
Documenting Continuous Diagnostics and Mitigation Capabilities

May 3, 2021

Documenting Continuous Diagnostics and Mitigation capability activities proves governance over security configurations.

As agencies work toward maturing their Continuous Diagnostics and Mitigation (CDM) programs, compliance documentation provides a way to assess and track progress. However, many agencies struggle because they have too many devices, users, and applications. As part of your compliance process, documenting CDM capability activities becomes mission-critical.

Start with hardware asset management (HWAM)

Even if you’ve already completed an asset inventory, you want to make sure that you have the most complete, updated version. However, this is often a struggle because moving to the cloud usually means keeping track of devices that use dynamic IP addresses. As part of this, you need to make sure.

Hardware asset management (HWAM) ensures that you know all the devices connected to your networks. Unmanaged devices are often vulnerable to attacks because no one manages their software, configuration settings, or security updates. Moreover, if you don’t have a plan for managing all devices, you can’t hold anyone accountable for them.

Ultimately, starting with an inventory is the first step to either removing unmanaged machines or making someone responsible for managing risky devices.

Establish a software asset management (SWAM) plan

You should have a hardware asset management inventory in place before you move on to the software asset management process. Every authorized device should run only the approved software necessary to fulfill the role it plays in your IT stack.

This is one of the problems that regularly occur with “Bring Your Own Device” policies and shadow IT. If your employees are bringing devices that you don’t control into your environment, they leave your networks open to unapproved applications. Additionally, if you fail to manage your own devices appropriately, your employees can add new software to those devices and place you at risk.

As part of your software asset management process, you want to make sure that you:

  • Balance automated and manual software installation
  • Decide whether to use a central console for installing software or use distributed locations
  • Choose whether a general device manager or subject matter expert will be responsible

Create a configuration settings management (CSM) process

The ultimate goal of creating your hardware and software inventories is to establish a configuration settings management process that prevents malicious actors from exploiting insecure configurations.

When you set up your configuration settings process, you want to make sure that you:

  • Assign ownership over setting configurations
  • Authorize settings
  • Set timeframes for maintenance

Generally, the configurations are listed in checklists, which can be either Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) or Center for Internet Security (CIS) Benchmarks.

As part of creating processes, you should set the desired state by analyzing system requirements for each device role across your IT stack. You set these baselines as standard requirements across the organization, then make sure that any changes or deviations are approved as part of your change management processes.

Once you decide on what you consider your “desired state,” you need to figure out your “actual state.” You can do this by reviewing the configurations of devices and software on your network, then comparing that to the authoritative configurations. Any difference between these indicates a potentially vulnerable asset.
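
The desired-state versus actual-state comparison described above, as an added example that is not part of the original article. It extends the comparison to the HWAM and SWAM checks from the earlier sections; the device records, role names, field names and setting keys are constructed for illustration and are not taken from a DISA STIG or CIS Benchmark.

```python
# Constructed "desired state": one baseline per device role (illustrative values).
BASELINES = {
    "web-server": {
        "approved_software": {"nginx", "openssh-server"},
        "settings": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no"},
    },
    "workstation": {
        "approved_software": {"firefox", "libreoffice"},
        "settings": {"screen_lock_minutes": 15},
    },
}
# Deviations already approved through change management: (device id, setting).
APPROVED_DEVIATIONS = {("ws-17", "screen_lock_minutes")}

# Constructed "actual state", as a collection tool might report it.
INVENTORY = [
    {"id": "web-01", "role": "web-server", "owner": "ops-team",
     "software": {"nginx", "openssh-server"},
     "settings": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "yes"}},
    {"id": "ws-17", "role": "workstation", "owner": "helpdesk",
     "software": {"firefox", "libreoffice", "bittorrent-client"},
     "settings": {"screen_lock_minutes": 60}},
    {"id": "10.0.4.23", "role": None, "owner": None, "software": set(), "settings": {}},
]

def assess(device, baselines=BASELINES, approved=APPROVED_DEVIATIONS):
    """Return a list of (capability, detail) findings for one device."""
    findings = []
    if not device.get("owner"):
        findings.append(("HWAM", "no accountable owner"))
    base = baselines.get(device.get("role"))
    if base is None:
        findings.append(("HWAM", "no role baseline; device is unmanaged"))
        return findings
    for pkg in sorted(device["software"] - base["approved_software"]):
        findings.append(("SWAM", f"unapproved software: {pkg}"))
    for key, want in sorted(base["settings"].items()):
        have = device["settings"].get(key)  # a missing setting counts as drift
        if have != want and (device["id"], key) not in approved:
            findings.append(("CSM", f"{key}: actual={have!r} desired={want!r}"))
    return findings

def report(inventory=INVENTORY):
    """Map device id -> findings, omitting devices that match their baseline."""
    results = {d["id"]: assess(d) for d in inventory}
    return {dev: found for dev, found in results.items() if found}

if __name__ == "__main__":
    for dev, found in report().items():
        for capability, detail in found:
            print(f"{dev}\t{capability}\t{detail}")
```

The approved-deviation set is what keeps the report aligned with change management: ws-17's longer screen lock is suppressed because it was approved, while its unapproved software is still flagged.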
