CISA red-teamed a critical infrastructure organization for months and didn't get caught

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive to improve asset visibility and vulnerability detection on federal networks. Federal agencies are required to comply with such directives; the scope excludes the Department of Defense but includes federal civilian executive branch systems.

The directive arrives amid growing concern about insider threats and cyberattacks by nation-state hacking groups, and alongside a push for zero-trust security. Continuous and comprehensive asset visibility ensures, at least in principle, that the network is continuously monitored for device hygiene, software installations, running processes, and rogue devices. This gives federal IT teams a clear picture of what software, devices, and users are on their network at any given time, and lets them build a continuously updated record of network hygiene.

CISA describes asset discovery as “the building block of operational visibility”, an activity in which an organization identifies what “network addressable IP-assets reside on their networks and identifies the associated IP addresses (hosts).” Asset discovery is usually non-intrusive and can be performed passively through procedures such as SPAN or TAP port monitoring, synchronizing with Active Directory, or using service credentials.

Vulnerability enumeration is another key requirement of this directive. Any suspected vulnerabilities on the discovered assets are categorized by severity and reported to the appropriate teams for remediation. Detected vulnerabilities could be open ports, outdated software versions, missing critical patches, or misconfigurations.

This directive builds upon the Continuous Diagnostics and Mitigation (CDM) implementations across the United States public sector, a complementary effort for visibility, reporting, and cyber hygiene.

CISA states that the organizations affected by this directive will be responsible for the following outcomes:

  • Maintain an up-to-date inventory of networked assets as defined in the scope of this directive;
  • Identify software vulnerabilities, using privileged or client-based means where technically feasible;
  • Track how often the agency enumerates its assets, what coverage of its assets it achieves, and how current its vulnerability signatures are; and
  • Provide asset and vulnerability information to CISA’s CDM Federal Dashboard.

By April 3, 2023, affected organizations will need to comply with this directive and perform actions such as an automated asset discovery every 7 days. All network reporting will be rolled into the CISA CDM Federal Dashboard.
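The outcomes listed above boil down to three measurable things: how often assets are enumerated, what share of the inventory each run actually covers, and how stale the vulnerability signatures are. The following is an added example (not from CISA or the article) of how an agency might compute those metrics from its own discovery-run records; the 7-day discovery cadence is taken from the directive, while the 95% coverage floor and 7-day signature-age limit are assumed thresholds, and all input data is constructed.

```python
from datetime import datetime

# Constructed sample data, not real agency records: timestamps of automated
# discovery runs and how many inventoried assets each run actually observed.
DISCOVERY_RUNS = [
    {"ts": "2023-04-03T02:00:00", "assets_seen": 980},
    {"ts": "2023-04-09T02:00:00", "assets_seen": 1012},
    {"ts": "2023-04-19T02:00:00", "assets_seen": 1030},  # 10 days after the previous run
]
INVENTORY_SIZE = 1050                      # assets in the authoritative inventory (constructed)
SIGNATURE_UPDATED = "2023-04-12T00:00:00"  # last vulnerability-signature refresh (constructed)


def cadence_gaps(runs, max_gap_days=7):
    """Pairs of consecutive runs spaced further apart than the 7-day cadence the directive requires."""
    stamps = sorted(datetime.fromisoformat(r["ts"]) for r in runs)
    gaps = []
    for earlier, later in zip(stamps, stamps[1:]):
        days = (later - earlier).total_seconds() / 86400
        if days > max_gap_days:
            gaps.append((earlier.isoformat(), later.isoformat(), round(days, 2)))
    return gaps


def latest_coverage(runs, inventory_size):
    """Fraction of inventoried assets observed by the most recent discovery run."""
    latest = max(runs, key=lambda r: r["ts"])
    return latest["assets_seen"] / inventory_size


def signature_age_days(signature_updated, now):
    """Whole days since the vulnerability signatures were last refreshed."""
    return (datetime.fromisoformat(now) - datetime.fromisoformat(signature_updated)).days


def compliance_report(runs, inventory_size, signature_updated, now,
                      max_gap_days=7, min_coverage=0.95, max_signature_age_days=7):
    """Summarise the three tracked metrics; min_coverage and max_signature_age_days are assumed thresholds."""
    gaps = cadence_gaps(runs, max_gap_days)
    coverage = latest_coverage(runs, inventory_size)
    sig_age = signature_age_days(signature_updated, now)
    findings = []
    if gaps:
        findings.append(f"{len(gaps)} discovery interval(s) exceeded {max_gap_days} days")
    if coverage < min_coverage:
        findings.append(f"coverage {coverage:.1%} below {min_coverage:.0%}")
    if sig_age > max_signature_age_days:
        findings.append(f"signatures {sig_age} days old, limit {max_signature_age_days}")
    return {"gaps": gaps, "coverage": round(coverage, 4),
            "signature_age_days": sig_age, "compliant": not findings, "findings": findings}
```

Running `compliance_report(DISCOVERY_RUNS, INVENTORY_SIZE, SIGNATURE_UPDATED, "2023-04-20T00:00:00")` flags the 10-day gap between the last two runs and the 8-day-old signatures while coverage passes, which is the kind of per-metric evidence the CDM dashboard reporting is meant to surface.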

CISA Director Jen Easterly has stressed that these actions are necessary to prevent vulnerabilities from being exploited by hackers. “Threat actors continue to target our nation’s critical infrastructure and government networks to exploit weaknesses with unknown, unprotected, or under-protected assets. Knowing what’s on your network is the first step for any organization to reduce risk.”
