to the DHS. Last year, the department awarded contracts
to 17 prime technology and defense contractors to provide
CDM tools and services for incorporation into requests for
quote, or RFQ, solicitations that were released to the Continuous Monitoring as a Service (CMaaS) blanket purchase
agreement (BPA) holders.
First, agencies had to get a firm hold on the inventoried
assets. “In order to manage and improve anything, you have
to be able to measure it,” Ammon offers. “What we found as
a disturbing fact over the last 10 years is that if you were to
ask most organizations ... if they had a definitive inventory
of their [information technology] assets, the answer almost
universally was no. We couldn’t even report what systems
and IT infrastructure was in place, let alone try to measure
whether it was up to a level of security.
“The thought behind CDM first off was to grab hold of
this issue, this challenge of asset management, and try to put
a standard in place in which everyone could at least have
a degree of confidence in stating ‘here is my inventory of
[information technology] assets,’” Ammon concludes.
Now officials have embarked on phase two, dedicated
to assessing identity management—in other words, know-
ing who the users are, where they access the network and
what privileges they have. “Security ... as it relates to CDM,
The more privileges bestowed upon an employee, the
more inspection their credential requires, Christman says.
“We look at insider threat as a function of identity manage-
ment. We just look at privileged users and elevated access of
superusers as just a different kind of identity that needs to be
managed a little more closely with a little bit more scrutiny.
For the privileged user, in return for your unusual access,
you’re going to have to sacrifice a little bit of anonymity, sac-
rifice a little bit of autonomy.”
To operate in the age of computers, agencies began grant-
ing privileges and elevated privileges to their employees, often
failing to alter or revoke them when employees either left the
agency or moved on to other positions. Additionally, employ-
ees could maintain those privileges no matter what job they
performed, whether checking their email or reconfiguring a
server. “And that problem of having too many privileges on an
IS YOUR ENTERPRISE
The United States loses $100
billion annually as a result of
cyber crime, which targets over
500 million victims per year.
Every 10 minutes a known
malware is being downloaded
Every 30 minutes an unknown
malware is being downloaded
Find Zero-Day unknown vulner-
abilities and quickly assess the
security posture of your critical
infrastructure with Spirent security
solutions. Contact us today.
Protect your organization with
US Government & Defense
801 785 1448