The Homeland Security Department’s continuous diagnostics and mitigation (CDM) program had a quiet fall and winter, but seems to be ramping up for the spring.
DHS is ready for its second major buy of tools and sensors under the CDM program focused on managing people. At the same time, DHS also is getting industry feedback on the capabilities under phase 3 of the CDM program.
After spending about $60 million on a first set of tools under phase 1 of the initiative, DHS and the General Services Administration, which is acting as the procurement arm of the CDM program, are awaiting bids from the 17 contractors for phase 2 tools intended to monitor and manage people-based accounts and services.
DHS and GSA issued the request for quote in February and bids across the four functional areas are due March 30.
“These four capabilities will require the development and maintenance of a Master User Record (MUR) for every user deemed in-scope for CDM as well as the ability to manage attributes associated with a CDM Object,” stated the RFQ, obtained by Federal News Radio. “These four capability areas … are closely related to the Federal Identity Credential and Access Management (FICAM) program which provides architecture and implementation guidance to address Identity, Credential, and Access Management (ICAM) concerns. CDM facilitates gathering and reporting on metrics regarding critical security controls and objectives with the goal of identifying risks.”
DHS expects the winning vendors to install these tools and capabilities in 56 agencies that are required to receive them under CDM, and nine others that have the option over the 2-year contract. DHS and GSA said the tools should cost between $10.8 million and $11.6 million.
DHS, meanwhile, also issued the initial requirements for phase 3 tools around boundary and event management.
DHS stated in the March 4 draft requirements, obtained by Federal News Radio, that the goal of the tools is “to limit, prevent, and/or allow the removal of unauthorized network connections/access. Such access would allow attackers to cross internal and external network boundaries and then pivot to gain deeper network access and/or capture network resident data at rest or in transit. The Boundary Protection function … includes the use of devices such as firewalls that sit at a boundary and regulate the flow of network traffic. It also includes the use of encryption to protect traffic that must cross physical boundaries and addresses physical access systems that limit unauthorized user physical access to federal government facilities.”
DHS listed three boundary protection functions.
“Manage Network Filters and Boundary Controls (BOUND-F) network filters include devices such as firewalls and gateways that sit at the boundary between enclaves (such as a trusted internal network or subnet, and an external or internal, less-trusted network). The filters apply sets of rules and heuristics to regulate the flow of traffic between the trusted and less trusted sides,” the draft requirements stated.
DHS says “the goals of these boundary devices include limiting or denying access by unauthorized users while simultaneously allowing access by authorized users; preventing undesired software such as viruses and other malware from getting into the trusted network; preventing undesired content from getting into the trusted network; and preventing, limiting, or monitoring the exfiltration of sensitive data or applications from the trusted to the less trusted network.”
The second boundary protection function is BOUND-E, for encryption.
“BOUND-E is to provide to the agency indications of improper cryptographic behavior and/or of hardware/software misconfiguration,” DHS stated. “Cryptography must be properly implemented and configured in order to provide the desired level of protection. BOUND-E must collect policies from hardware device, software product and cryptographic implementation configuration settings, to ensure that the right implementations are being used and configured properly.”
The third is BOUND-P, for physical access control systems.
“CDM sensors will need to evaluate actual and desired states related to BOUND-P attributes on those BOUND-P capabilities employing cryptography,” DHS stated. “Specific BOUND-P requirements are not available at this time and will be defined in a future release.”
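The BOUND-E requirement above boils down to a sensor collecting cryptographic configuration settings and comparing them against a desired state. The following is an added illustration of that actual-versus-desired check, not DHS or CDM code; the policy values and the two device records are constructed for the example.

```python
# Added illustration, not DHS/CDM code: a minimal "desired state vs actual
# state" evaluator of the kind BOUND-E describes, run over constructed
# cryptographic configuration records.
from typing import Dict, List, Tuple

# Desired-state policy (constructed values, not a DHS baseline).
DESIRED = {
    "min_tls_version": "TLSv1.2",
    "forbidden_ciphers": {"RC4", "DES", "3DES", "NULL"},
    "min_rsa_bits": 2048,
    "fips_mode": True,
}

# Protocol versions in increasing strength, for "at least" comparisons.
TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def evaluate(device: str, actual: Dict) -> List[Tuple[str, str, str]]:
    """Compare one device's collected settings with the desired state.

    Returns (device, attribute, finding) tuples; an empty list means compliant.
    """
    findings = []
    if TLS_ORDER.index(actual["min_tls_version"]) < TLS_ORDER.index(DESIRED["min_tls_version"]):
        findings.append((device, "min_tls_version",
                         f"{actual['min_tls_version']} below {DESIRED['min_tls_version']}"))
    weak = sorted(set(actual["ciphers"]) & DESIRED["forbidden_ciphers"])
    if weak:
        findings.append((device, "ciphers", "forbidden cipher(s) enabled: " + ", ".join(weak)))
    if actual["rsa_bits"] < DESIRED["min_rsa_bits"]:
        findings.append((device, "rsa_bits", f"{actual['rsa_bits']} below {DESIRED['min_rsa_bits']}"))
    if DESIRED["fips_mode"] and not actual["fips_mode"]:
        findings.append((device, "fips_mode", "FIPS mode disabled"))
    return findings


# Constructed "actual state" records, as a sensor might collect them.
ACTUAL = {
    "edge-fw-1": {"min_tls_version": "TLSv1.2", "ciphers": ["AES256-GCM"], "rsa_bits": 3072, "fips_mode": True},
    "vpn-gw-2": {"min_tls_version": "TLSv1", "ciphers": ["AES128-CBC", "3DES"], "rsa_bits": 1024, "fips_mode": False},
}


def evaluate_all(actual: Dict[str, Dict] = ACTUAL) -> Dict[str, List]:
    """Run the check for every device; only non-compliant devices are listed."""
    report = {}
    for device, cfg in actual.items():
        findings = evaluate(device, cfg)
        if findings:
            report[device] = findings
    return report


if __name__ == "__main__":
    for device, findings in evaluate_all().items():
        for _, attr, msg in findings:
            print(f"{device}: {attr}: {msg}")
```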
Both of these documents — the RFQ and phase 3 requirements — continue the march toward better cybersecurity.
But what is missing from the documents DHS and GSA are providing is a sense of urgency about getting these tools, sensors and capabilities installed.
It’s not that DHS isn’t doing anything to help agencies protect their networks and data. But the CDM program is considered a major advancement, whereas other efforts have been like turning the tourniquet a bit tighter to slow down the flow of blood from a gaping wound.
Chief information officers and vendors alike believe CDM must do more in 2016 than just put out more requirements, RFQs and plans. It’s time to install tools, sensors and capabilities that raise the level of cybersecurity across all agencies.