CDM: Making US Federal Agencies More AWARE of Cyber Exposure

At a recent Tenable sponsored MeriTalk event, Kevin Cox, program manager for Continuous Diagnostics and Mitigation (CDM), provided a preview of coming attractions regarding the CDM federal dashboard. As of this writing, the CDM dashboard is in its initial production stage, with agency exchanges being set up to aggregate the data to be fed into the dashboard. At least five agencies are reportedly on track to have data uploaded to the CDM dashboard during the first quarter of 2018.

Agency-Wide Adaptive Risk Enumeration (AWARE): New scoring algorithm for cyber hygiene

Looking ahead, Cox announced that Release 5 of the CDM dashboard, due out in the spring, will introduce a new scoring algorithm that provides a single-number summary of each federal agency’s “cyber hygiene” status. This new algorithm, which will be known as Agency-Wide Adaptive Risk Enumeration (AWARE), is an evolving concept intended to drive CDM toward the goal of improving the way the government measures its cyber risk – that is, the degree to which known vulnerabilities continue to provide an unprotected attack surface for potential adversaries. AWARE will provide a raw risk score, which gives an agency, at a glance, a rough idea of its overall cyber risk. Cox stressed that it was only a starting point toward achieving and maintaining good basic cyber hygiene. Plans call for AWARE to continue to be refined in subsequent releases, increasingly taking mitigation and other relevant factors into account. This initial release represents an important step toward the overarching goal of sharpening the federal focus on performing basic cyber hygiene.

Sometimes referred to as the “blocking and tackling” of cybersecurity, basic cyber hygiene includes foundational tasks essential to securing any environment, such as making sure that software, applications and operating systems are promptly and regularly updated with their most recent versions. The first step in achieving this goal is to identify all devices on the network – physical, virtual and transient. Once identified, devices are then scanned to assess known vulnerabilities. The Department of Homeland Security has set the goal for every government agency to perform these scans at least every 72 hours.

Once a vulnerability is identified, remediation is prioritized by the agency. Patching operational systems is disruptive. Without a rigorous patch management program, however, greater delays and more serious disruptions may result from exploits of these vulnerabilities. The recent Equifax breach provides an example of the potentially devastating impact of delayed patching. That massive data exfiltration was made possible because Equifax had not patched a known vulnerability, Apache Struts CVE-2017-5638, even though that patch had been available for two months prior to the breach.

CDM AWARE and Cyber Exposure: The path to strategic decision-making

The CDM AWARE initiative is an important effort to measure cyber risk in a meaningful way, which will become increasingly difficult – and important – as modern assets, such as cloud infrastructure, mobile devices and OT and IoT devices, make their way into the network environment. Delivering meaningful risk measurement in the modern IT environment is a cornerstone of an emerging concept known as Cyber Exposure. Building on vulnerability management through assessment of network assets and activity, Cyber Exposure provides strategic insight with an objective way to measure and compare cyber risk across the components of an organization or, in the case of CDM, the agencies and departments of the U.S. federal government.

Cyber Exposure, like CDM, happens in distinct stages:

  • Perform live discovery and vulnerability assessment that encompasses all traditional and modern assets to provide the visibility needed to determine what assets are on the network and to what extent they are secure and exposed.
  • Once this information has been collected, map it to the organization’s mission to help determine what’s important, including the asset’s use and criticality.
  • Enrich using other data sources, including whether the vulnerability is currently being exploited.
  • Prioritize scarce resources and efforts to mitigate those vulnerabilities that most directly affect the mission.
  • Perhaps most importantly, leverage the Cyber Exposure data to drive strategic discussions and investment decisions based on quantifying risks in the context of the organization and its missions.

At a high level, Cyber Exposure is analogous to IT Service Management (ITSM). Just as ITSM provides a process for planning, delivering and operating IT services to better support customers, Cyber Exposure provides a discipline and process for managing and measuring cyber risk against the modern attack surface. Quantifying Cyber Exposure in operational terms helps drive more productive and actionable discussion with an organization’s senior leadership. In adopting the AWARE algorithm, the CDM program is making a meaningful security move that introduces the U.S. federal government to the use of Cyber Exposure data as a key risk metric to be considered in future strategic decision-making.

Want to learn more?

For more insight into Cyber Exposure, visit:

To learn more about how Tenable, and its flagship CDM platform, SecurityCenter Continuous View, can help your agency improve its security posture, visit:

*** This is a Security Bloggers Network syndicated blog from Tenable Blog authored by Chris Jensen. Read the original post at: