GCN : March 2015

INDUSTRY INSIGHT

CDM phase 2: how to avoid déjà vu all over again

By Patrick D. Howard

YOU DON’T GET many do-overs in life, but if you did – like Bill Murray in the movie Groundhog Day – what might you revisit? While I can’t promise a life-changing replay, here’s food for thought as it relates to the Homeland Security Department’s Continuous Diagnostics and Mitigation Program (CDM). The program, begun in 2013, was divided into three implementation phases, with the next, Phase 2, devoted to various identity and access management services. So, as we round the quarter rail with CDM, agencies may want to consider how Phase 1 unfolded and what they can do differently or better in preparing for Phase 2.

When we look back to 2013, there were valuable lessons learned as Phase 1 began with a requirements definition process. At the time, agencies were asked to assess their capabilities and identify deficiencies or gaps that the Department of Homeland Security could then help them fill through its CDM/Continuous Monitoring as a Service (CMaaS) blanket purchase agreement (BPA). But back then perhaps the concepts of CDM weren’t as clearly understood as they are now. Or maybe assessments weren’t conducted agencywide or weren’t performed by those with the right skillsets. In fact, a 2014 survey by the SANS Institute found that only 21 percent of government-focused IT professionals had conducted a formal foundational assessment before starting the program. Considering you can only improve security by knowing your baseline and where the holes are, this indicates that many groups may need to go back and conduct additional preparation work prior to starting Phase 2.

Soon it will be déjà vu all over again, requiring that the assessment process be repeated for Phase 2. This time, the assessment will be for a set of requirements that include management of network access controls, people granted access, security-related behavior, credentials and authentication.

To help agencies ensure their Phase 2 needs are thoroughly and accurately identified, here are four key recommendations:

Get the right people involved. The process of determining whether Phase 2 requirements are being met should include all those with a relevant perspective on agencywide business needs. Rather than being performed by just one person or limited to one component, it should involve IT operations, affected business units, security compliance, legal, human resources and privacy specialists.

Address the non-technical. When evaluating Phase 2 requirements, review your agency’s personnel and the skills they’ll need to deploy and operate CDM tools, along with any training that will be required. Personnel processes that need to change should also be reflected in the policies and procedures that support them.

Use what works. Look for pockets of excellence that can be leveraged, and identify gaps that can be closed in-house. For example, there may be an identity management solution that’s working well elsewhere within the agency that can be used enterprisewide, eliminating the need to procure a duplicate. By evaluating the tools or products it already owns, an agency may also uncover capabilities that simply aren’t being used. It may be just a matter of activating or licensing additional features or modules, without deploying an entirely new solution that would demand more funding or retraining.

Continue to evaluate gaps. Considering that change is a constant, other gaps may arise and their priority may shift. Just because the initial task of identifying Phase 2 gaps has been successful does not mean the work is done. Ongoing risk management means bringing a CDM strategy to life, not just dusting it off once a year for the Inspector General.

Performing a proper foundational assessment is not only the best way to avoid the déjà vu of previous mistakes, it’s also the essential first step for improving security through CDM.

While the CDM program offers great promise and benefits, there will be challenges along the way. But there’s no need to go it alone. Agencies without the necessary expertise or resources can rely on the CDM/CMaaS program for help. The BPA holders selected by DHS are experienced in assessing Phase 1 and Phase 2 requirements, recommending mitigation strategies and implementing capabilities.

— Patrick D. Howard is program manager for CDM and CMaaS for Kratos SecureInfo.