Continuous Monitoring and Risk Scoring (CMRS) is a web based system that visualizes the cybersecurity risk of the Department of Defense (DoD) based on published asset inventory and compliance data.
The risk state of the DoD Enterprise security controls for software inventory, antivirus configuration, Security Technical Implementation Guide (STIG), and Information Assurance Vulnerability Management (IAVM) vulnerability and patch compliance are measured and reported.
CMRS supports the risk-management approach to cybersecurity oversight by quantitatively displaying an organization’s security posture through the use of risk dashboards. Using the risk dashboards, users can gather actionable direction, implement prioritized mitigation decisions, and ensure effectiveness of security controls in order to support their cybersecurity risk management duties.
VALUE TO OUR MISSION PARTNERS
CMRS displays risk dashboards based on published HBSS and ACAS data so that users can see the cybersecurity risk to the DoD and its sub-components (CC/S/A/FAs).
CMRS leverages the use of automated data feeds. Currently, there is a risk dashboard generated based on published Host Based Security System (HBSS) data as well as reports based on published Assured Compliance Assessment Solution (ACAS) data.
ACAS version 6.2.2 or later is required for publishing to CMRS.
The following HBSS baseline of products and modules are required to be installed and configured for CMRS.
- (McAfee) ePolicy Orchestrator (ePO) – version 4.5.6 or later
- Asset Configuration Compliance Module (ACCM) – version 2 220.127.116.119 or later
- McAfee Data Loss Prevention / Device Control Module (DCM) – version 9.1 or later
- McAfee Host Intrusion Prevention (HIPS) – version 7.0 or later
- McAfee Management Agent (MA) – version 4.5or later
- McAfee Policy Auditor Agent (PA) – version 6.0.1 or laterAntivirus (AV) - McAfee or Symantec –McAfee Virus Scan Enterprise 10.2 or later, Symantec Endpoint Protection 12 or later
- Operational Attribute Module (OAM) – version 18.104.22.168 or later
- Asset Publishing Service (APS) – version 2.0.3 or later – configured to publish to CMRS