The explosive use of mobile technologies by citizens and an increasingly mobile Federal workforce is driving the need for greater visibility and security in mobile environments. As a result, the government is looking to continuous diagnostic and mitigation solutions working in conjunction with mobile device management (MDM) solutions to give agencies better awareness into mobile application and devices.
The Department of Homeland Security’s program for Continuous Diagnostics and Mitigation (CDM) is constantly evolving to meet the cybersecurity needs of Federal agencies. As the CDM program moves to the next stage–Phase 3, which is called DEFEND and focuses on what is happening on an agency’s network and how it is protected–agencies will address emerging mobile security needs through DEFEND Request for Service task orders.
The CDM Program Office envisions that awardees will first ensure their MDM solutions meet or exceed CDM-compliant security benchmarks, according to Chris Jensen, Federal Business Development and Capture Manager with Tenable Networks, a provider of cybersecurity solutions to enterprises and government agencies.
“Once that is accomplished, DHS, through the CDM DEFEND Request for Service (RFS) process, will partner to integrate Federal agency mobile security solutions into the overall CDM scheme. The MDM data will eventually flow up to the CDM Agency Dashboard, providing a more complete picture of the agency’s security posture by including the ever-growing number of mobile devices,” Jensen recently wrote in a blog.
Mobile device management has evolved as people use laptops and smartphones to work, and their need to access information at any time, any place. Initially, MDM solutions focused mainly on devices rather than applications. MDM solutions are now evolving into enterprise mobility management (EMM), which consists of suites of policy and configuration management tools that perform core functions such as hardware and application inventory, operating system configuration management, mobile application deployment, updating, and removal, to name a few.
CDM tools keep agency information technology and cyber teams aware of network changes by giving them a view of what is on their network, who is on their network, and what is happening on their network. Agency-installed sensors are deployed and perform an ongoing, automated search for known cyber flaws. “Results from the sensors feed into an agency dashboard that produces customized reports that alert network managers to their most critical cyber risks. Summary information feeds into a Federal enterprise-level dashboard to inform and provide situational awareness into cybersecurity risk posture across the Federal government,” according to the DHS.
Mobile security is complicated because agencies handle their mobile environments differently. “Some agencies standardize on a single platform, while others offer different handset and connection options to meet the needs of their various component sub-agencies,” Tenable’s Jensen noted.
Jim Quinn, senior advisor to CDM who was previously the program’s lead engineer, outlined the challenges, at a recent ATARC event.
“Are they doing it as BYOD [bring your own device], are they doing it as COPE [corporate-owned, personally-enabled], are they doing it as government-controlled? Each one of those has a different security posture,” Quinn said. Plus, different connection paths back to the agency present different threat paths, he noted.
Will CDM impact the effectiveness of mobile security?
The overarching goal of the DHS CDM Program Office is to overcome security challenges of the Federal enterprise. Adding visibility to the hardware, software, configuration, and vulnerabilities of mobile assets will increase cybersecurity across the Federal spectrum. “The CDM PMO plans to accomplish this in a step-by-step, programmatic fashion,” according to Jensen.