Services Banner

CONTINUOUS MONITORING AND RISK SCORING (CMRS)

PRINT PAGE Add This
Sign up to receive CMRS email updates (restricted to .mil email addresses)

Continuous Monitoring and Risk Scoring (CMRS) is a web based system that visualizes the cybersecurity risk of the Department of Defense (DoD) based on published asset inventory and compliance data.

The risk state of the DoD Enterprise security controls for software inventory and antivirus configuration are measured and reported.  Soon the risk measurements for Security Technical Implementation Guide (STIG) as well as (IAVM) vulnerability and patch compliance will also be included.

CMRS supports the risk-management approach to cybersecurity oversight by quantitatively displaying an organization’s security posture through the use of a risk dashboard.  Using the risk dashboard, users can gather actionable direction, implement prioritized mitigation decisions, and ensure effectiveness of security controls in order to support their cybersecurity risk management duties.

Capabilities

CMRS is currently accessible through a web browser on the SIPRNet with plans to also be hosted on the NIPRNet.

Risk Dashboard

CMRS displays a risk dashboard so that users can see the cybersecurity risk to the DoD and its sub-components (CC/S/A/FAs) based on the host data published from HBSS. 

Prerequisites

CMRS leverages the use of automated data feeds.  Currently, the risk dashboard is generated based on published Host Based Security System (HBSS) data ingested by CMRS.
The following HBSS baseline of products and modules are required to be installed and configured for CMRS.

  • (McAfee) ePolicy Orchestrator (ePO) – version 4.5.6, but 4.6.6 is preferred
  • Asset Configuration Compliance Module (ACCM) – version 2, but 2.0.0.1129 is preferred
  • McAfee Data Loss Prevention / Device Control Module (DCM) – version 9.1, but 9.2 Patch 1 is preferred
  • McAfee Host Intrusion Prevention (HIPS) – version 7.x, but 8.0 Patch 2 is preferred
  • McAfee Management Agent (MA) – version 4.5, but 4.6 is preferred
  • McAfee Policy Auditor Agent (PA) – version 5.3, but 6.0.1 is preferred
  • Antivirus (AV) - McAfee or Symantec – McAfee Symantec Antivirus 10.1.9, McAfee Virus Scan Enterprise 10.2, Symantec Endpoint Protection 12, Symantec Antivirus 10.1, Symantec Antivirus 10.2, Symantec Norton Antivirus 7500 9
  • Operational Attribute Module (OAM) – version 2.0.1, but 2.0.5.1 is preferred
  • Asset Publishing Service (APS) – version 2.0.1 or 2.0.0.6, but 2.0.3 is preferred – configured to publish to CMRS