The Cybersecurity and Infrastructure Security Agency (CISA) issued a binding operational directive (BOD) Monday requiring federal agencies to account for the assets and vulnerabilities residing on their networks, giving CISA a firmer footing to manage cybersecurity across the federal civilian agencies.
The BOD comes after Congress gave CISA the authority to require cyber incident reporting earlier this year. It complements growing efforts to build zero trust principles into federal agencies' cybersecurity strategies and pushes agencies to develop stronger data management practices so they can "catch" vulnerabilities before they are exploited.
CISA has been working toward greater visibility into federal agencies' networks for several years now. The recent SolarWinds software supply chain attack underscored the need for that visibility: the attackers gained access to the networks of SolarWinds customers, among them the State Department, the Department of Homeland Security, nuclear research labs and government contractors.
"Threat actors continue to target our nation's critical infrastructure and government networks to exploit weaknesses within unknown, unprotected, or under-protected assets," CISA Director Jen Easterly said in a press release. "Knowing what's on your network is the first step for any organization to reduce risk."
The directive will require all agencies to perform automated asset discovery every seven days, at a minimum covering the entire IPv4 space the agency uses; to enumerate vulnerabilities across all discovered assets, including laptops, every 14 days; to begin ingesting vulnerability enumeration results into the Continuous Diagnostics and Mitigation (CDM) agency dashboard within 72 hours of discovery; to establish the ability to perform on-demand asset discovery and vulnerability enumeration within 72 hours of receiving a request from CISA; and to report vulnerability enumeration performance data within six months of CISA publishing the requirements.
"While the requirements in this Directive are not sufficient for comprehensive, modern cyber defense operations, they are an important step to address current visibility challenges at the component, agency, and FCEB enterprise level," the directive reads.
Federal agencies will have until April 2023 to implement the required actions. The directive applies to federal civilian agencies and does not cover the Department of Defense or the intelligence agencies. While the directive is a mandate for federal agencies only, CISA recommends that state, local, tribal and territorial governments, as well as private businesses, consider implementing asset and vulnerability management programs of their own.
"While this Directive applies to federal civilian agencies, we urge all organizations to adopt the guidance in this directive to gain a complete understanding of vulnerabilities that may exist on their networks," Easterly said. "We all have a role to play in building a more cyber resilient nation."