CISA ready to take CDM program into the world of OT

The Cybersecurity and Infrastructure Security Agency’s goal for year 12 of the Continuous Diagnostics and Mitigation (CDM) program is quite simple.

CISA is focused on operationalizing current cyber tools to make sure agencies are getting the full value out of them.

Matt House, the program manager for the CDM program at CISA, said this new focus is non-trivial when it comes to the 100 or so federal civilian agencies using CDM.

“For us, priorities for fiscal 2024 include getting to the point where we are declaring our asset management efforts related to traditional endpoints (network servers, workstations, laptops and desktops) complete. We’re very close there,” House said on Ask the CIO. “But we recognize that asset management as a family of capabilities is not done yet. We’re about halfway through on mobile asset class work, so that’s going to continue hot and heavy this fiscal year. We began some pilots on some similar capabilities for cloud assets in 2023, and so in 2024, we expect to continue to ramp that up as another broad class of assets that we want to bring under management and under visibility, if you will.”

In addition to traditional IT endpoints, CDM will extend asset management to internet of things (IoT) devices and other connected devices that are considered non-traditional, including operational technology (OT).

“From an asset management perspective, it’s starting to tackle those or continuing to tackle those other asset classes. The path and timeline will vary as you think across those different assets in terms of what that’s going to look like. But our objective is the same for all which is to have parity in terms of visibility,” he said. “Fundamentally, these devices are not radically different than some of our traditional endpoints. But there’s a much greater breadth of implementation and quirkiness, if you will, to some of these devices. We are now evaluating some of those products that have been introduced into the market in the past few years that are a little bit more purpose built and tuned for dealing with sensing on IoT devices. With traditional endpoints, it’s more straightforward where we can do things like deploy an agent, and that agent can run locally on that device to sense all of the needs and report back. With IoT, and with some of these other things that we need to report on and ensure we have visibility to in the network, that’s a little bit more like remote sensing, and so there’s some technical nuance there that we’re trying to isolate through the use of maybe some purpose built tools.”

House added that CISA will evaluate the tools and capabilities available in the commercial market today and how CISA and the agencies could take advantage of them.
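The distinction House draws above, agent-based reporting for traditional endpoints versus remote sensing for IoT and OT, comes down to reconciling two data sources: what checked in through an agent and what was actually observed on the network. The script below is an added example written for this article, not CISA or CDM code. It assumes two constructed inputs: a list of agent check-ins and a handful of DHCP/ARP-style observation lines in a made-up format. The OUI-to-device-class table is hypothetical (the prefixes are not real IEEE assignments), and the locally-administered-bit check is there because randomized MAC addresses on mobile and some IoT devices make MAC-based reconciliation unreliable.

```python
import re
from collections import Counter

# Constructed sample inputs (not real agency data).
# Agent check-ins: the "traditional endpoint" view House describes.
AGENT_REPORTS = [
    {"host": "ws-0420", "mac": "00:1A:2B:3C:4D:5E", "ip": "10.0.1.20"},
    {"host": "srv-db01", "mac": "00:1a:2b:aa:bb:cc", "ip": "10.0.2.5"},
]

# Remote-sensing view: DHCP acks and ARP sightings in a made-up line format
# "<timestamp> <DHCPACK|ARP> <ip> <mac> [hostname]". A hostname of "-" means none.
NETWORK_OBSERVATIONS = """\
2024-01-10T10:00:01 DHCPACK 10.0.1.20 00:1a:2b:3c:4d:5e ws-0420
2024-01-10T10:00:07 DHCPACK 10.0.2.5 00:1a:2b:aa:bb:cc srv-db01
2024-01-10T10:01:15 DHCPACK 10.0.3.41 a8:bb:cc:01:02:03 -
2024-01-10T10:02:30 ARP 10.0.3.42 a8:bb:cc:04:05:06
2024-01-10T10:03:00 ARP 10.0.4.9 de:ad:be:ef:00:01
2024-01-10T10:05:00 DHCPACK 10.0.1.20 00:1a:2b:3c:4d:5e ws-0420
"""

# Hypothetical OUI-to-class table. These prefixes are NOT real IEEE assignments;
# a real deployment would use the IEEE OUI registry or a purpose-built sensor's fingerprints.
OUI_CLASSES = {"a8:bb:cc": "building-automation"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>DHCPACK|ARP)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})(?:\s+(?P<host>\S+))?$"
)


def norm_mac(mac):
    """Agents and sensors disagree on case; compare on a canonical form."""
    return mac.lower()


def is_locally_administered(mac):
    """Bit 1 of the first octet set means the address is locally administered,
    which is what randomized (privacy) MACs and many virtual NICs use."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def classify(mac):
    """Best-effort device class from the OUI; randomized MACs cannot be classified that way."""
    if is_locally_administered(mac):
        return "randomized-or-virtual"
    return OUI_CLASSES.get(mac[:8], "unknown")


def parse_observations(text):
    """Fold observation lines into one record per MAC, keeping every IP and source seen."""
    seen = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the format rather than guess
        mac = norm_mac(m["mac"])
        rec = seen.setdefault(
            mac, {"mac": mac, "first_seen": m["ts"], "ips": set(), "hostname": None, "sources": set()}
        )
        rec["ips"].add(m["ip"])
        rec["sources"].add(m["src"])
        if m["host"] and m["host"] != "-":
            rec["hostname"] = m["host"]
    return seen


def visibility_gap(agent_reports, observations):
    """Devices seen on the wire that no agent reported: the remote-sensing backlog."""
    managed = {norm_mac(r["mac"]) for r in agent_reports}
    return [
        {**rec, "class": classify(mac)}
        for mac, rec in sorted(observations.items())
        if mac not in managed
    ]


def summarize(gap):
    """Count the unmanaged devices by class, which is what an asset-class rollout plans against."""
    return dict(Counter(r["class"] for r in gap))


def coverage(agent_reports, observations):
    """Fraction of observed devices that are under agent management (the parity metric)."""
    if not observations:
        return 1.0
    managed = {norm_mac(r["mac"]) for r in agent_reports}
    return len(managed & observations.keys()) / len(observations)


if __name__ == "__main__":
    obs = parse_observations(NETWORK_OBSERVATIONS)
    gap = visibility_gap(AGENT_REPORTS, obs)
    print(f"observed={len(obs)} managed_coverage={coverage(AGENT_REPORTS, obs):.0%}")
    for r in gap:
        print(f"  unmanaged {r['mac']} ips={sorted(r['ips'])} class={r['class']}")
    print("by class:", summarize(gap))
```

On the constructed input, two of the five observed devices are agent-managed; the two hypothetical building-automation controllers and one randomized-MAC host make up the gap. The last bucket is the practical caveat: a device whose MAC is randomized cannot be tracked across leases by MAC alone, so parity for mobile and IoT classes needs an identifier the sensor can actually correlate (DHCP client ID, 802.1X identity, or a purpose-built fingerprint) rather than the MAC.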

FISMA’s focus on OT systems

CDM’s move to include more OT system data comes as part of a broader governmentwide effort to better manage and secure these non-traditional systems.

In the Office of Management and Budget’s fiscal 2024 Federal Information Security Modernization Act (FISMA) guidance, agencies must establish an enterprise-wide inventory of their covered IoT assets by the end of fiscal 2024. That category includes OT systems, which range from industrial control systems to building management systems, fire control systems and physical access control mechanisms.

“Inventorying agency IoT assets, including those that qualify as OT, is critical for ensuring the cybersecurity posture of an enterprise, as these assets are increasingly interconnected with IT hardware and software. An inventory enables agency CIOs and CISOs to gain visibility over their connected devices and systems, apply appropriate controls (such as those set out in NIST SP 800-82 and NIST SP 800-213), and make risk-based decisions about mitigating against cybersecurity threats,” OMB wrote in the guidance sent to agencies in December. “Additionally, an inventory enables agencies to more efficiently identify and mitigate vulnerabilities to ensure a more secure and resilient infrastructure. Inventorying is also a necessary prerequisite to establishing a baseline to enable monitoring and detecting unauthorized, abnormal, or potentially malicious activities.”

As part of its fiscal 2024 FISMA metrics, also sent to agencies in December, CISA is asking agencies to report the number of systems that include operational technology (OT) and/or internet of things (IoT) devices, broken out by whether the system is low, moderate or high impact. Within each impact level, CISA wants the number of systems that include IoT devices and the number that include OT devices that qualify as IoT, based on NIST definitions.

Beyond IoT and operational technology, House said CDM will continue to push the implementation of endpoint detection and response (EDR) capabilities.

Finishing the rollout of EDR

He said CISA expects to finalize the rollout of EDR across the civilian agencies in 2024.

“The other thing that we’re doing now that’s pretty exciting and probably the single most significant effort that we’re going to undertake this fiscal year is enabling what we call persistent access capability (PAC) through EDR, which is the unique capability that we’ll have in CISA to be able to have our threat hunters and cyber analysts have visibility across the EDR implementations in the federal civilian agencies,” he said. “That’s super transformative in terms of being a force multiplier for agencies from a cyber defense and cyber response perspective. It’s actually a very straightforward, easy thing for us to enable from a technical perspective, provided agencies have hit critical mass on their EDR implementations.”

Much of the data from EDR and PAC flows into the agency CDM dashboards and CISA’s federal dashboard. House said over the past few years CISA has taken several steps to bring the dashboard to a good place in terms of capability and usage across the government.

“A push for us this fiscal year is to get more agencies onboarded into our hosted version of the dashboard. The dashboard-as-a-service takes away some of the complexity, costs and concerns that agencies have of running their own instance of their agency dashboard, and we will host it for them. It allows for a lot more economies of scale for us that I think give us and the agencies the best of both worlds,” he said. “The other thing from a dashboard perspective I’m excited about is that as part of our last release in fiscal 2023, version 6 of the dashboard, we turned on some capability related to automating some FISMA metrics reporting. We’re just starting to do that. I think we’ve got a couple toes in that pool now and we will be continuing to expand that during 2024. That’s going to become a big area of emphasis for us because it’s relatively low lift for us. It’s relatively low complexity and risk. I think [everyone] would agree that it adds a lot of value in terms of getting out of the manual quarterly reporting cycle for some metrics that are ready for automation.”

House added that automating certain FISMA metrics relates directly to the goal of operationalizing CDM. He said it gives cyber analysts and defenders more time to focus on defense and risk mitigation rather than on reporting data.

That is especially true of one more capability CDM is planning for in 2024: over-the-air updates to the dashboard.

House said version 6 includes that ability to push content updates more quickly.

“What we’re going to be doing a lot more of this year is pushing out content updates that have no security impact to agency dashboards. They don’t need to go through a rigorous agency-based code review or security review,” he said. “We can push these things out, and when we have the vulnerability of the week, the latest greatest vulnerability comes out that everybody’s got to jump on, we can have purpose-built dashboard visualizations in the federal dashboard and we can push those out to the agency dashboards to give agencies that very timely heads-up display of how to go kill the monster of the week. That’s a big thing for us because it’s leveraging, again, capability that we built that we’ll want to continue to maximize to really drive operational use of the dashboard at the agency level.”

Copyright © 2024 Federal News Network. All rights reserved.
