What are CDM and CRED?
The Continuous Diagnostics and Mitigation (CDM) Task Order for CREDMGMT provides guidance and tools to federal civilian agencies to fulfill the Manage Credentials and Authentication (CRED) Function. This functional area is designed to prevent
- the binding of credentials
- the use of credentials by anyone other than the rightful owner (person or service).
The approved tools provide careful management of credentials, preventing attackers from using hijacked credentials to gain unauthorized control of resources, especially administrative rights.
The CRED capability ensures that account credentials are assigned to, and used by, authorized people or services. This solution relies on the results of the managed account access capability to ensure that only trusted people receive credentials, and in order to accomplish this requirement the CREDMGMT task, the order requires the use of a master user record (MUR). Because of its universal use at agencies for access to Windows OS-based services, databases & applications and Microsoft Active Directory (MS AD) will serve as the MUR.
Using the CREDMGMT toolsets allows agencies to achieve the goals set forth in this CDM functional areas and many other requirements like those in NIST 800-53 for least access, OMB HSPD-12, and MFA everywhere.
Why is CDM Important?
CDM and these other federal programs are valuable because they address the number one source of all data breaches -- compromised credentials. Compromised credentials are the path of least resistance because every user in an agency has extensive access to many digital resources. Once an IT associate or a non-IT agency user’s identity is compromised, any cyber criminal worth their salt is able to gain access to the network and move horizontally & vertically through agency resources.
To fulfill the universal use of the MUR for all users and services, non-Windows servers, databases, and applications need to be connected to the MUR. If these assets are left to be controlled only by a password vault for “privileged users”, 90-95% of the agencies associates will continue to use additional user IDs and passwords. This defeats the whole purpose of CDM and CREDMGMT task order and increases the risk of compromised identities.
Delinea’s Identity Platform connects all non-Windows servers, databases, and applications to the MUR. This extends access controls for all associates of an agency to all technologies on the network by using their PIV cards and limiting the risk of compromised identities.
Delinea is part of the CDM CREDMGMT task order award, which means that agencies can acquire Delinea software for both desktops & other non-Windows assets such as Unix, Linux servers, and databases & applications. Delinea software will extend the capabilities of the MUR seamlessly and currently supports Active Directory integration and authorization controls for more than 450 operating systems. Delinea software is FIPS and Common Criteria certified.