Comply 2 Connect (C2C) – A Solution to Quell the Rogues in Our Midst

Have you ever taken a personal device to work and connected it to the work network? Maybe you connected to the Wi-Fi with a mobile device. Perhaps you brought in a personal laptop and plugged into an open port to connect to the internet. These may seem like harmless activities, and some companies even allow non-corporate devices on their guest network as a way to enable visitors to operate in their environment. In shared office environments, open networks are seen as business enablers. However, this communal networking approach is a security nightmare.

It is easy to shrug off any concern, citing network segmentation and other technologies to protect the corporate systems from visitor traffic, but as described in the past, achieving network segmentation is a separate challenge, and something as simple as a device misconfiguration can introduce security gaps. 

When analyzed from a risk perspective, the chances of a security gap for a small organization is equally as likely as it is for a large organization. A small company has a high risk because it lacks the staff required to achieve the appropriate level of security. A large organization may have adequate staffing, but the sprawl of such a large footprint can easily lead to overlooked areas.

What Is Comply-to-Connect (C2C)?

Now, one of the largest organizations in the world has taken steps to “combat” the problem of rogue devices on the network. The United States Department of Defense (DoD), which has a roster of nearly three million members, has implemented the “Comply-to-Connect (C2C)” program. 

According to the Defense Information Systems Agency (DISA) fact sheet, the purpose of the program is to “establish a framework of tools and technologies operating throughout the network infrastructure that discover, identify, characterize, and report on all devices connecting to the network.” 

Take note of the last four words of that statement. The program is not going to discover objects that are connected to the network. Rather, C2C is, by design, built to actively detect devices in the process of connecting. This is important because most organizations can only conduct periodic scans for new network devices after they are connected. This means that in most organizations, an infected or worse a malicious machine can stay connected, undetected, during periods when no scanning is taking place. The C2C program is part of the full DoD Zero Trust Model.

Not only will the C2C program actively detect, but it will block connections unless they comply with DoD requirements. An example of the phased approach to connecting includes the following steps:

• Host-Based Security System (HBSS) Agent Health Check – Are they installed/running? If not, auto-remediate.
• Assured Compliance Assessment Solution (ACAS) Scan Check – Completed as part of routine scans? If not, trigger scan.
• ACAS Scan Results Check – Are there high-priority outstanding vulnerabilities that have not been remediated? If so, auto-trigger notification/remediation.
• Software and Patch Compliance Check – Are patches up to date? If not, trigger agent check-in.
• External Device Check – Are any unauthorized external devices plugged into the device? If so, disable device.
• Security Technical Implementation Guide / Security Content Automation Protocol (STIG/SCAP) Compliance Check – Is device properly configured against DISA STIGs?
• Operational Technology / Platform Information Technology / Internet of Things OT/PIT/IoT
• Network Behavior Check – Are there any anomalous protocols or communication requests?

The external device check phase should raise special interest, as it shows the depth of information that is gathered during the connection phase. Not only does C2C check the core device that is attempting a connection, but it is also set to see if any external devices are connected to that device. 

C2C is scheduled to be in full effect on the DoD’s Non-classified Internet Protocol (IP) Router Network (NIPRNet) by June 2023 and on the Secret Internet Protocol Router Network (SIPRNet) by March 2024. Given the complexity and the breadth of the DoD systems, this is an aggressive timetable. 

The C2C initiative, coupled with the Cybersecurity Maturity Model Certification (CMMC) requirements, are bold measures to improve cybersecurity on a grand scale. If successful, these can serve as models for other organizations to improve their cybersecurity.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.