What is Continuous Diagnostics and Mitigation (CDM)?

Continuous Diagnostics and Mitigation (CDM) helps strengthen the cybersecurity of government networks and systems by providing automated scanning and analysis of risk. CDM capabilities and tools help government agencies:

• Find cybersecurity risks on an ongoing basis
• Prioritize those risks based on potential impacts
• Enable cybersecurity personnel to focus on the most significant problems first

CDM capabilities help agencies comply with mandates from the Office of Management and Budget (OMB) and the Federal Information Security Modernization Act (FISMA) that focus on continuous monitoring to keep information and systems safe.

To implement CDM, agencies use commercial off-the-shelf tools that provide enterprise-wide visibility of what assets, users, and activities are on their networks. This actionable information helps agencies to effectively monitor and rapidly respond to cyber incidents. You can learn more about the federal CDM initiative at the Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Agency (CISA) websites.

How CDM works at CMS

At CMS, we use Continuous Diagnostics and Mitigation tools to support the overarching Cyber Risk Management Program, which focuses on proactive, risk-based decision making. This is an important part of our commitment to protecting the sensitive information entrusted to us by the people we serve. Healthcare systems continue to be a primary target for hackers with an ever-growing spectrum of cyber threats. To be vigilant in protecting patient data, CMS Business Owners need to build security automation into their systems through programs like CDM.

To implement CDM, we use the security capabilities at each CMS data center to create an integrated ecosystem of overall continuous monitoring across the agency. CDM sensors automate identification of known cyber vulnerabilities, and then send that information to analytics tools to create dashboards that:

• Alert system managers about risks for remediation
• Report security / privacy posture to CMS
• Share aggregated information at the federal level

This process allows System / Business Owners to make risk-based decisions quickly and prioritize the most significant threats first. All CDM data from CMS is also shared to federal dashboards, which are used to provide situational awareness of the current cybersecurity posture of the federal government as a whole.

CDM implementation

The CDM program is being implemented at CMS in four phases, which will build on each other to provide a complete picture of the assets, users, activities, and data on CMS networks.

Phase 1: What is on the network?

This phase is focused on providing information security continuous monitoring (ISCM) tools and capabilities to support asset management, security configuration, and vulnerability scanning. This includes:

• HWAM – Hardware Asset Management
• SWAM – Software Asset Management
• CSM – Configuration Settings Management
• VUL – Vulnerability Management

Phase 2: Who is on the network?

This phase is focused on who is accessing the system, what their privileges are, and how they are trained. It includes:

• TRUST –Access Control Management
• BEHV – Security-Related Behavior Management
• CRED – Credentials and Authentication Management
• PRIV – Privileges

Phase 3: What is happening on the network?

This phase is focused on enhancing boundary protections and event management capabilities. It includes:

• Planning for threats and events
• Responding to threats and events
• Generic auditing and monitoring
• Documenting requirements, policies, etc.
• Quality management
• Data loss detection
• Boundary protection (Network, Physical, Virtual)

Phase 4: How is data protected?

This phase is focused on protecting and encrypting data on federal networks. It includes:

• Enhanced data encryption
• Mobile security
• Risk management
• Data loss prevention tools

Continuous monitoring for information privacy

In addition to protecting systems against security vulnerabilities, CMS takes a proactive approach to protecting the privacy of personal and health information. We do this through the CMS Privacy Continuous Monitoring Program, which will eventually be merged with the CDM program. Currently, there are some privacy controls that can be tested under CDM. We are working to mature the capabilities across both of these programs.

The future of CDM at CMS

CDM is a part of a multi-year effort to modernize CMS’ overall approach to information and system security. Instead of taking a reactive approach focused on “compliance”, we are moving toward a proactive approach that focuses on continuous evaluation, identification, and management of risk. This approach helps us:

• Build security into development pipelines (DevSecOps)
• Tailor system testing (such as Cybersecurity and Risk Assessment Program (CSRAP) to more specific uses
• Expedite the ATO process 
• Approve and onboard more systems to Ongoing Authorization

All of this means that information security and privacy activities at CMS will be aligned with federal standards for a risk-based approach, which are outlined in the NIST Cybersecurity Framework and the Federal Information Security Management Act (FISMA).