpy networks that need strengthening. Every agency must do its part, and Centrify will continue to do theirs.
It’s important to remember that when federal agencies purchase software solutions in order to become compliant, the software itself also needs to be compliant and certified. This is why Centrify is FIPS and Common Criteria certified, and has been fully STIG tested by DISA. Additionally, the US Navy has granted Centrify an Authority to Operate (ATO) certificate, and the US Army has given Centrify a Certificate of Networthiness. Centrify is the only vendor in the space with all of these certifications. For more details please visit www.centrify.com/federal.
In part 3 of this blog I will discuss security controls from The SANS Institute, and how the Centrify Server Suite maps to many of them.