
Tenable Blog

CDM 2020: “Operationalizing CDM” Through Risk-Based Vulnerability Management

The year 2020 is shaping up to be a pivotal one for the U.S. Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program as it takes significant steps toward realizing the program vision of empowering federal agencies to make informed cybersecurity risk decisions and fix their worst problems first. 

The CDM program, administered by the U.S. Department of Homeland Security (DHS), delivers cybersecurity tools and services to all federal agencies. The year ahead represents a tipping point for this critical program in many ways. One of those ways, as described by CDM program manager Kevin Cox recently, is the ability to deliver actionable cybersecurity information through the CDM dashboard ecosystem, or what he characterizes as “operationalizing” CDM. 

Cox refers to FY2020 as a “readiness year,” in which federal agencies will become familiar with the concept of scoring their cyber risk and begin to evaluate their performance against a federal average. The CDM FY2020 to-do list includes establishing a federal baseline for AWARE algorithm scores for participating agencies and providing guidance to agencies on ways to boost AWARE scores by enhancing software patching practices and other measures. Each federal agency sees its own AWARE score and a federal average score. The CDM Program Office also sees the data and offers feedback to agencies on how to improve scores.

So, what goes into an AWARE score anyway? While refinements are anticipated, AWARE 1.0 currently provides a raw risk score, which gives an agency a rough idea of its overall cyber risk. At a high level, according to the Cybersecurity and Infrastructure Security Agency (CISA), AWARE categorizes vulnerabilities in three ways:

  • Software Vulnerability (VUL) – Individual CVEs (Common Vulnerabilities and Exposures) identified on network endpoints by vulnerability scanners
  • Configuration Settings Management (CSM) – Vulnerabilities that fail a CSM check are scored by assigning a risk value within the Common Vulnerability Scoring System (CVSS) scale based on severity
  • Unauthorized Hardware (UAH) – Hardware devices not assigned to a Federal Information Security Modernization Act (FISMA) container

AWARE then assigns scores for the above three categories of vulnerability based on four metrics:

  • Base – The base CVSS (Common Vulnerability Scoring System) value, scaled to prioritize the worst problems first
  • Age – Age measured from the CVE publication date, with impact increasing over time
  • Weight – Weight incorporating threat intelligence and other inputs
  • Allowable Tolerance – A “grace period” between the score appearing on the agency’s dashboard and the federal dashboard that enables the agency to patch before a vulnerability impacts its Federal AWARE score
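To make the four metrics concrete, here is an added illustration in Python that is not the AWARE algorithm itself (the post does not give its formula) and not Tenable code: a hypothetical model that combines a scaled base score, an age multiplier and a threat weight, and shows how the Allowable Tolerance grace period keeps a new finding on the agency dashboard while holding it out of the federal score until the period lapses. The scaling rules, rates, tolerance window and sample findings are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical model of the four AWARE metrics; the real AWARE formula is not
# published in this post, so every rate and scaling rule here is an assumption.

@dataclass
class Finding:
    cve: str             # constructed identifier, not a real CVE
    cvss_base: float     # CVSS base score, 0.0 to 10.0
    published: date      # CVE publication date (drives the Age metric)
    first_seen: date     # date it first appeared on the agency dashboard
    weight: float = 1.0  # threat-intel multiplier (Weight metric), >= 1.0

def scaled_base(cvss_base: float) -> float:
    """Base metric: square the CVSS score so a 10 counts four times a 5,
    which makes the worst problems dominate the total (assumed scaling)."""
    return cvss_base ** 2 / 10.0

def age_factor(published: date, today: date) -> float:
    """Age metric: +10% per 30 days since publication, capped at 3x (assumed)."""
    days = max(0, (today - published).days)
    return min(3.0, 1.0 + 0.1 * (days // 30))

def finding_score(f: Finding, today: date) -> float:
    return round(scaled_base(f.cvss_base) * age_factor(f.published, today) * f.weight, 2)

def dashboard_scores(findings, today: date, tolerance_days: int = 30):
    """Return (agency_score, federal_score). A finding counts on the agency
    dashboard immediately but only reaches the federal score once the
    Allowable Tolerance grace period has elapsed without a fix."""
    agency = federal = 0.0
    for f in findings:
        s = finding_score(f, today)
        agency += s
        if (today - f.first_seen).days >= tolerance_days:
            federal += s
    return round(agency, 2), round(federal, 2)

# Constructed sample: one older, threat-weighted critical and one fresh medium.
TODAY = date(2020, 3, 1)
LATER = date(2020, 4, 1)   # same findings a month later, still unpatched
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", 9.8, date(2019, 12, 1), date(2020, 1, 15), weight=1.5),
    Finding("CVE-EXAMPLE-0002", 5.0, date(2020, 2, 20), date(2020, 2, 25)),
]

if __name__ == "__main__":
    for day in (TODAY, LATER):
        print(day, "agency/federal:", dashboard_scores(SAMPLE, day))
```

On the first date the fresh medium finding is visible to the agency but absent from the federal score; a month later it has aged past the grace period and both scores rise.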

The vision for AWARE is to become an essential tool for federal agencies to make informed risk decisions and fix their worst problems first. At Tenable, we call this risk-based vulnerability management, and we have designed our Risk-Based Vulnerability Management Solution to deliver the type of actionable information that DHS is hoping to achieve with AWARE. Every federal agency that receives AWARE data about vulnerability priorities can also receive Tenable risk-based vulnerability prioritization data through its Tenable.sc platform. Leveraging this investment can deliver a substantial head start in understanding how to fix the vulnerabilities that pose the most risk first, resulting in superior AWARE scores as well as a more secure environment. 

The Tenable Risk-Based Vulnerability Management Solution, like AWARE, includes CVSS data as a factor in its scoring. Recognizing the shortcomings of CVSS as a guide to vulnerability prioritization, however, the Tenable Risk-Based Vulnerability Management Solution goes far beyond CVSS to deliver a complete view that enables informed risk-based decision-making. The solution uses machine learning analytics to correlate vulnerability severity, threat actor activity and asset criticality to predict and manage issues posing the greatest risk. 

Effective risk-based vulnerability prioritization must identify the few vulnerabilities with the highest likelihood of being exploited and include asset criticality. Tenable automates this by using data science and machine learning models to analyze more than 150 factors and output two risk-based metrics: the Vulnerability Priority Rating (VPR) and the Cyber Exposure Score. The VPR combines multiple vulnerability severity and threat intelligence factors to determine the likelihood of a vulnerability being exploited. The Cyber Exposure Score takes this further and automatically calculates asset criticality to represent the impact and combines the asset criticality rating with the VPR to determine each vulnerability’s risk to the agency.

Perhaps most importantly, Tenable does not limit Cyber Exposure Score information to the enterprise or agency level. Organizations can configure the Tenable Risk-Based Vulnerability Management Solution to deliver actionable Cyber Exposure Score data at any desired organizational level, enabling an extremely granular view of the security posture within the agency, and helping agency decision-makers apply limited resources where they are most needed. This achieves the vision that Kevin Cox has expressed for AWARE to “get it down to the business system level.”

To learn more about risk-based vulnerability management, visit: https://www.tenable.com/solutions/risk-based-vulnerability-management

For insights into how to go beyond CVSS to enable informed risk-based prioritization decisions, read the ebook, Focus on the Vulnerabilities That Pose the Greatest Risk.
