A common thread running through all federal agencies is the need to continuously validate and improve their security posture and prove their compliance year-round. Cyberattacks are more frequent and more sophisticated, and the attack surface is expanding as organizations extend their networks into cloud and mobile environments. As a result, federal managers recognize they must move away from point-in-time monitoring toward a continuous approach that identifies and fixes critical weaknesses in their cyber defenses as they occur.
Many government agencies run multiple tool sets from a variety of vendors that are not seamlessly integrated, which adds complexity to their environments, and integrating these technologies is difficult without the right approach. Continuous compliance does not have to be challenging, however. By integrating the right technologies, many of which agencies already own, it is possible to build a network that aligns with the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program and the Department of Defense's Comply to Connect (C2C) program.
Aligning with CDM
DHS brings multiple government frameworks and strategies together through the CDM program, which focuses not only on identifying risk but also on mitigating or responding to the most significant problems first.
The CDM Program is organized into four phases in the form of questions:
- PHASE 1: What is on the network?
- PHASE 2: Who is on the network?
- PHASE 3: What is happening on the network?
- PHASE 4: How is data protected?
Agencies need a continuous compliance framework that aligns with CDM and ensures end users have the access they need to meet mission requirements. Buying a separate security tool for each phase, however, greatly increases complexity.
To reduce complexity, agencies should focus on two steps that tie into the four CDM phases and relate directly to the DoD's Comply to Connect initiative:
- User, Network and Endpoint Validation: The questions are whether the user is authorized to access the network and whether the network and endpoint devices in use comply with the applicable configuration baselines, such as the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs).
- Endpoint Visibility and Remediation: This step uses visibility into the current state of the endpoint and attempts to remediate the endpoint if it is out of compliance. If repeated remediation actions fail, the endpoint must be quarantined. Real-time visibility of users, their activities and their endpoints is also essential to maintaining a continuous state of compliance: should a user or endpoint fall out of compliance, remediation actions take effect again.
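The two steps above describe one decision loop: validate the user, validate the endpoint against a configuration baseline, remediate what can be fixed automatically, and quarantine after repeated failures. The following is an added example of that loop, not code from the original article or from any WWT, NAC or STIG-scanning product. The control names, thresholds, posture fields and the authorized-user list are hypothetical and constructed for illustration; they are not real STIG identifiers.

```python
"""Posture check -> remediate -> quarantine decision loop.

Added illustration of the validation and remediation steps. All control
names, thresholds, user lists and posture fields are hypothetical and
constructed; nothing here is the configuration or API of a real NAC, STIG
scanner or endpoint product.
"""
from dataclasses import dataclass
from typing import Callable, Optional

Posture = dict  # attribute name -> value observed on the endpoint


@dataclass
class Control:
    name: str
    compliant: Callable[[Posture], bool]
    # Automatic fix; returns True if applied. None = needs a human (e.g. re-image).
    remediate: Optional[Callable[[Posture], bool]] = None


@dataclass
class Endpoint:
    host: str
    user: str
    posture: Posture
    state: str = "unknown"  # denied | admitted | quarantined


# Constructed remediation actions. Signature updates only work when the
# endpoint can reach the update server, so the example can show a fix that
# keeps failing and ends in quarantine.
def enable_firewall(p: Posture) -> bool:
    p["firewall_enabled"] = True
    return True


def update_signatures(p: Posture) -> bool:
    if not p.get("update_server_reachable", False):
        return False
    p["av_signature_age_days"] = 0
    return True


# Hypothetical controls, loosely in the spirit of STIG settings (not actual STIG IDs).
CONTROLS = [
    Control("host firewall enabled", lambda p: p.get("firewall_enabled") is True, enable_firewall),
    Control("AV signatures newer than 7 days", lambda p: p.get("av_signature_age_days", 999) <= 7, update_signatures),
    Control("disk encryption enabled", lambda p: p.get("disk_encrypted") is True),  # no automatic fix
]

AUTHORIZED_USERS = {"alice", "bob"}  # constructed; stands in for the identity-management lookup


def failing_controls(posture: Posture) -> list:
    return [c for c in CONTROLS if not c.compliant(posture)]


def evaluate(ep: Endpoint, max_attempts: int = 3) -> tuple:
    """Run one admission decision: who (the user), then what (endpoint posture).

    Returns (state, names of controls still failing). Call it again whenever
    posture changes; an admitted endpoint that drifts is remediated or quarantined.
    """
    if ep.user not in AUTHORIZED_USERS:
        ep.state = "denied"  # unauthorized user: posture is irrelevant
        return ep.state, [c.name for c in failing_controls(ep.posture)]

    failing = failing_controls(ep.posture)
    attempts = 0
    while failing and attempts < max_attempts:
        if any(c.remediate is None for c in failing):
            break  # nothing automatic can fix this; retrying is pointless
        for c in failing:
            c.remediate(ep.posture)  # result ignored; the re-check below is what counts
        attempts += 1
        failing = failing_controls(ep.posture)

    ep.state = "quarantined" if failing else "admitted"
    return ep.state, [c.name for c in failing]


if __name__ == "__main__":
    # Constructed sample: compliant except for a disabled firewall, which is auto-fixed.
    ep = Endpoint("wks-001", "alice", {"firewall_enabled": False, "av_signature_age_days": 2,
                                       "disk_encrypted": True, "update_server_reachable": True})
    print(evaluate(ep))  # ('admitted', [])

    # Stale signatures and no path to the update server: three failed attempts, then quarantine.
    ep2 = Endpoint("wks-002", "bob", {"firewall_enabled": True, "av_signature_age_days": 30,
                                      "disk_encrypted": True, "update_server_reachable": False})
    print(evaluate(ep2))  # ('quarantined', ['AV signatures newer than 7 days'])
```

The user check comes first and short-circuits, so an unauthorized user never triggers remediation on a device the agency may not own. Controls without an automatic fix skip the retry loop and go straight to quarantine rather than burning attempts on something only an operator can resolve.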
Building an integrated solution
To build an integrated solution for continuous compliance that is robust enough to allow for operational growth in an enterprise network, federal agencies should simplify their approach where possible. The following are focus areas to start:
- Network Admission Control: IT and security operations teams should be able to verify users and devices, and the level of access each should have, before network access is granted. Network access control tools should support industry-standard protocols so that the right connections are granted quickly. Government networks are very large, so a technology that can support hundreds of thousands of users connecting simultaneously is critical, and these mission systems must be available at all times.
- Systems Management: Another component is a modular endpoint security and management platform that can see and act on every managed device quickly, regardless of the size and complexity of the infrastructure. With full system access and the flexibility to take any action, such a platform can change endpoints at speed and scale. It should include Security Orchestration, Automation and Response (SOAR); if it does not, SOAR should be added as a separate capability.
- Endpoint Protection: Agencies should also use an integrated solution that extends beyond traditional antivirus (AV), providing next-generation AV protection, vulnerability scanning, configuration checks and reporting. These solutions should consume threat intelligence feeds, use machine learning and provide capabilities such as user-behavior analytics.
- Data Analysis & Visualization: Building a continuous compliance solution requires the ability to correlate and analyze large datasets, and to display the results concisely and accurately so that leadership and operators can make informed, timely decisions. Pairing this data with a security information and event management (SIEM) system can significantly reduce the time to detect an attack and enable automated responses through the management platform.
The Bottom Line
The bottom line is that CDM or Comply to Connect does not have to be challenging: agencies can integrate the right technologies and build a CDM/C2C-compliant network starting with the technologies they already have. Additional technologies can then be integrated to round out the security architecture. As technology changes rapidly and cyberattacks proliferate, agencies need an integrated continuous compliance approach that is robust enough to evolve over time and allow for operational growth in an enterprise network.
Tim Robinson is practice manager, public sector security, at IT and digital transformation service provider World Wide Technology.