There are many practical considerations that can be leveraged when implementing a National Institute of Standards and Technology (NIST) Continuous Diagnostics and Mitigation (CDM) Program. In this article, we'll identify a few practices to support your implementation of a CDM Program, with the hope that the information provided can be used to assist an organization with aligning CDM into the current information security program or meet requirements of another cybersecurity management structure such as the NIST Cybersecurity Framework (CSF).

CDM is a dynamic approach to fortifying the cybersecurity of networks and systems. By using CDM, organizations can arm themselves with the additional security capabilities and tools needed to establish a proactive and ongoing prioritization of risks based on potential impacts to valuable assets and the likelihood of a risk occurring. By having a CDM program in place, security personnel will be better prepared to mitigate and prioritize problems with the highest impact and those most likely to occur. 

The NIST CDM Program consists of three phases and is designed to cover continuous diagnostic security capabilities:

  1. Endpoint Integrity – focuses on control areas related to the management of hardware and software assets, configuration management, and vulnerability management. These can also be looked at as the basic foundations of any robust information (cyber) security program built to protect systems and data, by addressing hardware and software, as well as configuration settings and vulnerability management. 
  2. Least Privilege and Infrastructure Integrity – brings together some of the "trust"-related controls of the phrase "Trust but Verify" by considering the requirements of access and authentication, identifying users and privileges for who can do what, and the idea that these need to be managed on an independent, continuous, and proactive basis. This phase also introduces the first parts of the verify process by considering "Behavior Management" as it relates to security. 
  3. Boundary Protection and Event Management – provides for the management of the entire Security Lifecycle and furthers the idea of "verify" with controls related to monitoring. This phase consists of the security areas including planning for, and responding to events, generic audit/monitoring, documenting requirements and policies, as well as risk management and boundary protection.

When implementing continuous monitoring, organizations may need to increase the amount of data captured, automate collection of events across numerous systems—essentially centralizing the collection, and in the end hopefully make organizations better-equipped to prioritize risk alerts. And once the CDM Program is implemented across the organization, there will be a comprehensive and continuous security infrastructure in place. 

There is much to consider when determining whether a CDM Program is right for your institution, and this article merely scratches the surface. 

This article was a consolidation from a soon-to-be-published chapter in the International Guide to Cybersecurity, 2nd edition published by the American Bar Association. For further information, as well as links to additional helpful resources, please contact FIPCO Director - InfoSec and Audit Services Ken Shaurette at 800-722-3498, ext. 251.

Shaurette is FIPCO director - InfoSec and Audit Services.