CISA Directs Federal Agencies to Boost System Visibility

The Cybersecurity and Infrastructure Security Agency (CISA) this week issued Binding Operational Directive (BOD) 23-01 to improve vulnerability detection and identify weaknesses in federal civilian agencies’ systems and networks. Dubbed “Improving Asset Visibility and Vulnerability Detection on Federal Networks,” the directive requires federal civilian agencies to improve their awareness of their networked assets to improve their cybersecurity posture.

“Threat actors continue to target our nation’s critical infrastructure and government networks to exploit weaknesses within unknown, unprotected or under-protected assets,” said Jen Easterly, director at the CISA, in a statement about the BOD.

The directive says that by April 3, 2023, agencies under its purview must perform automated asset discovery on their systems every seven days. Once assets are identified, each agency must enumerate the vulnerabilities on them, including those affecting mobile devices. While larger agencies may not be able to complete a vulnerability assessment within 14 days, CISA said it expects those agencies to perform rolling assessments.

Vulnerability information must be loaded into the agency's Continuous Diagnostics and Mitigation (CDM) dashboard within 72 hours. Agencies must also develop and maintain the operational capability to initiate on-demand asset discovery and vulnerability enumeration, so that they can identify specific assets or subsets of vulnerabilities within 72 hours of receiving a request from CISA, and must provide the available results to CISA within seven days of the request.

“Knowing what’s on your network is the first step for any organization to reduce risk. While this directive applies to federal civilian agencies, we urge all organizations to adopt the guidance in this directive to gain a complete understanding of vulnerabilities that may exist on their networks. We all have a role to play in building a more cyber-resilient nation,” CISA said in a statement about the directive.

“It strikes a good balance,” said Chris Wysopal, founder and CTO at Veracode. “Things that aren’t automated don’t get done consistently. No more, ‘Joe, did you remember to kick off the scan this month?’ ‘No, I was busy writing up the last incident report.’”

“It also recognizes that some things may take more than the start cadence to finish,” Wysopal added, especially since slow links and legacy systems could slow the remediation process. “I like that [the directive] centralizes the vulnerability data. Then, when CISA drops a new known exploited vulnerabilities list to be patched by a certain date, they can see right away where the gaps are and work with departments to improve,” he said.

Michael Farnum, CTO at Set Solutions, wasn’t as upbeat. “I think it is going to run into the same issue as all these projects. They’re focused on vulnerability management as the be-all and end-all for asset management, and there are going to be significant gaps in the visibility of assets. Without guidance about how the agencies identify all their assets, organizations are going to default to certain tool sets,” he said.

Most organizations do have multiple sources they must tap to get an accurate list of assets. “You’ve got to have something that rolls it all up and de-duplicates findings so that you have a much better look at your true asset inventory,” Farnum said.
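The roll-up and de-duplication Farnum describes, combined with a check against the seven-day discovery and 14-day enumeration cadences the directive sets, is sketched below as an added example. It is not code from the article, from CISA or from any of the vendors quoted; the source names (netscan, edr, cmdb, mdm), the record fields and the sample records are constructed for illustration, and the rule that identity is resolved by MAC, then short hostname, then IP is an assumption about how such a merge is typically keyed.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Cadences stated in the directive: automated asset discovery every 7 days,
# vulnerability enumeration every 14 days.
DISCOVERY_WINDOW = timedelta(days=7)
ENUMERATION_WINDOW = timedelta(days=14)


@dataclass(eq=False)  # identity semantics, so assets can be folded into one another
class Asset:
    hostnames: set[str] = field(default_factory=set)
    ips: set[str] = field(default_factory=set)
    macs: set[str] = field(default_factory=set)
    sources: set[str] = field(default_factory=set)
    keys: set[str] = field(default_factory=set)  # every identifier that resolved to this asset
    last_seen: datetime | None = None
    last_enumerated: datetime | None = None

    def label(self) -> str:
        return min(self.hostnames or self.ips or self.macs)


def _ts(value: str | None) -> datetime | None:
    """Parse an ISO-8601 timestamp; a trailing 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def _latest(a: datetime | None, b: datetime | None) -> datetime | None:
    candidates = [x for x in (a, b) if x is not None]
    return max(candidates) if candidates else None


def _norm_mac(mac: str) -> str:
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def _identifiers(rec: dict) -> list[str]:
    """Normalised identity keys for one record (assumed order: MAC, short hostname, IP)."""
    keys = []
    if rec.get("mac"):
        keys.append("mac:" + _norm_mac(rec["mac"]))
    if rec.get("hostname"):
        # Sources disagree on case and on FQDN vs short name; key on the lower-cased short name.
        keys.append("host:" + rec["hostname"].strip().lower().split(".")[0])
    if rec.get("ip"):
        keys.append("ip:" + rec["ip"].strip())
    return keys


def _absorb(asset: Asset, rec: dict) -> None:
    """Fold one raw record into an asset, keeping the most recent timestamps."""
    asset.sources.add(rec["source"])
    if rec.get("hostname"):
        asset.hostnames.add(rec["hostname"].strip().lower())
    if rec.get("ip"):
        asset.ips.add(rec["ip"].strip())
    if rec.get("mac"):
        asset.macs.add(_norm_mac(rec["mac"]))
    asset.last_seen = _latest(asset.last_seen, _ts(rec.get("seen")))
    asset.last_enumerated = _latest(asset.last_enumerated, _ts(rec.get("enumerated")))


def merge_inventories(records: list[dict]) -> list[Asset]:
    """Roll several sources into one de-duplicated inventory.

    A record carrying identifiers of two previously separate assets (e.g. a CMDB
    row with both the scanner's IP and the agent's hostname) links them into one.
    """
    index: dict[str, Asset] = {}
    for rec in records:
        keys = _identifiers(rec)
        matches: list[Asset] = []
        for k in keys:
            found = index.get(k)
            if found is not None and found not in matches:
                matches.append(found)
        asset = matches[0] if matches else Asset()
        for other in matches[1:]:  # link assets that were separate until this record
            asset.hostnames |= other.hostnames
            asset.ips |= other.ips
            asset.macs |= other.macs
            asset.sources |= other.sources
            asset.last_seen = _latest(asset.last_seen, other.last_seen)
            asset.last_enumerated = _latest(asset.last_enumerated, other.last_enumerated)
            for k in other.keys:
                index[k] = asset
            asset.keys |= other.keys
        _absorb(asset, rec)
        for k in keys:
            index[k] = asset
        asset.keys.update(keys)
    return list(dict.fromkeys(index.values()))  # distinct assets, first-seen order


def cadence_findings(assets: list[Asset], now: datetime) -> dict[str, list[str]]:
    """Flag assets that fall outside the directive's discovery/enumeration cadences."""
    findings: dict[str, list[str]] = {}
    for a in assets:
        issues = []
        if a.last_seen is None or now - a.last_seen > DISCOVERY_WINDOW:
            issues.append("not discovered within 7 days")
        if a.last_enumerated is None or now - a.last_enumerated > ENUMERATION_WINDOW:
            issues.append("vulnerabilities not enumerated within 14 days")
        if issues:
            findings[a.label()] = issues
    return findings


# Constructed sample records from a network scanner, an endpoint agent, a CMDB and
# an MDM; not real agency data. The same web server appears three times.
SAMPLE_RECORDS = [
    {"source": "netscan", "ip": "10.0.0.5", "mac": "AA:BB:CC:DD:EE:01", "seen": "2023-04-01T02:00:00Z"},
    {"source": "edr", "hostname": "web01.agency.example", "seen": "2023-04-02T09:30:00Z",
     "enumerated": "2023-03-25T00:00:00Z"},
    {"source": "cmdb", "hostname": "WEB01", "ip": "10.0.0.5", "mac": "aa-bb-cc-dd-ee-01",
     "seen": "2023-03-20T00:00:00Z"},
    {"source": "netscan", "ip": "10.0.0.9", "mac": "AA:BB:CC:DD:EE:02", "seen": "2023-03-24T02:00:00Z"},
    {"source": "edr", "hostname": "db01.agency.example", "seen": "2023-04-02T09:30:00Z",
     "enumerated": "2023-03-15T00:00:00Z"},
    {"source": "mdm", "hostname": "phone-1234", "seen": "2023-04-03T00:00:00Z",
     "enumerated": "2023-04-01T00:00:00Z"},
]
SAMPLE_NOW = datetime(2023, 4, 3, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    inventory = merge_inventories(SAMPLE_RECORDS)
    print(f"{len(SAMPLE_RECORDS)} records -> {len(inventory)} distinct assets")
    for a in inventory:
        print(f"  {a.label():22} sources={sorted(a.sources)}")
    for label, issues in cadence_findings(inventory, SAMPLE_NOW).items():
        print(f"OUT OF CADENCE {label}: {'; '.join(issues)}")
```

Run as a script, it collapses the six sample records to four assets and flags the host at 10.0.0.9, which only the network scanner has ever seen and which nothing has enumerated, alongside a database server whose last enumeration is older than 14 days. The scanner-only host is the "unknown, unprotected" class of asset the directive is aimed at: it is invisible to an inventory built from agent data alone, which is why the roll-up across sources has to come before the cadence check.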

That said, overall, the BOD is a step in the right direction, and it’s a good place to start.

“They’re looking to get whatever handle they can on cybersecurity risk measurement,” said Scott Crawford, information security research head at 451 Research. “It sounds like good news for attack surface management and more modern asset inventory technology providers,” he said.