Phase 2 and 3 processes and practices are more critical than ever when addressing the 3 Challenges with Continuous Diagnostics and Mitigation
With the Continuous Diagnostics and Mitigation (CDM) program now in its ninth year, federal agencies now move towards their next iteration of compliance. Looking at CDM as a whole, Phase 2 and 3 processes and practices are more critical than ever. With the rapid move to telework in 2020, agencies need to ensure that they need to focus on who is on their network and what’s happening on their network. As agencies mature their security posture, they find themselves facing three challenges when complying with the Continuous Diagnostics and Mitigation strategies.
Challenge 1: Cloud Adoption
Moving to the cloud is more difficult for federal agencies than for commercial organizations. The sensitive data that agencies manage includes
- Constituent nonpublic information, like names, social security numbers, and birth dates
- Federal contract information (FCI)
- Controlled unclassified information (CUI)
- Classified information
Under both Cloud First and Cloud Smart mandates, agencies began migrating some operations to the cloud. However, the need to continue using rigid, legacy IT led to a piecemeal approach. Agencies adopted technologies that worked for where they were at the time, not always where they needed to be.
This diversified IT stack reduces visibility, making it more difficult for agencies to manage data security. Monitoring for who and what is on the network becomes challenging. It also makes tracking the route of access challenging. With so many applications and access points, maintaining security benchmarks drains resources.
Challenge 2: Identifying Hardware and Maintaining Secure Configurations
In August 2020, the US Government Accountability Office (GAO) reviewed agencies’ continuous monitoring activities by selecting three agencies that reported acquisition of the CDM tools. The report noted:
- None had effectively implemented all essential CDM program requirements.
- None had fully implemented requirements for managing hardware.
- Contractors installing tools failed to provide unique identifiers consistently.
- Agencies lacked consistency in comparing network configuration settings to federal benchmarks.
The agencies cited lack of resources as one of the reasons for these inconsistencies. Many agencies face the same problem. They find themselves confined by rigid technology debt and an inability to compete for cybersecurity staff adequately.
Challenge 3: Compliance
Finally, agencies struggle to maintain complete and accurate audit documentation across these distributed, disconnected, divergent IT stacks, . The problem for many agencies is the C for “continuous” in CDM. Instead of periodic, point-in-time audits, CDM requires organizations to evaluate their security.
Agencies need to respond whenever new risks, like common vulnerabilities and exploits (CVEs), arise. Installing security updates across the network and decentralized endpoints becomes a challenge. Moreover, documenting activities and low-level technical configuration updates only adds to the struggle. Often, agencies manage audit documentation manually, leaving room for human error and increasing cybersecurity risk.
SteelCloud: Automation That Ensures the “C” in CDM
SteelCloud’s patented ConfigOS automation enables agencies to scan complex environments and enforce low-level security configurations in under an hour. Our technology offers a secure storage location for all security configuration documentation so that agencies can streamline their audit processes and reduce human error risks.
Moreover, agencies can set up ConfigOS and train employees in one workday. Our easy-to-use interface empowers junior IT staff to manage, remediate, and update security control configurations. For agencies that find themselves unable to hire enough cybersecurity staff, SteelCloud provides a solution to the problem.