Ready to move continuous monitoring to the cloud?
- By (ISC)2 Government Advisory Council Executive Writers Bureau
- Sep 25, 2014
Agencies are headed to the cloud, but security and ensuring that the requirements of Continuous Diagnostics and Mitigation (CDM) program can be met are challenging areas that can slow down cloud adoption.
Since agencies are required to look to the cloud first for services, why not seek out cloud CDM providers?
In fact, agencies are considering the use of cloud CDM providers, but they must first determine the types of assurances they need to guarantee that the CDM provider does not breach vulnerability information. So, what are the options, and do CDM services exist that are available for agencies to try at little or no cost?
Cloud providers in general are required to provide evidence of their compliance with the Federal Information Security Management Act (FISMA) and the National Institute of Standards and Technology regs, as well as the supplementary security and privacy controls through the Federal Risk and Authorization Management Program (FedRAMP). As part of this process, the cloud provider is expected to have features consistent with the continuous monitoring capabilities described in the FedRAMP controls and compatible with the purchasing agency’s CDM program.
What happens if an agency selects a CDM provider that offers services through the “cloud?”
According to FedRAMP, the service would most likely qualify as a software-as-a-service (SaaS) offering, since vulnerability scanning tools, inventory tools and configuration management tools are all software at their core. A cloud service would simply provide the scanning and issue the results through a web browser. This means a CDM cloud provider would be expected to adhere to FedRAMP and go through the identical process as any other SaaS provider. A Third Party Assessment Organization (3PAO) would be expected to perform a full assessment, and the cloud CDM provider would be expected to perform continuous monitoring of its own assets and report the information to the agency (in addition to the information about the agency assets being scanned).
But there is a major issue facing agencies that consider a cloud-based security services provider. FedRAMP, in its present form, is only designed for information systems at the FIPS 199 low and moderate impact ratings, or for those systems whose compromise would have only “limited” or “serious” effects. This means if an agency has FIPS 199 high impact systems (ones whose compromise would have severe or catastrophic adverse effects), the cloud-based CDM provider could not scan those systems as it is not protected sufficiently to process or store vulnerability information about high impact systems. This may pose an interesting and complicated set of choices for agencies.
Agencies may either assess and authorize the cloud provider under the traditional process, described in NIST special publication 800-37 and 800-137, or only use the cloud-based CDM provider for moderate and low impact systems. The process of authorizing high impact systems is extremely challenging for an in-house system and can become complex and arduous when using an outsourced provider. Conversely, building a separate CDM infrastructure for high impact systems while using a cloud provider for moderate and low systems doesn’t make much sense either.
Assuming the cloud-based service provider can meet the agency’s FIPS 199 levels, the next question relates to cloud-to-cloud interactions. As one cloud provider will be scanning and testing another, the agency must ensure that sufficient contract language is included for both the CDM cloud provider and the clouds being monitored by the CDM cloud.
The CDM cloud provider should be insured in the event it causes downtime to a target cloud provider. The agency must then make certain that it has sufficient requirements in its contracts to ensure that the cloud providers can accept CDM from any agency-sponsored CDM cloud provider.
Once the FedRAMP, FIPS-199 and legal considerations are met, agencies can start looking at the interoperability and reporting challenges of using a cloud-based CDM provider. Agencies report information to DHS and OMB through CyberScope and the OMB MAX portal, the majority of which is submitted in a Security Content Automation Protocol (SCAP) or Lightweight Asset Summary Results Schema (LASR) format for consistency.
The agency must ensure it has a consistent format that is mandated across its cloud providers and its cloud-based CDM providers. It must also consider how it is going to aggregate information from various sources such as the cloud-based CDM provider, agency-based tools and possibly the self-attestation reports from cloud providers. These feeds must be combined with consistent analysis for vulnerability, impact, likelihood and threats to ensure that the highest risks are treated quickly.
The Department of Homeland Security has started a “cyber hygiene” program which, in its infancy, performs vulnerability scanning of external assets based on a schedule determined by DHS and the agency. These reports are delivered via secure format to the agency for analysis and remediation. Agencies interested in using a CDM cloud service should consider starting with DHS’ cyber hygiene program to get a feel for what types of tools, technology and contractual challenges may be ahead when engaging the services of a cloud-based CDM provider. DHS needs to ensure that cloud-based CDM offerings are included in its blanket purchase agreement for CDM tools and services.
Agencies stand to gain great efficiencies and cost savings through the adoption of cloud. CDM offered through the cloud holds great promise as well, but holds great risks if not performed correctly. Agencies can ease the transition by ensuring they have the appropriate FIPS 199 alignment, legal requirements, contract considerations, technical compatibilities and experience prior to engaging the services of a cloud-based CDM. DHS’ cyber hygiene program provides an excellent opportunity for agencies to experiment with a cloud-like CDM provider at little to no cost. From there, agencies will be in a better position to determine what cloud-based CDM providers would look like on the CDM tools BPA, and how they can best acquire them.