Managed by the Cybersecurity and Infrastructure Security Agency (CISA), the Continuous Diagnostics and Mitigation (CDM) Program is the US Department of Homeland Security’s effort to reduce cyber risk and provide visibility of network security across US government agencies.
CDM’s objectives are to:
• Reduce agency threat surface
• Increase visibility into the federal cybersecurity posture
• Improve federal cybersecurity response capabilities
• Streamline Federal Information Security Modernization Act reporting
CDM Capability Areas
CDM delivers capabilities in five key areas:
• Data Protection Management
• Network Security Management
• Identity and Access Management
• Asset Management
Results from the first four CDM Capability Areas are fed into an agency-level dashboard, producing bespoke reports that alert network managers to their most critical cyber risks. Summary information on each agency's performance is then displayed in a federal enterprise-level dashboard, providing aggregated situational awareness of the cybersecurity risk posture across the US federal government as a whole.
Actual vs Desired State
A key principle of CDM is to determine and compare ‘desired state’ attribute values with ‘actual state’ attribute values of a network.
Under CDM, appropriate NIST 800-53 controls are used to help establish the actual versus desired state. Per the requirements of CDM, the actual state of each agency’s network should be determined every 72 hours.
Automating NIST 800-53 controls with Nipper
The National Institute of Standards and Technology’s Special Publication 800-53 defines the standards and guidelines for federal agencies to architect and manage their information security systems.
Taking just minutes to set up and generate, our virtual modelling technology automates line-by-line analysis of device configurations, detecting precise security risks and evidencing compliance with 33 NIST 800-53 controls, in the following control families:
• AU – Audit and Accountability
• CM – Configuration Management
• IA – Identification and Authentication
• PM – Program Management
• RA – Risk Assessment
• SC – System and Communications Protection
• SI – System and Information Integrity
• SA – System and Services Acquisition
By using Titania Nipper to evidence compliance with NIST 800-53 controls related to core network devices in the above control families, users can assess performance against the CDM Asset Management Capability, and specifically the Configuration Settings Management (CSM) and Vulnerability Management (VUL) capabilities.
Many of these NIST 800-53 controls can also be mapped to the security practices within the DoD’s Cybersecurity Maturity Model Certification (CMMC) framework, meaning that defence supply chain companies can also automate much of the auditing and track their compliance with the CMMC framework.
Audits: Firewalls | Switches | Routers
We offer software that is easy to demonstrate, integrates with SIEM / SOAR systems and is easy to configure. Your customers will see how they can save 3 hours per audit, per device by using Titania.