The DHS Continuous Diagnostics and Mitigation (CDM) Program is a comprehensive, risk-based security approach that enables federal agencies to quickly address threats in their environment. The CDM Program provides a dynamic approach for strengthening government networks and systems by delivering cybersecurity tools, integration support, dashboards, and a framework around it all – while enabling agencies to improve their security posture and streamline security compliance capabilities and reporting.
CDM and its available tools span a wide array of cybersecurity areas, from very basic to very technical. At a basic level, CDM asks:
- Phase 1: What’s on the network?
- Phase 2: Who’s on the network?
- Phase 3: What’s happening on the network?
- Phase 4: How is the data protected?
Phase 1, the most foundational element within CDM, is the ability to identify all devices and users on the various government networks, that is, to answer “What’s on the network?” There are sub-categories in this phase to help narrow the focus:
- Hardware asset management (HWAM)
- Software asset management (SWAM)
- Configuration settings management (CSM)
- Software vulnerability management (VUL)
- Enterprise mobility management (EMM)
As CDM evolves, it also delivers identity and access management, network security management, and data protection management. But as agencies adopt and mature CDM capabilities, they’re still finding challenges related to asset management and the ability to uniquely track, accurately verify, and validate data attributes associated with agency devices.
Let’s define that first element within CDM Phase 1, HWAM, and explore three practices that agencies can follow to build the foundations of a successful CDM program.
What’s CDM HWAM?
Aside from an acronym that, when said out loud, reminds me of a noise you’d find depicted in an old school superhero comic, hardware asset management (HWAM) is the most foundational part of CDM Phase 1.
HWAM helps agencies address attacks that exploit unmanaged or unauthorized devices. It aims to give security teams greater visibility into the assets and users on their networks so they can proactively reduce vulnerabilities and thwart attacks.
The goal of HWAM is to first understand and identify all of your hardware assets, then build processes and procedures around managing, maintaining, and securing those assets.
To successfully implement HWAM security, DHS identified three critical practices for federal cybersecurity teams.
HWAM Practice 1: All Authorized Devices (i.e., Hardware Assets) Are in the Hardware Asset Inventory
- Where do I find all of the information on the hardware assets?
- How do I compile the data? And where do I compile it?
- Is there a process in place for naming conventions and how we organize the data?
- How often do we update the inventory?
Aside from creating processes and policies around storing and organizing the data, the first step is simply finding all of the places where information on hardware assets could be stored. This may require involving many different IT and security teams and aggregating databases, spreadsheets, configuration management databases (CMDBs), etc.
The good news? All the data you need is there; it may just be a bit of a scavenger hunt to find it. Once you have the data, you can then focus on how and where to store it, how to organize it, and really, how to make sense of it all.
HWAM Practice 2: Only Authorized Hardware Assets Are Allowed on the Network
Practice 2 takes HWAM a step further and is meant to look at the policies surrounding hardware assets that the organization is responsible for securing but does not directly host. The primary assets to think about here are cloud services and employee-owned hardware devices (phones, laptops, etc.) that may connect to the network.
A recent survey of DoD IT professionals found that more than 50% of their infrastructure is now cloud hosted. HWAM Practice 2 ensures that when assets move to the cloud, security comes with them. It raises questions like, “What process do we follow before allowing externally managed hardware assets to access our network services?” or, “Do we allow externally managed hardware assets to connect to the network?” Just getting agencies to a point where these questions can be easily answered is incredibly important before even investing in specific cloud security platforms.
The second category of assets considered in Practice 2 is employee-owned hardware assets. In the earlier referenced survey, revising BYOD policies was the No. 2 priority when preparing for employees to return to work. Aside from using CDM tools to track, inventory, and monitor the external devices, organizations should implement rules of the road around these devices. Employees should have a solid understanding of what the policies are and what they mean to them.
HWAM Practice 3: All Authorized Hardware Assets Have a Manager Assigned to Them
Following practices 1 and 2 ensures visibility of assets and users that interact with the network and data. So what’s left for Practice 3 then?
Well, it’s pretty simple (in theory) – it’s ensuring there’s a formal process to manage and maintain hardware assets.
There are many ways to go about this. Some organizations have a holistic approach that puts one team in charge of all of it, while others give responsibility to the teams that own the assets. Figuring out and implementing these processes will be an exercise of understanding who owns what, who should manage what, and — most importantly — who should be accountable.
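Once the inventory sources are merged, the three practices reduce to three checks over the data. The sketch below is an added example, not code from DHS or any CDM tool; the field names, the use of the MAC address as the join key, and the sample records are assumptions constructed for illustration.

```python
import re

def norm_mac(raw):
    """Normalise a MAC address to lowercase colon form; None if malformed."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw or "").lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_inventory(*sources):
    """Practice 1: merge authorized-asset records from several sources.
    Records are keyed by MAC; later sources only fill blank fields."""
    inventory, rejected = {}, []
    for name, records in sources:
        for rec in records:
            mac = norm_mac(rec.get("mac"))
            if mac is None:
                rejected.append((name, rec))  # unusable key, needs manual cleanup
                continue
            merged = inventory.setdefault(mac, {"mac": mac, "sources": []})
            merged["sources"].append(name)
            for field in ("hostname", "manager"):
                if rec.get(field) and not merged.get(field):
                    merged[field] = rec[field].strip()
    return inventory, rejected

def hwam_gaps(inventory, observed_macs):
    """Compare the inventory with devices actually seen on the network."""
    seen = {m for m in map(norm_mac, observed_macs) if m}
    known = set(inventory)
    return {
        "unauthorized_on_network": sorted(seen - known),  # Practice 2
        "inventoried_not_seen": sorted(known - seen),     # stale inventory entries
        "no_manager": sorted(m for m, a in inventory.items()
                             if not a.get("manager")),    # Practice 3
    }

# Constructed sample data (hypothetical exports, not real agency records).
CMDB = [{"mac": "00-1A-2B-3C-4D-5E", "hostname": "ws-014", "manager": "desktop-team"},
        {"mac": "001a.2b3c.4d5f", "hostname": "srv-db1", "manager": ""}]
SHEET = [{"mac": "00:1a:2b:3c:4d:5e", "hostname": "WS-014", "manager": ""},
         {"mac": "00:1A:2B:3C:4D:60", "hostname": "prn-3", "manager": "facilities"},
         {"mac": "n/a", "hostname": "old-kiosk", "manager": ""}]
OBSERVED = ["00:1a:2b:3c:4d:5e", "00:1A:2B:3C:4D:5F", "de:ad:be:ef:00:01"]

if __name__ == "__main__":
    inv, bad = build_inventory(("cmdb", CMDB), ("spreadsheet", SHEET))
    print(hwam_gaps(inv, OBSERVED), "rejected records:", len(bad))
```

The same workstation appears in both sources with different MAC notations and is merged into one entry, which is the deduplication problem that makes the Practice 1 "scavenger hunt" harder than it looks.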
How Can Cybersecurity Asset Management Help With HWAM?
HWAM helps agencies establish policies and processes around compiling an asset inventory, managing external devices, and maintaining all of the hardware assets. If the agency doesn’t already have these policies and processes in place, then it’ll take a holistic approach to define the roadmap for getting there with all stakeholders on board.
While there’s no “easy button” to organize the teams and processes, there are tools that help in other areas of HWAM – the finding, compiling, organizing, securing, monitoring, and maintaining the assets themselves. One approach to this is cybersecurity asset management. It’s the process of gathering asset data (with a primary focus on hardware, software, cloud instances, and users) to strengthen core security functions, including HWAM.
By connecting to all of your existing security and management tools, a cybersecurity asset management platform can identify all of your hardware assets, categorize and organize them for you, and enable you to find and take action on devices that have deviated from your security policies.