Phase 3 of the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program promises to be a significant departure from the first two phases.
Phase 1 and Phase 2 focused on raising the security baseline across the federal government. Agencies were required to report what is on their network (Phase 1) and who is on their network (Phase 2). While these are important steps in setting a baseline, they did not give agencies much flexibility in how they executed the requirements.
That all changes in Phase 3. This phase looks at the overall network – from on-premises to the cloud – with an eye towards discerning what is actually happening on that network. It gives federal agencies flexibility to make technology decisions that can have a lasting impact. With so much latitude in how to implement security improvements, agencies that simply look to check the compliance box will be missing a huge opportunity.
Compliance in CDM Phase 3 does not equal enhanced security. It is a baseline that, if met, will allow agencies to move forward with the next step of the program, but does not fully provide the level of security federal agencies ultimately need. So, as agencies look to fulfill the requirements set forth in Phase 3, there are key areas where they can invest to offer both the compliance and a significantly more advanced security posture.
Filling Capability Gaps
Phase 3 directs agencies to understand what is happening on their network. This, in itself, has been a difficult task in the past, not only for federal agencies but across all sectors. Nefarious actors pride themselves on finding areas of low visibility on networks and exploiting them to steal data. This has become even more prevalent with the advent of the cloud and the elimination of the traditional network “boundary.”
Agencies should use the Phase 3 baseline as just that: a baseline. The opportunity for agencies is to fill the gap between what is outlined in the program and what they can implement with current technologies to actually lock down the network, gaining more capability with less overhead than what is merely considered compliant under Phase 3.
First and foremost, agencies should consider disappearing network boundaries. Cloud computing has changed the boundaries federal technology leaders have become accustomed to. Historically, the boundary was the physical agency itself, or in some cases, a single remote office. Now the boundary extends to anywhere an employee can access data through a secure (or unsecure, for that matter) connection.
As a result, agencies now need to look at the boundary as being where the data resides, and need to consider enterprise-wide security solutions that protect the data layer. As data leaves an agency’s traditional boundary, it is essential to identify where it is travelling, while enabling advanced protections. This capability is important to:
- Control who can access data, even from unmanaged locations or devices
- Define what level of access a user has using digital rights management technology
- Monitor user access to data to identify anomalies, unusual or risky behaviors, or security compromise
- Revoke access to users as necessary, effectively digitally shredding a document
Agencies will also want to look into other security controls that can protect data in the cloud. Offerings like cloud access security brokers provide visibility into shadow IT, governance over data in cloud apps, and protection against threats targeting cloud accounts. Incorporating mobile security features, including secure endpoints, along with forward-looking capabilities like advanced threat protection and incident response features that can quickly mitigate risks before they materialize, should round out this enterprise security approach.
Benefiting from Phase 3
CDM has done a tremendous job moving agency security standards forward. Combined with IT modernization efforts, the federal government is taking major strides to improve overall cyber security within agencies, looking at the inherent flaws in current systems and creating a plan to fix them.
CDM Phase 3 should not just be seen as another list of compliance benchmarks to check off, but an opportunity to greatly improve the government’s cyber security posture. While the baselines themselves will not make agencies fully secure, forward-thinking agencies can use CDM Phase 3 as an opportunity to modernize, enhance and deliver systems that truly protect data, meeting and exceeding the expectations of the program.