Fortifying the Cybersecurity of Federal Agencies With the CDM Program
By Zane Pokorny on December 13, 2018
Any organizations and agencies that are required to comply with Continuous Diagnostics and Mitigation (CDM) standards and are looking to incorporate a threat intelligence solution into their existing security program can now rely on Recorded Future — we’ve just been approved to deliver critical cyber capabilities in support of the Department of Homeland Security’s CDM program.
What Is the CDM Program?
Government networks and systems control critical infrastructure and contain sensitive data on all sorts of topics — things like the personal information of citizens, healthcare data, energy grid controls, or sensitive intelligence represent just a few. But the bureaucracies that support many of these systems are better known for their stability and administrative capacities than their ability to quickly adapt to change. This presents a stiff challenge in the rapidly evolving world of cybersecurity.
Leaning into their regulatory strengths, the U.S. government — specifically, the Department of Homeland Security (DHS), in response to a directive from the Office of Management and Budget — has created the Continuous Diagnostics and Mitigation (CDM) program to fortify the cybersecurity of federal departments and agencies. The program consists of a series of cybersecurity standards alongside approved commercial tools that meet those standards — the idea is for the CDM program to provide agencies with the capabilities and tools to monitor vulnerabilities in and threats to their network in near real-time, helping them identify and prioritize risks. Overall, the program is meant “to support technical modernization as threats change,” according to the DHS’s website.
Aspects of the CDM Program
The standards defined in the CDM program consist of fifteen tool functional areas (TFAs), developed with guidance from the National Institute of Standards and Technology (NIST), that outline the major subsections of cybersecurity topics that agencies should have the technical capabilities to enforce.
For example, here are two tool functional areas, TFA 11 and TFA 15 (the full list can be found here):
- TFA 11 — Respond to Contingencies and Incidents: The goal of this function is to prevent any repeats of previous attacks and limit the impact of ongoing attacks. Tools that meet the standards for TFA 11 should be able to appropriately respond to and end ongoing attacks, and also identify ways to prevent recurring attacks, by auditing information, performing forensic analysis within a network, and so on, providing context and enriching internal data.
- TFA 15 — Manage Operation Security: The goal of this function is to prevent attackers from exploiting vulnerabilities through the use of functional and operational control limits. This also helps managers prioritize risk and decide whether or not to authorize systems operations. Tools meeting this standard should be able to provide the context that supports leadership decisions, such as by helping them understand prior failures in a system and by providing accurate and relevant risk assessments.
To meet these compliance standards, an agency installs sensors that perform an automated search for known cyber flaws, which then feed into a dashboard that produces customized reports alerting on the most critical risks. These prioritized alerts “enable agencies to efficiently allocate resources based on the severity of the risk.” The tracked results help the federal government get a broad overview and improve security postures across agency networks. The CDM program also approves certain “industry-leading, commercial off-the-shelf tools” that meet these TFA standards and, where possible, integrate well together.
CDM Technical Requirements and Recorded Future
The kind of automated alerting and reporting called for by CDM program standards is right in line with the threat intelligence that Recorded Future produces. Threat intelligence is an integral part of each step in a truly proactive security strategy. As such, Recorded Future is available on the CDM approved product list (APL) for the two tool functional areas mentioned previously:
- TFA 11 — Respond to Contingencies and Incidents: Recorded Future threat intelligence provides unique insights into the tactics, techniques, and procedures associated with threats. This valuable context is used to limit the impact of an existing attack through early discovery and targeted remediation. Threat intelligence is also used to develop and implement a threat prevention strategy based on known threats targeting agencies.
- TFA 15 — Manage Operation Security: Recorded Future helps agencies understand their exposure to risk based on their specific hardware and software solutions as well as their digital assets. With real-time access to vulnerabilities exploited in the wild, compromised credentials, and IP addresses, agencies can better understand where to focus resources to reduce risk and reduce unplanned downtime.
Integrations With CDM Solutions
In addition to addressing the TFAs above, Recorded Future integrates with several third-party solutions to provide more complete coverage. Examples include:
- SIEM: Integration with SIEM solutions provides valuable external threat data to find threats faster by correlating with internal network activity data. Rich context for alerts presented directly in the SIEM interface accelerates alert triage and incident response.
- Incident Response: Threat intelligence integrated into incident response systems in real time provides the necessary context to develop accurate and effective mitigation strategies.
Threat intelligence provides agencies with valuable external context and advance notice of targeted threats. This valuable intelligence drives a proactive security strategy and effective response to incidents. As part of the CDM program, Recorded Future helps government agencies meet specific requirements in CDM to respond to contingencies and incidents and manage operation security. The ability to integrate with security tools such as SIEM and incident response platforms extends the value of threat intelligence to multiple functional areas and teams within an agency’s security program.
To learn more about the ways Recorded Future can help governments protect critical infrastructure, systems, and data, check out our updated government solutions page or request a personalized demo today.