AWS Government, Education, & Nonprofits Blog

How to Apply the U.S. Department of Homeland Security’s Continuous Diagnostics and Mitigation Programs on AWS

Continuous Diagnostics and Mitigation (CDM) is an important part of the federal government’s cybersecurity strategy, and it’s getting a boost in visibility since the House passed the Advancing Cybersecurity Diagnostics and Mitigation Act (H.R. 6443). Among other things, this Act directs the U.S. Department of Homeland Security (DHS) to develop and provide the capability to collect, analyze, and visualize government-wide information relating to security data and cybersecurity risks and to make these program capabilities available for use by any federal agency.

This blog post demonstrates how you can start a CDM program—or extend an existing one—within your AWS environment. AWS offers both cloud-native solutions and AWS Marketplace partners to help you meet requirements as you work to become compliant.

What is CDM?

CDM is an acquisition program intended to safeguard, secure, and strengthen cyberspace and the security posture of federal networks in an environment where cyberattacks are continuously growing and evolving. The program is constructed in four phases:

  1. The first phase requires you to understand what assets need to be protected.
  2. The second asks you to identify the employees allowed to do work on these assets.
  3. The third phase requires you to identify what’s actually happening on the network.
  4. The fourth phase requires you to identify how the data accessible over this network is identified, cataloged, and protected based on its sensitivity.

CDM is also an architecture focusing on the flow of data from sensors to dashboards at different visibility levels. It identifies the actual versus desired states of system security through the development of a machine-readable policy engine.

CDM takes tools and sensor data (Layer A) from components usually distributed throughout your enterprise. This is the primary feedback loop for situational awareness of IT environments for security, management, and financial decision-making. Sensor data feeds up to a data integration, normalization, and orchestration layer (Layer B). The aggregated, normalized, and orchestrated data from Layer B feeds agency-level visualization and reporting via an agency dashboard (Layer C). The agency dashboard feeds the federal enterprise dashboard (Layer D). The federal enterprise dashboard is the locus of policy implementation intended to use what CDM calls a “machine-readable policy engine” that can take the northbound sensor data from Layer A and apply it to a rules engine to create policy that can be pushed back down the layers in the CDM architecture.

Using AWS resources to help you become CDM compliant

So how do you utilize CDM? Well, it’s likely that you want to apply CDM requirements to your cloud architecture planning, so mapping the CDM requirements to cloud services and features is a necessary first step. AWS has many services and features that can help. The table below is a tool you can use to gain high-level perspective on how you can use AWS resources as you work toward CDM compliance.

CDM Requirement AWS Service
HWAM – Hardware Asset Management: You can use application programming interface (API) calls, command-line interface (CLI) calls, AWS Systems Manager, or AWS Config for scheduled, automated, or ad-hoc inventory collection. At any point in time, you can have an accurate inventory of all IP assets in your AWS accounts.
SWAM – Software Asset Management: AWS Config and Systems Manager integrate both on-premises and cloud resources into a unified software asset management capability for government. AWS Config can manage all AWS assets, and Systems Manager can manage on-premises assets.
CSM – Configuration Settings Management: AWS Config manages and evaluates AWS resource configurations against desired settings and identifies relationships between resources. AWS Config integrates with Systems Manager to manage Amazon Elastic Compute Cloud (Amazon EC2) instances and on-premises server configurations.
VUL – Vulnerability Management: Amazon Inspector provides manual or automated inspections of assets, identifying vulnerabilities based on Common Vulnerabilities and Exposures (CVE) controls, Center for Internet Security (CIS) controls, AWS best practices, and behavioral analysis. AWS Trusted Advisor provides data on vulnerabilities like Amazon Simple Storage Service (Amazon S3) bucket permissions, security groups, and AWS Identity and Access Management (IAM) use. AWS Config provides data on the compliance of AWS services based on policy. Amazon GuardDuty identifies active threats, such as probes against your virtual private cloud, and assigns severity levels based on threat intelligence feeds and the NIST Common Vulnerability Database (CVD) and Common Vulnerability Scoring System (CVSS).
TRUST – Access Control Management (Trust in People Granted Access): TRUST is focused on government hiring controls. AWS provides the ability to integrate services like Amazon API Gateway, IAM, identity provider (IdP), and federated directory services with internal eligibility systems. This integration can provide a workflow that does not allow IAM or federated credentials to be activated, or permissions to be enabled, until certain requirements are met. AWS also provides the ability to build TRUST systems on AWS that are highly available and can scale with government needs.
BEHAVE – Security-Related Behavior Management: BEHAVE is focused on documenting that authorized users exhibit appropriate security-related (role-based) behaviors based on defined policies. Customers can encode their existing policies into their AWS environment through IAM policies, AWS CloudFormation templates, and serverless workflows using technologies like Amazon API Gateway, AWS Lambda, AWS Step Functions, and Amazon DynamoDB tables. AWS provides government agencies the ability to create policy as code that validates that all onboarding policy and training requirements are met before credentialing and before allowing authentication and authorization to systems. With AWS, you can also integrate big data and machine learning capabilities to develop insightful systems that combine digital behaviors (from sites like Twitter and Facebook) with government policy requirements.
CRED – Credentials and Authentication Management: AWS provides the capability to collect data associated with credentials issued to users, the credential type required for an attribute, the actual attributes the user is assigned or authorized, and locally defined policies for authentication, in order to provide measurable data elements for the creation of automated security checks. AWS can provide automation, logging, reporting, and auditing services that support these functions. Services and capabilities like the AWS Well-Architected Framework, Amazon Simple Notification Service, Amazon Simple Queue Service, API Gateway, Step Functions, Lambda, Amazon CloudWatch, and AWS CloudTrail can provide flexibility and enterprise visibility into your credentials and authentication management systems.
PRIV – Privileges: AWS services provide logging, auditing, alerting, and automation for activities and events based on the use of privileges. AWS allows you to develop policy as code that integrates AWS services to monitor, alert, audit, and log NIST 800-53 and FISMA control policy compliance. Leveraging well-architected patterns, following least-privilege designs, using IdP or Active Directory federation, and incorporating AWS Config, Trusted Advisor, and policy as code via IAM, S3 bucket policy, Lambda, and Step Functions provides a powerful capability in this category.
BOUND – How is the network protected?

  • BOUND-F: Network Filters and Boundary Controls
  • BOUND-E: Cryptographic Mechanisms Controls
  • BOUND-P: Physical Access Controls

BOUND-F: AWS provides granular stateful (security groups) and stateless (Network Access Control Lists (NACL)) packet filtering capabilities, network address translation (NAT) services and web application firewall (WAF) capabilities for IPv4 and IPv6 flows. AWS EC2-native networking capabilities eliminate the IP spoofing and promiscuous mode “eavesdropping” that traditional firewall features allow.

BOUND-E: AWS services provide encryption in transit using TLS and at rest using either AWS Key Management Service (KMS) or a third-party Key Management solution that you can run in the cloud.

BOUND-P: AWS manages physical access to our data centers, so you benefit from the physical controls we put in place. In addition, your on-premises physical control systems can use our APIs to integrate with AWS cloud services.
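The CSM and BOUND-F rows above describe evaluating resource configurations against a desired state and enforcing packet-filter policy as code. The block below is an added example, not code from the AWS post: it has the shape of a custom AWS Config rule handler and flags any security group that exposes an administrative port to 0.0.0.0/0 or ::/0. The configuration item is constructed to mirror the AWS Config item layout, and ADMIN_PORTS and the rule's annotation text are assumptions; a real deployment would hand the returned evaluation to `config.put_evaluations()`, which is left out so the logic runs offline.

```python
"""Policy-as-code check in the shape of a custom AWS Config rule.

Added example (not from the AWS post). Evaluates one AWS::EC2::SecurityGroup
configuration item and reports NON_COMPLIANT when an inbound rule opens an
administrative port to the whole Internet.
"""
import json

ADMIN_PORTS = {22, 3389}        # assumption: SSH and RDP are the ports this rule guards
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def rule_covers_admin_port(perm):
    """True if an ipPermissions entry overlaps one of ADMIN_PORTS."""
    proto = perm.get("ipProtocol")
    if proto == "-1":                       # "all traffic" covers every port
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:
        return False
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def open_to_world(perm):
    """True if the entry lists an any-source CIDR (assumed Config item layout)."""
    v4 = [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
    v4 += perm.get("ipRanges", [])          # older items carry plain CIDR strings here
    v6 = [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return ANY_IPV4 in v4 or ANY_IPV6 in v6


def evaluate_security_group(config_item):
    """Return (compliance_type, annotation) for one configuration item."""
    if config_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    offenders = []
    for perm in config_item.get("configuration", {}).get("ipPermissions", []):
        if rule_covers_admin_port(perm) and open_to_world(perm):
            offenders.append(
                f"{perm.get('ipProtocol')}:{perm.get('fromPort')}-{perm.get('toPort')}")
    if offenders:
        return "NON_COMPLIANT", "admin ports open to the world: " + ", ".join(offenders)
    return "COMPLIANT", "no admin port is exposed to 0.0.0.0/0 or ::/0"


def lambda_handler(event, context=None):
    """Entry point in the shape AWS Config uses for custom rules.

    The evaluation is returned instead of being sent with put_evaluations()
    so the check stays testable without AWS credentials.
    """
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    compliance, note = evaluate_security_group(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


# Constructed sample configuration item (not captured from a real account):
# HTTPS open to the world is fine, SSH open to the world is not.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0example0000000001",
            "configurationItemCaptureTime": "2018-10-01T00:00:00.000Z",
            "configuration": {
                "ipPermissions": [
                    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                     "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                     "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                ]
            },
        }
    }),
    "ruleParameters": "{}",
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

The same evaluation can be triggered on every configuration change (the desired-versus-actual comparison CSM calls for) and its NON_COMPLIANT result fed to a Step Functions or Lambda remediation step, which is the policy-as-code loop the BEHAVE and PRIV rows describe.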

MNGEVT – Identification of security threat vectors, detection of security violation events, and classification of event impacts.

AWS offers Amazon Inspector and GuardDuty for the identification of security threat vectors, detection of security violation events, and classification of event impacts.

Amazon Inspector identifies threats based on CVEs, CIS benchmarks, and AWS best practices, and their remediation can be automated.

GuardDuty provides aggregated virtual private cloud (VPC), domain name system (DNS), and CloudTrail log analysis, machine learning algorithms for behavioral analysis, and third-party threat intelligence feeds. It combines with CloudWatch, Step Functions, and Lambda to deliver actionable automated intelligence to detect, classify, and respond to current threats.

Another core aspect of identifying security threat vectors is the ability to centrally collect, analyze, protect, and manage enterprise logging that identifies what is really happening on your deployed systems. AWS provides a portfolio of technologies and the guidance on how to design them in a well-architected manner.

Operate, Monitor, and Improve (OMI): In-depth security root cause analysis, prioritization of security mitigation response/recovery, notification, and post-incident activity. AWS provides the tools for innovation in government security compliance, monitoring, detection, incident response, logging, alerting, and automation. Common AWS services and tools for root cause analysis, prioritization of security mitigation response and recovery, notification, and post-incident activity are CloudWatch (Metrics, Alerts, Events), GuardDuty, and Amazon Inspector. GuardDuty events include severity levels based on the NIST CVD Common Vulnerability Scoring System. Amazon Inspector also provides severity information for CVE findings. Combined, GuardDuty and Amazon Inspector provide prioritization for mitigation and response. AWS also provides native integration with Lambda and Step Functions to orchestrate the remediation workflow for potential threats.
Design and Build in Security (DBS): Software acquired or newly developed to ensure that security and privacy are built in during all stages of the System Development Lifecycle (SDLC). Developing applications on AWS using well-architected principles that incorporate Software Development Life Cycle (SDLC) and Supply Chain Risk Management (SCRM) concepts gives government customers an agile environment for SecDevOps. Integrating AWS serverless services into an application architecture reduces the attack surface, increases the scalability and availability of the application, and introduces visibility into the workings of the application at multiple levels that can be integrated and automated. At the lowest layer in the shared responsibility model, AWS provides many compliance capabilities (SOC, PCI, HIPAA, FedRAMP) that customers can inherit to increase the pace of secure application development. AWS offers private networking access to reduce the attack surface.
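The MNGEVT and OMI rows describe GuardDuty findings flowing through CloudWatch Events to Lambda and Step Functions, with severity driving prioritization. The block below is an added example, not code from the AWS post: a Lambda-style handler that takes a GuardDuty finding as delivered by a CloudWatch Events rule, maps its numeric severity to GuardDuty's documented Low (below 4.0), Medium (4.0 to 6.9), and High (7.0 and above) bands, and returns a routing decision a remediation workflow can act on. The ROUTES table, the sample finding, and its identifiers are constructed assumptions; only the event envelope (source, detail-type, detail fields) follows the GuardDuty event format.

```python
"""Triage of a GuardDuty finding delivered through a CloudWatch Events rule.

Added example (not from the AWS post). Classifies the finding by severity
band and returns the workflow step to take; nothing here calls AWS, so it
runs offline.
"""


def severity_band(score):
    """Map GuardDuty's numeric severity to its documented Low/Medium/High bands."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


# Assumed routing policy (not an AWS-defined table): which workflow step and
# notification channel each band triggers. Names are placeholders.
ROUTES = {
    "HIGH":   {"action": "open_incident_and_isolate", "notify": "soc-pager"},
    "MEDIUM": {"action": "open_ticket",               "notify": "soc-queue"},
    "LOW":    {"action": "log_only",                  "notify": None},
}


def affected_resource(detail):
    """Return (resource_type, identifier) from the finding's resource block."""
    res = detail.get("resource", {})
    kind = res.get("resourceType")
    if kind == "Instance":
        return kind, res.get("instanceDetails", {}).get("instanceId")
    if kind == "AccessKey":
        return kind, res.get("accessKeyDetails", {}).get("accessKeyId")
    return kind, None


def triage_finding(event):
    """Validate the event envelope and build the routing decision."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    d = event["detail"]
    band = severity_band(float(d["severity"]))
    kind, ident = affected_resource(d)
    decision = dict(ROUTES[band])
    decision.update({
        "finding_id": d["id"],
        "finding_type": d["type"],
        "severity": d["severity"],
        "band": band,
        "resource_type": kind,
        "resource_id": ident,
        "account": d.get("accountId"),
        "region": d.get("region"),
        # GuardDuty aggregates repeats of one finding; count shows how often it recurred
        "occurrences": d.get("service", {}).get("count", 1),
    })
    return decision


def lambda_handler(event, context=None):
    """Lambda entry point for a CloudWatch Events rule matching GuardDuty findings."""
    return triage_finding(event)


# Constructed sample event (not a real finding): an EC2 instance resolving a
# known command-and-control domain, which GuardDuty reports at high severity.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "111111111111",
    "region": "us-gov-west-1",
    "detail": {
        "id": "example-finding-id-0001",
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "severity": 8.0,
        "accountId": "111111111111",
        "region": "us-gov-west-1",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0example0000000001"},
        },
        "service": {"count": 3},
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

In a deployment the returned decision would start a Step Functions execution whose states call the isolation, ticketing, or notification step named in `action`; keeping the classification separate from the side effects makes the prioritization logic itself reviewable and testable.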

Conclusion

CDM is both a program and an architecture designed to improve the security, visibility, and agility of cyber responsiveness within the federal government. With the recent legislative efforts of H.R. 6443, CDM will get more visibility. AWS delivers a broad portfolio of IT services that provide numerous security and compliance capabilities in support of CDM.

Read more on the AWS Security Blog in the post titled "How federal agencies can leverage AWS to extend CDM programs and CIO Metric Reporting."


A guest post by Darren House, Senior Solutions Architect, AWS