OMB’s new identity management policy brings CDM more to the forefront

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

When the Office of Management and Budget released the final policy earlier this month updating many of the requirements for identity and access management, the continuous diagnostics and mitigation (CDM) program figured heavily.

Through CDM, agencies will shift their defenses from the system to end point or edge of the network. That’s where knowing who is trying to get on the network matters the most.

Kevin Cox, the program manager of the CDM program at the Homeland Security Department, said over the last few years, the initiative sought to help all agencies understand four basic things related to identity and access management:

  • Who are all the credentialed users on the network?
  • Who are all the privileged users on the network?
  • What level of training did those users have?
  • What data and systems did those users have access to?

“We were working to make sure agencies had those basic levels of understanding in those important areas. What we realized as we were doing the work with identity and access management, agencies had a need for broader support in identity and access management. They had a need for broader capabilities with lifecycle so as a user comes on what do they have access to as their job changes, what are those changes around their access and when they leave, are we sure they have been removed from the systems. So we are starting to broaden out our offerings to the agencies from a lifecycle standpoint,” Cox said after a speech at the CDM Summit sponsored by FCW in Washington, D.C. “We’ve also taken a look at the federal ICAM requirements to see where CDM can help support the agencies meeting those requirements. CDM will not be positioned to meet all of those requirements, but where appropriate we are working with the federal ICAM team as well as the agencies to help potentially bring CDM services to meet these requirements that agencies have needed to meet for a number of years.”

Kevin Cox is the continuous diagnostics and mitigation (CDM) program manager at DHS.

A big part of the next focus area of CDM is trying to bring solutions around the problem of data and system access control.

The identity access and credential management policy mentions CDM six times in the 13 page document, around things like aligning the federal ICAM architecture with the program or using the cybersecurity initiative to accelerate the procurement and deployment of ICAM tools and capabilities.

“Each agency shall define and maintain a single comprehensive ICAM policy, process and technology solution roadmap, consistent with agency authorities and operational mission needs,” the memo states. “These items should encompass the agency’s entire enterprise, align with the governmentwide federal identity, credential and access management (FICAM) architecture and CDM requirements, incorporate applicable federal policies, standards, playbooks and guidelines, and include roles and responsibilities for all users.”

Continued move to zero trust

It took more than a year to go from draft to final policy and during that time, with the emergence of concepts like zero trust, the integration of CDM and identity and access management became more important.

“The OMB memo reflects the agency’s recognition that the federal government, just as the private sector, is moving towards an increasingly perimeter-less IT environment,” said Sean Frazier, advisory chief information security officer for federal at Duo Security, which is now part of Cisco, in a release. “To meet this shift, the OMB correctly prescribes that a strong identity, credential and access management system makes up the heart of the zero-trust security methodology, and has further laid the foundation for agencies to accelerate adoption of this approach. The policy issuance, in keeping with the spirit of NIST 800-63-3, also highlights the necessity to adopt a risk-based approach to identity security much like other parts of the cybersecurity equation.”

Cox said he didn’t see too much new in the memo related to CDM and identity management, except for positioning the program more prominently in the ICAM space.

At the same time, it’s important to highlight CDM in the ICAM memo as DHS will be leading one of the new quality service management offices (QSMOs) around cybersecurity that includes digital identity and access management as well as mobile security services and a host of other capabilities as shared services.

Along with ICAM, Cox said CDM continues to evolve. It awarded a new contract for the governmentwide CDM dashboard to ECS Federal late last week, according to a report in FCW.

The new CDM dashboard contract focuses on three capabilities, including collecting data from agency dashboards and providing some initial risk scoring capabilities, Cox said at the conference.

Cox said it’s the third set of capabilities that are most exciting about the new dashboard and the ecosystem it will create.

“We will be focusing on the data integration layer where all this data is coming up from the sensors. We want to bring the most innovative, cutting edge tools to get the greatest value for the agencies from the data,” he said at the conference. “We are not going to be bringing in a single product, but looking at other products on the market that really will help with the presentation of the data so agencies can quickly see the value and the various relationships in the data.”

New shared services RFP coming

The third objective also includes capabilities to increase the role of automation around authorizations of systems and around incident reporting back to DHS, and integration with the National Cybersecurity Protection System, including the Einstein program, and the national cybersecurity assessments and technical services (NCATS) team that scans the federal boundaries.

“We want to bring all that data together so we are providing more value to the agencies to really understand what their environments look like,” Cox said.

Later this summer, Cox said DHS and GSA will be releasing a solicitation for the next-generation cybersecurity shared services for small and micro-agencies.

“Just like the other DEFEND orders, we want to make sure that we are not only supporting the small and micro agencies on asset management and identity and access management, but give them the availability to help with network security management and for the high value assets in these environments, make sure we can get the ability to protect them in these environments as well,” he said. “We also want to make sure we have full protections around that shared services environment. Right now we are in a moderate cloud. We are looking to take that up to a high baseline in the cloud, and make sure we have full security operations protections on that environment like continually monitoring and other features.”

So far, 20 small and micro agencies are using the CDM shared services environment where they have sensors in place to feed the governmentwide dashboard. Cox said 17 more agencies are coming on board in 2019, leaving 38 small and micro agencies left. He said DHS still is working to get memorandums of agreements and interconnection agreements in place.

DHS also has kicked off a series of pilots, including enhancing one agency’s security operations center and adding more visibility around advanced threats.

Another pilot is focused on high-value assets, using data loss prevention technologies.

And a third pilot is under consideration with an agency to apply advance threat capabilities down at host or end-point level.

“We are starting small, getting lessons learned from the tools we are deploying and processes we are deploying so we know how well we can expand them out to other HVAs or if we shift gears and go in a  different direction,” Cox said. “There are hundreds of HVAs across the federal government so what we are looking at in 2020 and beyond is which agencies, which HVA system owners are ready. Then getting some successes and then being able to broaden out from there. The other thing we are looking at is each of these HVA environment will be slightly different. Some will be legacy systems that might require larger architecture changes, micro-segmentation and we may even consider a zero trust environment so it really depends on the size of the work and what we prioritize to really start in on in 2020 and beyond.”

Copyright © 2019 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.