From: Defense Information Systems Agency (DISA)
Continuous Monitoring and Risk Scoring (CMRS) allows visibility of cyber risks and demonstrates the ability to use DOD Enterprise security tools and content. The CMRS pilot will assess continuous monitoring capabilities to support a phased pilot implementation. This pilot will leverage implementation efforts from four use cases: IAVM Reporting, CCRI Automation, Certification and Accreditation, and Net Assurance/Ops. This pilot will be used to demonstrate the effectiveness of a risk management approach to cyber security, and the ability to maintain an accurate picture of an organization’s security risk posture, provide increased visibility into assets, and leverage automated data feeds to quantify risk.
STANDARD FEATURES
CMRS currently provides several capabilities and services:
- Provides CC/S/A/FAs with a consolidated asset visibility for HBSS managed and unmanaged hosts.
- Scores risks related to Windows STIG and Patch compliance
- Scores risks for Antivirus and HBSS point product compliance
- Provides risk scores for COCOMS, CC/S/A/FA, and/or enterprises
CMRS also leverages the Portable Risk Score Manager (PRSM) tool to view the risk scores for the organization. PRSM utilizes the Operational Attribute Module (OAM) and the Assessment Results Consumer and Analysis Tool (ARCAT) to arrive at the data results displayed in the risk scoring tool.
PILOT ACTIVITIES
CMRS pilot will leverage implementation efforts from four use cases: IAVM Reporting, CCRI Automation, Certification and Accreditation, and Net Assurance/Ops.
- IAVM Reporting Use Case
The IAVM Use Case will be a phased evolution of IAVM reporting to using continuous monitoring capabilities.- Phase 1: preparatory phase in which DISA obtains approval from USCYBERCOM to eliminate singular, manually-entered POA&Ms.
- Phase 2: transition phase in which DISA begins using continuous monitoring automated capabilities to report IAVM compliance to USCYBERCOM.
- Phase 3: institutionalize phase in which DISA will evolve IAVM reporting to the USCYBERCOM IAVM-Next Generation process (which is based on vulnerability exposures, threats, and impacts).
- CCRI Automation
CCRIs will leverage continuous monitoring automation in a three phased approach:- Phase 1: DISA will test existing SCCVI (Network Scanner) automation with VMS to minimize manual data entry efforts during CCRI after action process.
- Phase 2: DISA will deploy Phase 1 capability to DoD as an optional CCRI after action process for all CCRIs.
- Phase 3: CCRIs will perform research and develop way forward to use HBSS and the future network scanner.
- Certification and Accreditation
The Certification and Accreditation (C&A) continuous monitoring use case is treated as two distinct efforts with a phased approach:- Effort 1: a four phased approach for DISA to fully integrate HBSS continuous monitoring capabilities into existing C&A process and tools (DIACAP using VMS and eMASS).
- Effort 2: an effort to support the DoD and Federal Government initiatives to transform from current C&A process to a continuous authorization process, modeled after the NIST Risk Management Framework (RMF). The RMF defines a continuous process to assess, authorize, and monitor system risks.
- Net Assurance/Ops
The Net Assurance/Ops use case will support the development of Operational Capabilities using Continuous Monitoring- Phase 1: will use existing HBSS continuous monitoring capabilities to assist in the development of trending and data mining requirements.
- Phase 2: will use enhanced data mining capabilities to support the development of OPs countermeasures.
- Phase 3: will train Net Assurance continuous monitoring users to use the data in support of countermeasure efforts.
Leave a Reply