Why is database scanning important?

CMS databases and large data stores are a prime target for attackers because of the volume of sensitive information stored on CMS systems. That includes personally identifiable information (PII), protected health information (PHI), provider and beneficiary information, and intellectual property. 

Scanning databases and large data stores helps protect the databases and mitigate risks, enhancing the overall security profile of CMS systems. This is part of the process known as Vulnerability Management (VM).

Why use DbProtect?

ISPG provides Trustwave DbProtect (external link) for use throughout CMS. Licenses for the DbProtect Vulnerability Management module are available to CMS Business Owners at no charge.

The DbProtect Vulnerability Management module helps prevent database breaches and accidental data leakage by routinely scanning databases and large data stores. It will uncover configuration errors, access control errors, and unauthorized or unusual privileged user behavior.

Trustwave DbProtect is:

• Compatible with both on-premises and cloud-based databases

• Free for all systems at CMS

• Easy to request through ServiceNow or SIGNAL

When do I use DbProtect?

At CMS, the Cybersecurity Risk Assessment Program (CSRAP) strongly encourages database scanning as part of their onboarding process. Scan reports created by DbProtect can be used as a risk information source during your CSRAP assessment.

DbProtect is available even if you’re not preparing for a CSRAP assessment. Any time you’re adding a database or large data store to the system, you can use DbProtect to do it as securely as possible.

How do I get started?

To request a DbProtect scan of a database or large data store, complete the ServiceNow workflow (link requires a CMS login). It will ask you for information about the database, and the scan will be scheduled from there.

In order to access the workflow in ServiceNow and request a scan, you will need the following CMS job codes:

• SNOW_PRD

• SNOW_TRG

This workflow is also accessible on SIGNAL as a TO-01 artifact in support of a CSRAP assessment.

Contact

Questions about DbProtect or database scanning? Contact the CMS Vulnerability Assessment Team at VAT@cms.hhs.gov.

This post is contributed by the DbProtect team to encourage database scanning by CMS system teams and promote risk-based decision making throughout the enterprise.