Under a newly released U.S. government Binding Operational Directive (BOD), federal agencies have until April to set up measurable processes needed to perform automated asset discovery and vulnerability detection at regular intervals.
The most recent BOD from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is an effort to gain better visibility into the systems, and the potential security holes, across the government’s infrastructure, said CISA director Jen Easterly. Asset discovery processes enable organizations to identify the network-addressable IP assets residing on their networks and their associated IP addresses, or hosts. This in turn gives them a better ability to report the attributes of those hosts (such as operating systems, applications or open ports) in order to identify outdated software versions or missing updates.
“Threat actors continue to target our nation’s critical infrastructure and government networks to exploit weaknesses within unknown, unprotected, or under-protected assets,” said Easterly in a Monday statement. “Knowing what’s on your network is the first step for any organization to reduce risk.”
Various measures can be set up to facilitate the discovery of assets and their corresponding flaws, including active scanning, passive flow monitoring, log querying, and API querying for software-defined infrastructure. The network-addressable IP assets covered by the BOD include any IP or operational technology asset assigned an IPv4 or IPv6 address and accessible over IPv4 or IPv6 networks, including servers and workstations, virtual machines, routers and switches, firewalls, network appliances and network printers. The inclusion of operational technology here is also key given the U.S. government’s push to better secure critical infrastructure devices and industrial control systems.
The government currently has a Continuous Diagnostics and Mitigation (CDM) program that offers centralized funding for agencies to procure the automated tools needed for asset management, including hardware-discovery tools that use passive and active scanning, mobile identity management tools for discovering mobile devices, and vulnerability management tools. The program also offers dashboards at both the agency level and the federal level (for CISA and the Office of Management and Budget) that display data about discovered devices, users, privileges and flaws.
While the CDM program is used by several agencies, including the Department of Veterans Affairs, the Small Business Administration and the Department of Health and Human Services, CISA’s new BOD takes that intent a step further by requiring all federal agencies to take specific steps around asset discovery and vulnerability enumeration by specific dates.
By April 3, for instance, all agencies must set up the processes needed to perform automated asset discovery every seven days, and vulnerability enumeration across all discovered assets every 14 days. Reporting this data is also a key component of the directive, as CISA hopes to get a fuller picture of the security standing of the entire U.S. government by better measuring the assets and associated flaws across the agencies' infrastructure. Agencies are required to record their vulnerability enumeration in the CDM agency dashboard, and to collect and report performance data.
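As an added example (not part of the article and not CISA or CDM tooling), the following Python check runs over a constructed inventory export and flags assets that fall outside the 7-day discovery and 14-day enumeration cadences described above, then computes the coverage share an agency might report; the record field names and the sample hosts are assumptions.

```python
from datetime import date, timedelta
import ipaddress

# Cadences from the directive: discovery every 7 days, enumeration every 14 days.
DISCOVERY_INTERVAL = timedelta(days=7)
ENUMERATION_INTERVAL = timedelta(days=14)

# Constructed sample inventory (not real agency data). Dates are ISO strings as an
# asset-management export might provide them; None means the step never ran.
SAMPLE_INVENTORY = [
    {"host": "ws-101", "ip": "10.20.1.15", "last_discovered": "2023-04-01", "last_enumerated": "2023-03-28"},
    {"host": "plc-07", "ip": "192.168.50.7", "last_discovered": "2023-03-20", "last_enumerated": "2023-03-10"},
    {"host": "srv-db", "ip": "2001:db8::10", "last_discovered": "2023-04-02", "last_enumerated": None},
    {"host": "printer-3", "ip": "", "last_discovered": "2023-04-02", "last_enumerated": "2023-04-02"},
]

def _parse(value):
    return date.fromisoformat(value) if value else None

def _overdue(last, interval, as_of):
    # A step that never ran, or ran longer ago than the interval, is out of cadence.
    return last is None or (as_of - last) > interval

def cadence_report(inventory, as_of):
    """Classify in-scope IP assets by whether discovery/enumeration is within cadence."""
    report = {"in_scope": 0, "no_valid_ip": [], "discovery_overdue": [], "enumeration_overdue": []}
    for asset in inventory:
        try:
            ipaddress.ip_address(asset["ip"])  # IPv4 and IPv6 addresses are both in scope
        except ValueError:
            # Record without a usable address: cannot be treated as a network-addressable IP asset
            report["no_valid_ip"].append(asset["host"])
            continue
        report["in_scope"] += 1
        if _overdue(_parse(asset["last_discovered"]), DISCOVERY_INTERVAL, as_of):
            report["discovery_overdue"].append(asset["host"])
        if _overdue(_parse(asset["last_enumerated"]), ENUMERATION_INTERVAL, as_of):
            report["enumeration_overdue"].append(asset["host"])
    return report

def coverage_pct(report, overdue_key):
    """Percentage of in-scope assets within cadence for the given step."""
    if report["in_scope"] == 0:
        return 0.0
    return 100.0 * (report["in_scope"] - len(report[overdue_key])) / report["in_scope"]

if __name__ == "__main__":
    r = cadence_report(SAMPLE_INVENTORY, date(2023, 4, 3))
    print(r)
    print("discovery coverage %.1f%%" % coverage_pct(r, "discovery_overdue"))
    print("enumeration coverage %.1f%%" % coverage_pct(r, "enumeration_overdue"))
```

Records that lack a valid address are listed separately so they can be investigated rather than silently inflating or deflating the coverage figures.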
Jonathan Reiber, vice president for Cybersecurity Strategy and Policy at AttackIQ, said the directive is a good requirement for agencies to better understand their assets and represents one of the key building blocks of the Biden administration’s Executive Order strategy from last year.
“In general, I’m very supportive of organizations conducting continuous assessments of the assets they have in their inventory,” he said. “Organizations often don’t know what they have across their infrastructure... That lack of a clear perception of their asset topology leaves them vulnerable to all types of risk.”
As has been the case with other BODs, which are security-related requirements that the government issues to federal, executive branch agencies, CISA hopes that this most recent directive will set a precedent for private sector entities to follow as well, though it is not required for them. Under a BOD last year in which CISA developed a catalog of known exploited vulnerabilities that federal agencies must address, for instance, the agency made the catalog public in the hope that private firms would apply the patches as well.
“While this Directive applies to federal civilian agencies, we urge all organizations to adopt the guidance in this directive to gain a complete understanding of vulnerabilities that may exist on their networks,” said Easterly. “We all have a role to play in building a more cyber resilient nation.”