Keeping agency data safe is one of the highest priorities for every federal IT pro. One particular concern is the secure transmission of data from an ever-expanding list of endpoints to the cloud.
The Continuous Diagnostics and Mitigation (CDM) Program, issued by the Department of Homeland Security (DHS), goes a long way toward helping agencies identify and prioritize risks and secure vulnerable endpoints. Yet, breaches continue.
How can a federal IT pro more effectively improve an agency’s endpoint and data security? The answer is multi-fold. First, incorporate the guidance provided by CDM into your cybersecurity strategy. Second, in addition to CDM, develop a data protection strategy for an Internet of Things (IoT) world.
Discovery through CDM
According to the Cybersecurity and Infrastructure Security Agency (CISA), the DHS sub-agency that released CDM, the program “provides … Federal Agencies with capabilities and tools to identify cybersecurity risks on an ongoing basis, prioritize these risks based on potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first.”
CDM takes federal IT pros through four phases of discovery:
- What is on the network? Here, federal IT pros discover devices, software, security configuration settings, and software vulnerabilities.
- Who is on the network? Here, the goal is to discover and manage account access and privileges; trust determination for users granted access; credentials and authentication; and security-related behavioral training.
- What is happening on the network? This phase discovers network and perimeter components; host and device components; data at rest and in transit; and user behavior and activities.
- How is data protected? The goal of this phase is to identify cybersecurity risks on an ongoing basis, prioritize these risks based upon potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first.
From a bigger-picture perspective, CDM helps agencies enhance network security through automation, namely automated control testing and progress tracking. CDM also helps agencies fulfill their Federal Information Security Management Act (FISMA) requirements.
Enhanced data protection
CDM is only one piece of the puzzle of enhancing endpoint security to ensure secure data transmission. Federal IT pros can dramatically improve security—and get more sound sleep—by implementing strategies that directly tackle the challenges of an IoT world once CDM is already in place.
There is a lot of information available about IoT-based environments and how best to secure that type of infrastructure. In fact, there is so much information it can be overwhelming. The best course of action is to stick to three basic concepts that will lay the groundwork for future improvements.
First, make sure security is built in from the start as opposed to making security an afterthought or an add-on. Specifically, security must be interwoven into the fabric of agency networks.
This starts with planning: Consider every possible breach scenario, identify potential threats before they occur, and have a plan ready detailing how the team will respond to emergencies. Part of this pre-emptive step should include the deployment of automated tools that scan for and alert staffers to threats as they occur. Round-the-clock monitoring of this kind, with real-time notifications, helps the team react more quickly to potential threats and mitigate damage more effectively.
Next, make sure to assess every application for potential security risks. There are a seemingly inordinate number of external applications that track and collect data. It requires particular vigilance to ensure these applications are safe before they’re connected, rather than finding vulnerabilities after the fact.
If the agency is building its own applications, build in security throughout the application development process. Federal IT pros can take this one step further by creating a list of approved applications and using monitoring tools to alert whenever an unauthorized application requests network access.
Finally, make sure to assess every device—in addition to every application—for potential security risks. In an IoT world there is a whole new realm of non-standard devices and tools trying to connect. Make sure every device meets security standards; do not allow untested or non-essential devices to connect. And, to be extra sure agency data is safe, set up a system to track devices by MAC and IP address, and monitor the ports and switches those devices use.
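The device-tracking system described above, as an added example that is not part of the original article or of any CDM tooling: it checks constructed switch link-up events against a constructed approved-device inventory keyed by MAC address, and raises an alert when an unknown MAC appears or when an approved device shows up with an unexpected IP or on an unexpected switch port. The log format and all addresses are hypothetical.

```python
"""Device allowlist check over constructed switch/DHCP-style log lines (added example)."""
import re
from dataclasses import dataclass

# Constructed approved-device inventory (hypothetical values): MAC -> expected IP, switch, port, role.
APPROVED_DEVICES = {
    "00:1a:2b:3c:4d:01": {"ip": "10.0.5.10", "switch": "sw-bldg1-01", "port": "Gi1/0/12", "role": "hvac-sensor"},
    "00:1a:2b:3c:4d:02": {"ip": "10.0.5.11", "switch": "sw-bldg1-01", "port": "Gi1/0/13", "role": "badge-reader"},
}

# Constructed log lines in a simple key=value shape (not any real product's format).
SAMPLE_LOGS = """\
2024-05-01T08:00:01Z event=link-up switch=sw-bldg1-01 port=Gi1/0/12 mac=00:1a:2b:3c:4d:01 ip=10.0.5.10
2024-05-01T08:00:05Z event=link-up switch=sw-bldg1-01 port=Gi1/0/13 mac=00:1a:2b:3c:4d:02 ip=10.0.5.99
2024-05-01T08:01:10Z event=link-up switch=sw-bldg1-02 port=Gi1/0/01 mac=00:1A:2B:3C:4D:01 ip=10.0.5.10
2024-05-01T08:02:00Z event=link-up switch=sw-bldg1-01 port=Gi1/0/20 mac=de:ad:be:ef:00:01 ip=10.0.5.50
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+event=link-up\s+switch=(?P<switch>\S+)\s+port=(?P<port>\S+)"
    r"\s+mac=(?P<mac>[0-9a-f:]{17})\s+ip=(?P<ip>\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Alert:
    severity: str
    mac: str
    reason: str


def check_device_events(log_text, approved=APPROVED_DEVICES):
    """Return one Alert per policy violation found in the log text; unparseable lines are skipped."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # do not let a malformed line stop the monitor
        mac = m["mac"].lower()  # normalise case so inventory lookups are consistent
        expected = approved.get(mac)
        if expected is None:
            alerts.append(Alert("high", mac, f"unapproved device on {m['switch']} {m['port']} with ip {m['ip']}"))
            continue
        if m["ip"] != expected["ip"]:
            alerts.append(Alert("medium", mac, f"{expected['role']} seen with ip {m['ip']}, expected {expected['ip']}"))
        if (m["switch"], m["port"]) != (expected["switch"], expected["port"]):
            alerts.append(Alert("medium", mac, f"{expected['role']} moved to {m['switch']} {m['port']}"))
    return alerts


if __name__ == "__main__":
    for alert in check_device_events(SAMPLE_LOGS):
        print(f"[{alert.severity}] {alert.mac}: {alert.reason}")
```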
Conclusion
Security is not getting any easier. That said, there are an increasing number of steps federal IT pros can take to enhance an agency’s security posture and better protect agency data. Follow CDM guidelines, prepare for a wave of IoT devices, and get a good night’s sleep.