Announced in early 2013, the $6 billion multi-phase DHS CDM program is focused on securing networks and systems across government. It covers some 169,000 tools and services, and it is managed by the Department of Homeland Security’s National Protection and Programs Directorate (NPPD) while the General Services Agency runs the acquisition contract.
Funding is provided to most civilian agencies. It flows through DHS and covers most, though not all, of what’s required to deploy CDM. And although Phase 2 of the program is just getting underway, the current contract expires next summer, so current deployment efforts are also informing plans for the next-generation acquisition vehicle.
A recent FCW article, CDM in the Trenches, by Troy Schneider, recounted a recent gathering of CDM stakeholders to discuss their experiences to date.
A common refrain was a combination of lack of resources and overwhelming number of tools was making deployment of CDM very challenging.
An inherent problem is how CDM’s controls-based approach is focused on securing network and systems but not the services that run on top of these environments. A chief concern being that a controls-based approach, by default, is going to devalue more holistic security efforts. CDM is focused on securing networks and systems but what the agencies are really trying to do is secure the services and applications that run on these systems.
Another issue is that CDMs phase-based approach covers most, but not all, of what is required to deploy CDM. As Phase 1 expires, not everyone will have access to the tools and agencies are going to have to come up with funding to buy them. And for agencies that did buy the tools, many are remaining on the shelf, since the professional services supporting them have not been contracted for yet.
So as the agencies struggle to secure their networks and systems as part of CDM, they are also faced with effectively securing their services. CDM is all about compliance. So if they really want to secure their services, CDM alone is not the answer.
Waverley Labs believes the solution lies in finding a willingness to try a new approach. There is a way to be secure networks, systems and services in concert with CDM only using far fewer tools.
The key is the ability to define the architecture to secure your servers with the services running on top allowing them to leverage CDM with the funds they already have.
The software defined perimeter (SDP) is an emerging solution that does just that. The SDP, or “Black Cloud,’ shrouds the application (or IT environment) to all but authorized users and devices. It automates the analysis of applications and assets to identify critical points of failure. This outcome-based approach, in concert with the NIST cybersecurity framework, facilitates an agency to choose and match the right tools for mitigating and lowering the risks identified, and in what priority.
SDPs are emerging as a key component in a new security paradigm for reducing and eliminating risk. They incorporate industry input and lessons learned from successful commercial implementations of SDP by leading enterprises such as Verizon, Coca-Cola, Mazda, and Google.
SDPs employ an authenticate-first approach by securing every connection to a predetermined service, application or critical infrastructure. The primary effect of the SDP is that it allows good packets and connections while dropping bad packets and preventing bad connections.
SDPs continue to be tested in organized industry “hack-a-thons” (such as RSA) with an estimated 10 billion attempts to date – all unsuccessful.
For more information, check out this white paper on Software Defined Perimeters.
Also feel free to check out the industry’s first open source reference implementation of SDP developed by Waverley Labs. The reference architecture and repository can be accessed and downloaded here.