CDM 2020: “Operationalizing CDM” Through Risk-Based Vulnerability Management
The year 2020 is shaping up to be a pivotal one for the U.S. Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program as it takes significant steps toward realizing the program vision of empowering federal agencies to make informed cybersecurity risk decisions and fix their worst problems first.
The CDM program, administered by the U.S. Department of Homeland Security (DHS), delivers cybersecurity tools and services to all federal agencies. The year ahead represents a tipping point for this critical program in many ways. One of those ways, as described by CDM program manager Kevin Cox recently, is the ability to deliver actionable cybersecurity information through the CDM dashboard ecosystem, or what he characterizes as “operationalizing” CDM.
Cox refers to FY2020 as a “readiness year,” in which federal agencies will become familiar with the concept of scoring their cyber risk and begin to evaluate their performance against a federal average. The CDM FY2020 to-do list includes establishing a federal baseline for AWARE algorithm scores for participating agencies and providing guidance to agencies on ways to improve boost AWARE scores by enhancing software patching practices and other measures. Each federal agency sees its own AWARE score and a federal average score. The CDM Program Office also sees the data and offers feedback to agencies on how to improve scores.
So, what goes into an AWARE score anyway? While refinements are anticipated, AWARE 1.0 currently provides a raw risk score, which gives an agency a rough idea of its overall cyber risk. At a high level, according to the Cybersecurity and Infrastructure Security Agency (CISA), AWARE categorizes vulnerabilities in three ways:
- Software Vulnerability (VUL) – Individual CVEs (Common Vulnerabilities and Exposures) identified on network endpoints by vulnerability scanners
- Configuration Settings Management (CSM) – Vulnerabilities that fail a CSM check are scored by assigning a risk value within the Common Vulnerability Scoring System (CVSS) scale based on severity
- Unauthorized Hardware (UAH) – Hardware devices not assigned to a Federal Information Security Modernization Act (FISMA) container
AWARE then assigns scores for the above three categories of vulnerability based on four metrics:
- Base – The base CVSS (Common Vulnerability Scoring System) value, scaled to prioritize the worst problems first
- Age – Age measured from the CVE publication date, with impact increasing over time
- Weight – Weight incorporating threat intelligence and other inputs
- Allowable Tolerance – A “grace period” between the score appearing on the agency’s dashboard and the federal dashboard that enables the agency to patch before a vulnerability impacts its Federal AWARE score
The vision for AWARE is to become an essential tool for federal agencies to make informed risk decisions and fix their worst problems first. At Tenable, we call this risk-based vulnerability management, and we have designed our Risk-Based Vulnerability Management Solution to deliver the type of actionable information that DHS is hoping to achieve with AWARE. Every federal agency that receives AWARE data about vulnerability priorities can also receive Tenable risk-based vulnerability prioritization data through its Tenable.sc platform. Leveraging this investment can deliver a substantial head start in understanding how to fix the vulnerabilities that pose the most risk first, resulting in superior AWARE scores as well as a more secure environment.
The Tenable Risk-Based Vulnerability Management Solution, like AWARE, includes CVSS data as a factor in its scoring. Recognizing the shortcomings of CVSS as a guide to vulnerability prioritization, however, the Tenable Risk-Based Vulnerability Management Solution goes far beyond CVSS to deliver a complete view that enables informed risk-based decision-making. The solution uses machine learning analytics to correlate vulnerability severity, threat actor activity and asset criticality to predict and manage issues posing the greatest risk.
Effective risk-based vulnerability prioritization must identify the few vulnerabilities with the highest likelihood of being exploited and include asset criticality. Tenable automates this by using data science and machine learning models to analyze more than 150 factors and output two risk-based metrics: the Vulnerability Priority Rating (VPR) and the Cyber Exposure Score. The VPR combines multiple vulnerability severity and threat intelligence factors to determine the likelihood of a vulnerability being exploited. The Cyber Exposure Score takes this further and automatically calculates asset criticality to represent the impact and combines the asset criticality rating with the VPR to determine each vulnerability’s risk to the agency.
Perhaps most importantly, Tenable does not limit Cyber Exposure Score information to the enterprise or agency level. Organizations can configure the Tenable Risk-Based Vulnerability Management Solution to deliver actionable Cyber Exposure Score data at any desired organizational level, enabling an extremely granular view of the security posture within the agency, and helping agency decision-makers apply limited resources where they are most needed. This achieves the vision that Kevin Cox has expressed for AWARE to “get it down to the business system level.”
To learn more about risk-based vulnerability management, visit: https://www.tenable.com/solutions/risk-based-vulnerability-management
For insights into how to go beyond CVSS to enable informed risk-based prioritization decisions, read the ebook, Focus on the Vulnerabilities That Pose the Greatest Risk.
Related Articles
- Federal
- Public Policy
- Vulnerability Management