The Continuous Diagnostics and Mitigation (CDM) Task Order for CREDMGMT provides guidance and tools to federal civilian agencies to fulfill the Manage Credentials and Authentication (CRED) Function. This functional area is designed to prevent
- the binding of credentials to anyone other than the rightful owner (person or service)
- the use of credentials by anyone other than the rightful owner (person or service).
The approved tools provide careful management of credentials, preventing attackers from using hijacked credentials to gain unauthorized control of resources, especially administrative rights.
The CRED capability ensures that account credentials are assigned to, and used by, authorized people or services. This solution relies on the results of the Manage Account Access capability to ensure that only trusted people receive credentials, and in order to accomplish this requirement the CREDMGMT task order requires the use of a master user record (MUR). Because of its universal use at agencies for access to Windows OS-based services, databases and applications, Microsoft Active Directory (MS AD) will serve as the MUR.
Using the CREDMGMT toolsets allows agencies to achieve the goals set forth in this CDM functional area, as well as many other requirements such as those in NIST SP 800-53 for least access, OMB HSPD-12 and MFA everywhere.
Why is CDM Important?
CDM and these other federal programs are valuable because they address the number one source of all data breaches: compromised credentials. Compromised credentials are the path of least resistance because every user in an agency has extensive access to many digital resources. Once an IT associate's or a non-IT agency user's identity is compromised, any hacker worth their salt is able to gain access to the network and move horizontally and vertically through agency resources.
To fulfill the universal use of the MUR for all users and services, non-Windows servers, databases and applications need to be connected to the MUR. If these assets are left to be controlled only by a password vault for "privileged users", 90-95% of the agency's associates will continue to use additional user IDs and passwords. This defeats the whole purpose of CDM and the CREDMGMT task order, and increases the risk of compromised identities.
Centrify's Identity Platform connects all non-Windows servers, databases and applications to the MUR. This extends access controls for all associates of an agency to all technologies on the network, using their PIV card, and limits the risk of compromised identities.
Centrify is part of the CDM CREDMGMT task order award, which means that agencies can acquire Centrify software for both desktops and other non-Windows assets such as UNIX and Linux servers, databases and applications. Centrify software extends the capabilities of the MUR seamlessly and currently supports Active Directory integration and authorization controls for more than 450 operating systems. Centrify software is FIPS and Common Criteria certified.
Learn more about how Centrify delivers data center, cloud and mobile solutions for the federal market here.
This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.