
CDM 2020: “Operationalizing CDM” Through Risk-Based Vulnerability Management

The year 2020 is shaping up to be a pivotal one for the U.S. Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program as it takes significant steps toward realizing the program vision of empowering federal agencies to make informed cybersecurity risk decisions and fix their worst problems first. 

The CDM program, administered by the U.S. Department of Homeland Security (DHS), delivers cybersecurity tools and services to all federal agencies. The year ahead represents a tipping point for this critical program in many ways. One of those ways, as described by CDM program manager Kevin Cox recently, is the ability to deliver actionable cybersecurity information through the CDM dashboard ecosystem, or what he characterizes as “operationalizing” CDM. 

Cox refers to FY2020 as a “readiness year,” in which federal agencies will become familiar with the concept of scoring their cyber risk and begin to evaluate their performance against a federal average. The CDM FY2020 to-do list includes establishing a federal baseline for AWARE algorithm scores for participating agencies and providing guidance to agencies on ways to improve AWARE scores by enhancing software patching practices and other measures. Each federal agency sees its own AWARE score and a federal average score. The CDM Program Office also sees the data and offers feedback to agencies on how to improve scores. 

So, what goes into an AWARE score anyway? While refinements are anticipated, AWARE 1.0 currently provides a raw risk score, which gives an agency a rough idea of its overall cyber risk. At a high level, according to the Cybersecurity and Infrastructure Security Agency (CISA), AWARE categorizes vulnerabilities in three ways:

  • Software Vulnerability (VUL) – Individual CVEs (Common Vulnerabilities and Exposures) identified on network endpoints by vulnerability scanners
  • Configuration Settings Management (CSM) – Vulnerabilities that fail a CSM check are scored by assigning a risk value within the Common Vulnerability Scoring System (CVSS) scale based on severity
  • Unauthorized Hardware (UAH) – Hardware devices not assigned to a Federal Information Security Modernization Act (FISMA) container

AWARE then assigns scores for the above three categories of vulnerability based on four metrics:

  • Base – The base CVSS (Common Vulnerability Scoring System) value, scaled to prioritize the worst problems first
  • Age – Age measured from the CVE publication date, with impact increasing over time
  • Weight – Weight incorporating threat intelligence and other inputs
  • Allowable Tolerance – A “grace period” between the score appearing on the agency’s dashboard and the federal dashboard that enables the agency to patch before a vulnerability impacts its Federal AWARE score
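To make the four metrics concrete, here is an added illustration (not AWARE's actual algorithm, and not Tenable code) of a scoring model built from the same ingredients: a scaled CVSS base, an age factor measured from CVE publication, a threat-intelligence weight, and an allowable-tolerance grace period that keeps new findings off the federal score until the agency has had time to patch. The scaling, the per-day age increase, the 30-day grace window and the sample findings are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date

GRACE_DAYS = 30  # assumed allowable-tolerance window; AWARE's real value is not stated here

@dataclass
class Finding:
    cve: str            # CVE id (placeholder values in the constructed sample below)
    category: str       # "VUL" or "CSM"; CSM failures are given a CVSS-scale risk value
    cvss_base: float    # CVSS base score, 0-10
    published: date     # CVE publication date, from which age is measured
    first_seen: date    # date the finding appeared on the agency dashboard
    weight: float = 1.0 # threat-intelligence multiplier (assumed input)

def scaled_base(cvss_base: float) -> float:
    """Scale CVSS so the worst problems dominate: assumed quadratic scaling."""
    return cvss_base ** 2 / 10.0

def age_factor(published: date, today: date) -> float:
    """Impact grows with age: assumed +1 percent per day since CVE publication."""
    return 1.0 + max(0, (today - published).days) / 100.0

def finding_score(f: Finding, today: date) -> float:
    return round(scaled_base(f.cvss_base) * age_factor(f.published, today) * f.weight, 2)

def in_grace_period(f: Finding, today: date) -> bool:
    """Allowable tolerance: a finding newer than GRACE_DAYS does not count federally yet."""
    return (today - f.first_seen).days < GRACE_DAYS

def agency_score(findings, today):
    """Agency dashboard: every open finding counts."""
    return round(sum(finding_score(f, today) for f in findings), 2)

def federal_score(findings, today):
    """Federal dashboard: findings still inside the grace period are excluded."""
    return round(sum(finding_score(f, today) for f in findings if not in_grace_period(f, today)), 2)

def prioritize(findings, today):
    """Worst problems first: CVE ids ordered by descending score."""
    return [f.cve for f in sorted(findings, key=lambda f: finding_score(f, today), reverse=True)]

# Constructed sample findings with placeholder CVE ids (not real agency data).
SAMPLE = [
    Finding("CVE-0000-1111", "VUL", 9.8, date(2019, 1, 1), date(2019, 12, 1), weight=1.5),
    Finding("CVE-0000-2222", "CSM", 5.0, date(2019, 12, 1), date(2020, 1, 20)),
]
TODAY = date(2020, 2, 1)
```

With these assumptions the old, heavily weighted critical scores 71.45 and the recent configuration finding 4.05, so the agency dashboard shows 75.5 while the federal dashboard shows only 71.45 until the 30-day grace period on the newer finding runs out.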

The vision for AWARE is to become an essential tool for federal agencies to make informed risk decisions and fix their worst problems first. At Tenable, we call this risk-based vulnerability management, and we have designed our Risk-Based Vulnerability Management Solution to deliver the type of actionable information that DHS is hoping to achieve with AWARE. Every federal agency that receives AWARE data about vulnerability priorities can also receive Tenable risk-based vulnerability prioritization data through its Tenable.sc platform. Leveraging this investment can deliver a substantial head start in understanding how to fix the vulnerabilities that pose the most risk first, resulting in superior AWARE scores as well as a more secure environment. 

The Tenable Risk-Based Vulnerability Management Solution, like AWARE, includes CVSS data as a factor in its scoring. Recognizing the shortcomings of CVSS as a guide to vulnerability prioritization, however, the Tenable Risk-Based Vulnerability Management Solution goes far beyond CVSS to deliver a complete view that enables informed risk-based decision-making. The solution uses machine learning analytics to correlate vulnerability severity, threat actor activity and asset criticality to predict and manage issues posing the greatest risk. 

Effective risk-based vulnerability prioritization must identify the few vulnerabilities with the highest likelihood of being exploited and include asset criticality. Tenable automates this by using data science and machine learning models to analyze more than 150 factors and output two risk-based metrics: the Vulnerability Priority Rating (VPR) and the Cyber Exposure Score. The VPR combines multiple vulnerability severity and threat intelligence factors to determine the likelihood of a vulnerability being exploited. The Cyber Exposure Score takes this further and automatically calculates asset criticality to represent the impact and combines the asset criticality rating with the VPR to determine each vulnerability’s risk to the agency.

Perhaps most importantly, Tenable does not limit Cyber Exposure Score information to the enterprise or agency level. Organizations can configure the Tenable Risk-Based Vulnerability Management Solution to deliver actionable Cyber Exposure Score data at any desired organizational level, enabling an extremely granular view of the security posture within the agency, and helping agency decision-makers apply limited resources where they are most needed. This achieves the vision that Kevin Cox has expressed for AWARE to “get it down to the business system level.”

To learn more about risk-based vulnerability management, visit: https://www.tenable.com/solutions/risk-based-vulnerability-management

For insights into how to go beyond CVSS to enable informed risk-based prioritization decisions, read the ebook, Focus on the Vulnerabilities That Pose the Greatest Risk.
