The Continuous Diagnostics and Mitigation (CDM) program is designed to assess and mitigate cyber security threats across U.S. Federal civilian agencies. The program consists of four phases that address what is on the network (phase 1), who is on the network (phase 2), what is happening on the network (phase 3), and how is data protected (phase 4).
With phases 1 and 2 complete, civilian agencies have identified the assets and users on their networks, attached continuous monitoring sensors to those assets, and aligned users’ privileges and credentials with the appropriate resources. Phase 3 builds upon its predecessors and contains requirements focusing on how the network is protected. In particular, the Boundary Protection and Event Management (BOUND) tool functional area (TFA) is intended to diminish inappropriate access to data, systems and networks. The requirements contain three components: BOUND-F (filtering technology), BOUND-E (encryption), and BOUND-P (physical access protection). The BOUND requirements detail the most effective methods to protect sensitive data at rest and in motion via encryption and key management. Phase 3 also addresses what is happening on the network, detailing event management requirements as well as operate, monitor and improve requirements. These include preparedness for and response to contingencies and incidents (TFA 10 and 11) as well as the management of audit information (TFA 14).
Phase 4 focuses on data protection, the most critical component of an effective cyber security strategy. This phase introduces several capabilities that protect sensitive data “at rest, in use, and in transit, to ensure the confidentiality, integrity, and availability of data assets, and to ensure that sensitive information is subject to authorized access and use only.” It establishes protocols to identify and classify sensitive data, the locations in which it resides, and its associated data flows. Furthermore, phase 4 outlines data access controls that identify authorized users, roles, and uses.
Phase 4 Data Protection (DATA_PROT) requirements focus on applying protection to the data itself through encryption, access control and logging/monitoring. These encryption and key management requirements, many established under BOUND-E, include application encryption, file encryption, storage container encryption, and full disk encryption.
Thales Trusted Cyber Technologies (TCT) offers encryption and key management solutions that deliver the same level of security whether deployed in enterprise, tactical or cloud environments. Our solutions enable agencies to meet their CDM requirements while investing in a solution that provides robust security, a growing ecosystem, and the scalability needed to build a trusted framework for the future. Our solutions have a U.S. supply chain and can be deployed in any environment and easily integrate into an existing cyber security infrastructure. Thales TCT’s encryption and key management solutions have received CDM Approved Product List (CDM APL) approval to address phase 3 and phase 4 requirements.
For a full list of the phase 3 and 4 requirements that Thales TCT addresses, download our CDM solution brief.
Data Encryption and Key Management
Thales TCT’s CipherTrust Data Security Platform offers comprehensive solutions that help government agencies address these requirements. With the CipherTrust Data Security Platform, agencies can establish strong safeguards around sensitive data and minimize critical risks associated with leaving it in an unprotected state. Thales TCT’s solutions offer the controls required to ensure only authorized users can gain access to sensitive data at rest. These solutions can secure unstructured data, including documents, spreadsheets, images, web pages and more. These solutions can also secure structured data, such as fields in databases and applications that contain personally identifiable information, protected health information, mission data and other sensitive records.
With the CipherTrust Data Security Platform, agencies can take a comprehensive, organization-wide approach to protecting data in support of CDM. The platform offers a number of capabilities that comply with or exceed CDM requirements.
Network Encryption Solutions
Thales TCT’s High Speed Encryption solutions provide agencies with a single platform to ‘encrypt everywhere’: from network traffic between data centers and headquarters to backup and disaster recovery sites, whether on premises or in the cloud. These solutions offer powerful safeguards for data in motion, delivering network-layer-independent encryption that provides security without compromise, along with maximum throughput and minimal latency.
Thales TCT Solutions for Continuous Diagnostics and Mitigation
CDM overview mapping Thales TCT solutions to specific CDM requirements
Continuous Diagnostics and Mitigation: Data Protection & Assurance
Acknowledging that cyber security is a monumental task, CDM has taken a structured approach by defining four phases that enable agencies to fold in different aspects of cyber security over time. The program begins with dashboards at both the federal and the agency/department level. The program then deploys sensors throughout the network infrastructure that address different strategic questions associated with network security.
Video: A Data-Centric Approach to Security that Addresses CDM Compliance
Thales TCT's CTO, Brent Hansen, shares his insight into taking a data-centric approach to security to enhance an agency's overall security posture and address CDM compliance requirements in his presentation at FCW's CDM Summit.
Blog Post: A Data-Centric Approach to DEFEND
Thales TCT's CTO, Brent Hansen, shares his insight on addressing CDM DEFEND complexity through a decision tree approach to security.