The Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive (BOD) that sets baseline requirements for Federal civilian agencies to identify assets and vulnerabilities on their networks, and to provide data to CISA on those assets and on vulnerability detection.
CISA explained today that compliance with the order – which is mandatory for civilian agencies – is a fundamental step to moving Federal agencies to a better cybersecurity footing. The order does not apply to Defense Department and intelligence agencies.
Lining up with Cyber EO, CDM Goals
CISA said the directive aims to further the goals of President Biden’s Cybersecurity Executive Order issued in May 2021, particularly by improving vulnerability detection. It also seeks to provide operational clarity to related OMB memos.
The aims of the directive also appear to fall broadly in line with overarching goals of the agency’s Continuous Diagnostics and Mitigation (CDM) Program. That program has been working for several years to lead agencies to through the process of network asset discovery, installing endpoint detection and response capabilities, and reporting related data to CISA through the CDM dashboard.
“Continuous and comprehensive asset visibility is a basic pre-condition for any organization to effectively manage cybersecurity risk,” CISA said today. “Accurate and up-to-date accounting of assets residing on federal networks is also critical for CISA to effectively manage cybersecurity for the Federal Civilian Executive Branch (FCEB) enterprise.”
“The purpose of this Binding Operational Directive is to make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities,” CISA said. “While the requirements in this Directive are not sufficient for comprehensive, modern cyber defense operations, they are an important step to address current visibility challenges at the component, agency, and FCEB enterprise level.”
CISA defined asset discovery as inventorying network-addressable IP-assets on agency networks along with associated IP addresses. It said that discovery process is “non-intrusive and usually does not require special logical access privileges.”
Identifying vulnerabilities of network assets, CISA said, involves detecting “host attributes (e.g., operating systems, applications, open ports, etc.), and attempts to identify outdated software versions, missing updates, and misconfigurations. It validates compliance with or deviations from security policies by identifying host attributes and matching them with information on known vulnerabilities.”
“Understanding an asset’s vulnerability posture is dependent on having appropriate privileges, which can be achieved through credentialed network-based scans or a client installed on the host endpoint,” the agency said.
Agency Goals
CISA said the goal of the directive is for agencies to achieve the following outcomes:
- “Maintain an up-to-date inventory of networked assets as defined in the scope of this directive;
- Identify software vulnerabilities, using privileged or client-based means where technically feasible;
- Track how often the agency enumerates its assets, what coverage of its assets it achieves, and how current its vulnerability signatures are; and
- Provide asset and vulnerability information to CISA’s CDM Federal Dashboard.”
The agency said it was not ordering agencies to undertake any specific method to get to those goals, but said it is ready to help with the process.
“Agencies may request CISA’s assistance in conducting an engineering survey to baseline current asset management capabilities,” the agency said, adding it “will work with requesting agencies to provide technical and program assistance to resolve gaps, optimize scanning, and support achieving the required actions in this Directive.”
Looming Agency Milestones
Federal agencies have until April 2023 to meet several key milestones:
- Perform automated asset discovery every seven days;
- Conduct vulnerability enumeration across all discovered assets, including laptops, every 14 days;
- Provide vulnerability enumeration results into the CDM agency dashboard within 72 hours of discovery;
- Create the ability to perform on-demand asset discovery and vulnerability enumeration within 72 hours of receiving a CISA request; and
- Within six months of CISA publishing requirements, report vulnerability enumeration performance data to the CDM dashboard.
CISA said that by April 3, 2023, it will deploy an updated CDM dashboard configuration “that enables access to object-level vulnerability enumeration data for CISA analysts,” as directed by the White House cybersecurity executive order.
Agencies will be required to make reports at six, 12, and 18 month intervals to CISA on their progress in meeting the goals of the directive.
CISA Comment
“Over the past several years, CISA has been working urgently to gain greater visibility into risks facing federal civilian networks, a gap made clear by the intrusion campaign targeting SolarWinds devices,” the agency said in announcing the directive.
“Threat actors continue to target our nation’s critical infrastructure and government networks to exploit weaknesses within unknown, unprotected, or under-protected assets,” commented CISA Director Jen Easterly.
“Knowing what’s on your network is the first step for any organization to reduce risk,” she said. “While this Directive applies to federal civilian agencies, we urge all organizations to adopt the guidance in this directive to gain a complete understanding of vulnerabilities that may exist on their networks. We all have a role to play in building a more cyber resilient nation.”