This post appears as part of a series about the foundations of the DHS CDM Program. In the first and second blog posts, we covered what the DHS CDM Program is all about and explored the first two foundational elements – hardware asset management (HWAM) and software asset management (SWAM). In today’s post, we take a close look at the CDM capability specific to vulnerability management (VUL).
As federal agencies adopt and mature CDM capabilities, they’re still finding challenges related to asset management (both hardware and software) and the ability to uniquely track, accurately verify, and validate data attributes associated with agency devices.
The CDM Vulnerability Management (VUL) capability supports the ongoing assessment of a grouping of security controls that are employed to give organizations visibility into the:
In short, CDM VUL helps protect your assets from new and known software vulnerabilities. VUL joins with HWAM, SWAM, configuration settings management (CSM), and enterprise mobility management (EMM) to make up the asset management capabilities of the CDM program.
CISA outlines three key vulnerability management practices to ensure your agency is protected and compliant with CDM guidelines.
The first practice for VUL is to receive threat and vulnerability information from various sources, including information sharing forums, third-party vendors, and government sources such as the National Vulnerability Database (NVD), which catalogs Common Vulnerabilities and Exposures (CVE) entries.
When agencies are putting this practice into place, CISA recommends asking questions such as:
Asking these questions of your own capabilities and operations helps your team ensure they have the data and information needed for vulnerability management. Effective vulnerability management is dependent on two things:
While Practice 1 focuses on ensuring your security and compliance teams have the data they need, Practice 2 looks at your agency’s processes around vulnerability management.
Having a vulnerability management plan enables your agency to scale vulnerability responses and aids in maintaining internal and external SLAs.
Practice 2 is intended to help departments and agencies understand their protocols for how they put the data gathered in Practice 1 into effect. For example, when a new vulnerability is identified, what tools does our team use to evaluate its potential impact? Is there a single source of truth for our asset information? How long does it take for our team to identify and address impacted devices and users? How are different assets and vulnerabilities prioritized?
Practice 2 also prods agencies to evaluate their team operations concerning vulnerability management. This looks at how the process of vulnerability management itself is documented and communicated in a department or agency. For instance, if the last time your vulnerability management procedures were updated was before March 2020’s rapid shift to remote work, it may be time to review them to ensure they are keeping up with your BYOD policy.
A great way to evaluate your current processes is to look at their effectiveness. While it’s hard to determine the exact causal relationship between good processes and not being breached, one metric to track over time when evaluating your vulnerability management processes is the number of vulnerabilities left unpatched, and for how long.
The goal of Practice 3 is to ensure that vulnerability scanners are used in accordance with best practices. This practice builds on the previous two. It relies on accurate, up-to-date asset, software, and vulnerability data, to power a vulnerability scanning tool. It also encourages agencies to evaluate how vulnerability scanners fit into their current VUL operations.
A great metric to help agencies ensure their vulnerability scanners are effective is to look at their coverage: what share of the assets in your inventory the scanner actually reaches. CISA recommends considering both coverage and the frequency of your scheduled vulnerability scans to help agencies improve this practice. Scans performed at the right intervals, with the right coverage, deliver the input to your vulnerability management plan (Practice 2). Your plan should outline a repeatable process for putting the results of your scans into action to make your agency more secure.
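As an added example, which is not part of the original post and not an Axonius product feature, the following Python computes the two metrics discussed above for Practice 2 and Practice 3: the number of open (unpatched) findings, including those past a remediation deadline, and scanner coverage obtained by correlating the asset inventory with the hosts the scanner actually reached. It also surfaces the two gaps that correlation exposes: inventoried assets the scanner never touched, and scanned hosts missing from the inventory. Every hostname, owner, CVE id and SLA threshold in it is a constructed placeholder.

```python
"""Scanner coverage and unpatched-finding metrics from constructed data."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str                      # placeholder ids below, not real vulnerabilities
    severity: str
    first_seen: date              # scan date on which the finding was first reported
    fixed: Optional[date] = None  # None while the finding is still open


# Constructed asset inventory, as HWAM/SWAM would supply it, keyed by the
# agency's chosen unique device attribute (hostname here, for brevity).
INVENTORY = {
    "ws-0001": "finance", "ws-0002": "finance",
    "srv-db-01": "platform", "srv-web-01": "platform", "lt-0042": "hr",
}

# Constructed scanner output: the hosts the scanner actually reached, plus the
# findings it reported. srv-legacy-09 is reachable by the scanner but absent
# from the inventory; ws-0002 and lt-0042 are inventoried but never scanned.
SCANNED = {"ws-0001", "srv-db-01", "srv-web-01", "srv-legacy-09"}
FINDINGS = [
    Finding("ws-0001", "CVE-0000-0001", "high", date(2024, 5, 1), date(2024, 5, 9)),
    Finding("ws-0001", "CVE-0000-0002", "critical", date(2024, 5, 20)),
    Finding("srv-db-01", "CVE-0000-0003", "medium", date(2024, 4, 2)),
    Finding("srv-web-01", "CVE-0000-0005", "critical", date(2024, 5, 10)),
    Finding("srv-legacy-09", "CVE-0000-0004", "high", date(2024, 4, 15)),
]

# Assumed remediation deadlines per severity, in days; substitute the
# agency's own SLA values.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Reporting date used for the sample run (constructed).
AS_OF = date(2024, 6, 1)


def scanner_coverage(inventory, scanned):
    """Correlate the inventory with scanner reach; both gaps matter."""
    inv = set(inventory)
    covered = inv & scanned
    return {
        "coverage": len(covered) / len(inv) if inv else 0.0,
        "unscanned": sorted(inv - scanned),  # inventoried, never scanned
        "unknown": sorted(scanned - inv),    # scanned, missing from inventory
    }


def open_findings(findings, as_of):
    """Findings that were still unpatched on the reporting date."""
    return [f for f in findings if f.fixed is None or f.fixed > as_of]


def past_sla(findings, as_of, sla_days=SLA_DAYS):
    """Open findings older than their severity's deadline, as (asset, cve, age)."""
    overdue = []
    for f in open_findings(findings, as_of):
        age = (as_of - f.first_seen).days
        if age > sla_days.get(f.severity, 0):
            overdue.append((f.asset, f.cve, age))
    return overdue


def vul_report(inventory, scanned, findings, as_of):
    """Combine the Practice 2 and Practice 3 metrics into one report dict."""
    report = scanner_coverage(inventory, scanned)
    report["open_count"] = len(open_findings(findings, as_of))
    report["overdue"] = past_sla(findings, as_of)
    return report


if __name__ == "__main__":
    from pprint import pprint
    pprint(vul_report(INVENTORY, SCANNED, FINDINGS, AS_OF))
```

On the sample data the report shows 60% coverage, two inventoried assets the scanner never reached, one scanned host that the inventory does not know about, four open findings, and two of those past their deadline. The "unknown" list is the case that a scanner alone cannot flag: without an authoritative inventory to correlate against, an unmanaged host with an overdue finding simply looks like any other scanned host.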
Cybersecurity asset management platforms, like Axonius, help agencies improve their vulnerability management practices. Axonius connects to hundreds of IT and security tools to correlate data about hardware and software assets, users, and vulnerabilities. Agencies use Axonius to:
What’s more, Axonius is a DHS CDM-approved vendor for asset management.
Book a demo to see the Axonius platform for yourself.