Tenable Blog

CDM: Making US Federal Agencies More AWARE of Cyber Exposure

At a recent Tenable-sponsored MeriTalk event, Kevin Cox, program manager for Continuous Diagnostics and Mitigation (CDM), provided a preview of coming attractions regarding the CDM federal dashboard. As of this writing, the CDM dashboard is in its initial production stage, with agency exchanges being set up to aggregate the data to be fed into the dashboard. At least five agencies are reportedly on track to have data uploaded to the CDM dashboard during the first quarter of 2018.

Agency-Wide Adaptive Risk Enumeration (AWARE): New scoring algorithm for cyber hygiene

Looking ahead, Cox announced that Release 5 of the CDM dashboard, due out in the spring, will introduce a new scoring algorithm that provides a single-number summary of each federal agency’s “cyber hygiene” status. This new algorithm, which will be known as Agency-Wide Adaptive Risk Enumeration (AWARE), is an evolving concept intended to drive CDM toward the goal of improving the way the government measures its cyber risk – that is, the degree to which known vulnerabilities continue to provide an unprotected attack surface for potential adversaries. AWARE will provide a raw risk score, which gives an agency, at a glance, a rough idea of its overall cyber risk. Cox stressed that it was only a starting point toward achieving and maintaining good basic cyber hygiene. Plans call for AWARE to continue to be refined in subsequent releases, increasingly taking mitigation and other relevant factors into account. This initial release represents an important step toward the overarching goal of sharpening the federal focus on performing basic cyber hygiene.

Sometimes referred to as the “blocking and tackling” of cybersecurity, basic cyber hygiene includes foundational tasks essential to securing any environment, such as making sure that software, applications and operating systems are promptly and regularly updated with their most recent versions. The first step in achieving this goal is to identify all devices on the network – physical, virtual and transient. Once identified, devices are then scanned to assess known vulnerabilities. The Department of Homeland Security has set the goal for every government agency to perform these scans at least every 72 hours.

Once a vulnerability is identified, remediation is prioritized by the agency. Patching operational systems is disruptive. Without a rigorous patch management program, however, greater delays and more serious disruptions may result from exploits of these vulnerabilities. The recent Equifax breach provides an example of the potentially devastating impact of delayed patching. That massive data exfiltration was made possible because Equifax had not patched a known vulnerability, Apache Struts CVE-2017-5638, even though that patch had been available for two months prior to the breach.

CDM AWARE and Cyber Exposure: The path to strategic decision-making

The CDM AWARE initiative is an important effort to measure cyber risk in a meaningful way, which will become increasingly difficult – and important – as modern assets, such as cloud infrastructure, mobile devices and OT and IoT devices, make their way into the network environment. Delivering meaningful risk measurement in the modern IT environment is a cornerstone of an emerging concept known as Cyber Exposure. Building on vulnerability management through assessment of network assets and activity, Cyber Exposure provides strategic insight with an objective way to measure and compare cyber risk across the components of an organization or, in the case of CDM, the agencies and departments of the U.S. federal government.

Cyber Exposure, like CDM, happens in distinct stages:

  • Perform live discovery and vulnerability assessment that encompasses all traditional and modern assets to provide the visibility needed to determine what assets are on the network and to what extent they are secure and exposed.
  • Once this information has been collected, map it to the organization’s mission to help determine what’s important, including the asset’s use and criticality.
  • Enrich using other data sources, including whether the vulnerability is currently being exploited.
  • Prioritize scarce resources and efforts to mitigate those vulnerabilities that most directly affect the mission.
  • Perhaps most importantly, leverage the Cyber Exposure data to drive strategic discussions and investment decisions based on quantifying risks in the context of the organization and its missions.
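As an added illustration of the staged process above (example code written for this post, not Tenable's or the CDM program's code, and not the AWARE algorithm, whose weights the post does not give), a Python sketch that scores constructed findings by severity, asset criticality and known-exploited status, flags assets outside the 72-hour scan window and patches left unapplied past a chosen SLA, and rolls everything into a single number. All asset names, dates and the two CVE-EXAMPLE identifiers are constructed; the weights are hypothetical.

```python
from datetime import datetime, timedelta

SCAN_WINDOW = timedelta(hours=72)  # DHS target scan cadence cited in the post

# Constructed inventory: criticality 1 (low) .. 5 (mission critical), last scan time.
ASSETS = {
    "web-01": {"criticality": 3, "last_scan": "2018-03-01T08:00:00"},
    "db-01":  {"criticality": 5, "last_scan": "2018-02-20T08:00:00"},
    "lab-pc": {"criticality": 1, "last_scan": "2018-03-02T08:00:00"},
}
# Constructed findings; CVE-2017-5638 is the Struts CVE from the post,
# the CVE-EXAMPLE-* ids are placeholders.
FINDINGS = [
    {"asset": "web-01", "cve": "CVE-2017-5638",    "cvss": 10.0, "patch_available": "2018-01-01"},
    {"asset": "db-01",  "cve": "CVE-EXAMPLE-0001", "cvss": 7.5,  "patch_available": "2018-02-15"},
    {"asset": "lab-pc", "cve": "CVE-EXAMPLE-0002", "cvss": 9.8,  "patch_available": "2018-02-01"},
]
# Enrichment stage: constructed stand-in for a known-exploited feed.
KNOWN_EXPLOITED = {"CVE-2017-5638"}


def stale_assets(assets, now):
    """Discovery stage check: assets not scanned within the 72-hour window."""
    now = datetime.fromisoformat(now)
    return sorted(name for name, a in assets.items()
                  if now - datetime.fromisoformat(a["last_scan"]) > SCAN_WINDOW)


def score_finding(finding, assets, exploited):
    """Hypothetical weighting: severity x asset criticality, doubled if exploited in the wild."""
    weight = assets[finding["asset"]]["criticality"]
    multiplier = 2.0 if finding["cve"] in exploited else 1.0
    return finding["cvss"] * weight * multiplier


def prioritize(findings, assets, exploited):
    """Prioritization stage: highest mission-weighted risk first."""
    return sorted(findings, key=lambda f: score_finding(f, assets, exploited), reverse=True)


def overdue_findings(findings, today, sla_days):
    """Findings whose patch has been available longer than the remediation SLA."""
    today = datetime.fromisoformat(today)
    return [f for f in findings
            if (today - datetime.fromisoformat(f["patch_available"])).days > sla_days]


def agency_score(findings, assets, exploited):
    """Single-number roll-up of all weighted findings, in the spirit of AWARE's raw score."""
    return round(sum(score_finding(f, assets, exploited) for f in findings), 1)
```

Note that lab-pc carries the second-highest CVSS score but ranks last once asset criticality is applied, which is the point of the mission-mapping stage.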

At a high level, Cyber Exposure is analogous to IT Service Management (ITSM). Just as ITSM provides a process for planning, delivering and operating IT services to better support customers, Cyber Exposure provides a discipline and process for managing and measuring cyber risk against the modern attack surface. Quantifying Cyber Exposure in operational terms helps drive more productive and actionable discussion with an organization’s senior leadership. In adopting the AWARE algorithm, the CDM program is making a meaningful security move that introduces the U.S. federal government to the use of Cyber Exposure data as a key risk metric to be considered in future strategic decision-making.

Want to learn more?

For more insight into Cyber Exposure, visit: https://www.tenable.com/cyber-exposure

To learn more about how Tenable, and its flagship CDM platform, SecurityCenter Continuous View, can help your agency improve its security posture, visit: https://www.tenable.com/data-sheets/maximize-outcomes-for-cdm-and-much-more-with-securitycenter-continuous-view
