CISA orders federal agencies to regularly perform IT asset discovery, vulnerability enumeration

A new directive issued by the Cybersecurity and Infrastructure Security Agency (CISA) is ordering US federal civilian agencies to perform regular asset discovery and vulnerability enumeration, to better account for and protect the devices that reside on their networks.

About the Directive

“Over the past several years, CISA has been working urgently to gain greater visibility into risks facing federal civilian networks, a gap made clear by the intrusion campaign targeting SolarWinds devices,” the agency explained the impetus for the Binding Operational Directive 23-01.

“While the requirements in this Directive are not sufficient for comprehensive, modern cyber defense operations, they are an important step to address current visibility challenges at the component, agency, and FCEB enterprise level.”

The Directive does tells the agencies that, six months from now (i.e., by April 3, 2023,) they must:

• Perform automated asset discovery every 7 days (the discovery must cover the entire IPv4 space used by the agency)
• Initiate vulnerability enumeration across all discovered assets, including “roaming” devices, every 14 days
• Start automated ingestion of detected vulnerabilities into CISA’s Continuous Diagnostics and Mitigation (CDM) Dashboard within 72 hours
• Develop and maintain the capability to initiate on-demand asset discovery and vulnerability enumeration to identify specific assets or subsets of vulnerabilities, when requested to do so by CISA.

A step in the right direction

While the Directive requires the agencies to achieve these goals, it does not tell them how to go about it.

“Discovery of assets and vulnerabilities can be achieved through a variety of means, including active scanning, passive flow monitoring, querying logs, or in the case of software defined infrastructure, API query. Many agencies’ existing Continuous Diagnostics and Mitigation (CDM) implementations leverage such means to make progress toward intended levels of visibility,” CISA added.

“Asset visibility is not an end in itself, but is necessary for updates, configuration management, and other security and lifecycle management activities that significantly reduce cybersecurity risk, along with exigent activities like vulnerability remediation.”

CISA Director Jen Easterly also added that, while this Directive applies to federal civilian agencies, all organizations should think about building their own asset discovery and vulnerability enumeration capabilities (if they haven’t already). “We all have a role to play in building a more cyber resilient nation,” she noted.

UPDATE (October 6, 2022, 06:45 a.m. ET):

Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, says that the directive is crucial for two reasons.

“First, if network activity is not monitored in real time, the status of assets is largely unknown, and whether they have vulnerabilities or not these assets cannot be protected without the necessary visibility into their day-to-day functionality. Second, vulnerabilities are not all the same, the degree to which vulnerabilities impact integrity and availability of systems varies by technology, deployment, configuration, and environment,” she commented.

“The highly anticipated CISA cross-sector cyber performance goals (CPGs) are another step in the right direction, to help owners and operators of critical infrastructure prioritize and implement the NIST cyber security framework. It will also provide a benchmark or starting point for industry to self-evaluate their own cybersecurity practices and program maturity, prioritizing based on technology scope, costs, impact, and complexity.”

Ron Brash, VP Technical Research & Integrations at aDolus, says that the number one resource civilian agencies will need to be able to comply with the CISA directive is a solid deployment plan and enough staff or contractors to enact that plan.

“Assuming that is in place (a big assumption), the agencies will need to purchase and deploy the tools that can perform regular automated asset discovery scans and interpret the results from these scans. The initial effort to do this is never trivial, as building an accurate IT asset list almost always requires a lot of gumshoeing to correlate the results reported by the tools with what is actually in place. That said, it is a worthwhile endeavor as if you don’t know what you are actually trying to protect, it is hard to protect it. Plus, once the basics are done, it is much easier to keep your assets list up to date,” he noted.

“The real challenge will be the requirement to perform vulnerability scans ‘across all discovered assets, including all nomadic/roaming devices (e.g., laptops), every 14 days.’ Again there are lots of tools available, but they tend to be focused on IT assets, not OT or IoT assets. As a result, agencies will likely run into a ‘Pareto Problem’ — common IT assets like servers and workstations (the 80%) will be easy (20% effort), but then all the remaining non-traditional assets will take 80% of the effort. With the explosion in both OT and IoT products in the last decade, few agencies will escape this pain: think security cameras, badge readers, HVAC systems, and even soft drink machines as connected devices that will take a lot of effort to scan safely and reliably. Agencies with OT assets (such as air, water, or land monitoring and management) will have an even tougher time.”

He also says that this publication is a first step towards enforcing cybersecurity vigilance on connected assets, and that asset management is a step towards software supply chain security and Software Bills of Materials (SBOMs).

“Without comprehensive asset management, agencies will be unable to effectively use SBOMs to manage risk posed by asset components or libraries. SBOMs will require new tools to take advantage of all the new security capabilities they offer. They are also likely to expose a tsunami of previously unknown (but dangerous) vulnerabilities that will need immediate attention by staff. Those responsible for complying with this Operational Directive are getting an early warning from CISA: ‘SBOMs are becoming a mandatory security requirement in the next year so get your house in order now.'”