The latest cyber order from the Cybersecurity and Infrastructure Security Agency isn’t just about fixing known problems in networks and systems.
It’s about giving agencies and industry the intelligence they need to stop or limit hackers more efficiently.
Michael Duffy, an associate director at the Cybersecurity and Infrastructure Security Agency in the Homeland Security Department, said agencies should view the Binding Operational Directive from November as a way to become better cyber defenders.
“This wasn’t intended to stop the firefight. It was really meant to be a better way that CISA and agencies are fighting fires, and in a smarter, more effective way,” Duffy said on Ask the CIO. “Underlying the core value add that we were looking to present with this directive is the known exploited vulnerabilities catalog — the first of its kind across government and the first of any type of a dynamic list that CISA has presented transparently and open to the public, not just the federal sector. So anyone who wants to be part of this effort to focus on the right things to buy down risk can be.”
Through the November BOD, CISA is asking agencies to do two things. First, the directive gives agencies two weeks to address 90 exploits identified in 2021. Second, it gave agencies six months to address about 200 exploits identified between 2017 and 2020.
Agencies also have two months to review and update their internal vulnerability management procedures in accordance with the new directive. CISA told agencies to “automate data exchange and report their respective directive implementation status” through the continuous diagnostics and mitigation (CDM) dashboard.
CISA has been adding vulnerabilities to the catalog regularly. It added 24 new ones between November and December, and 15 more since Jan. 1.
Buying down cyber risk
Duffy said the goal of the catalog is to help agencies manage the volume and severity of the vulnerabilities.
“This is really meant to be a six-month effort to sprint toward buying down that risk. That’s the first step. The second moving forward is how this changes the game. We don’t want to have 20 emergency directives every year. We want to refer to one strategic directive, BOD 22-01, to say, ‘when you’re seeing these updates, immediately take action within these two weeks.’ That’s traditionally what we’ve asked for in emergency directives. So this really just scales and makes notable our expectations on agencies,” he said. “The last two actions are often seen as kind of administrative or managerial, and really, really important for what it means to sustain this effort as a government. The third is really to make sure that agencies are sharing information with each other and DHS as they’re finding challenges and understanding the barriers that they have to patch quickly. That’s something that goes beyond just reporting. It’s really how the government is making sense of these long-standing common challenges that we’re seeing, and finding ways that we’re able to tackle them really as a community and not just as a one-off. The last is enhancing your own internal procedures to do vulnerability management. That one kind of sounds like an on-the-side type of task. But this is really, really important because it gives agencies a chance to take a look at their current state, identify the best practices, maybe they have heard from CISA or agencies as we’re taking these actions, and build up the next phase, the more enhanced procedure that really incorporates this new mindset, this shift in the way that we’re managing vulnerabilities across the federal space.”
Over the last few months, CISA has started to see that change in how agencies are managing their vulnerabilities.
Duffy said this change is happening both from cultural and technology perspectives.
“To really help agencies implement these directives, we want agencies to have them as top priorities so we really put our team to the frontline to make sure that we’re supporting them. We are doing everything from interagency communications, meeting with the Federal CIO Council, the Federal CISO Council, to holding office hours, which is a fairly new thing. Since the start of the remote work environment, we hold weekly office hours after directives are issued where we can answer questions. It’s just kind of a more informal chat between technical teams. It’s gone very well for us and allows that kind of sharing across agencies,” Duffy said. “The other things that we’re doing for the binding operational directive is really going out to individual agencies, seeing what their current posture is when it comes to patch and vulnerability management and providing direct technical assistance where needed as they’re finding those. I like to call it the final mile or the last 3%. If we can’t patch these for these reasons, like it’s legacy technology and so we need to put in a Technology Modernization Fund proposal just to do this, those are really important discussions that we’re having across the interagency and gives us that sense of what agencies actually need from us both in services or support or assistance.”
Finding a common solution
In those meetings with agency technical teams, CISA is relying on the CDM dashboard to pinpoint areas that need extra attention.
He also said the office hours help CISA identify pain points, approaches that may not be working well or potential exceptions to the BOD.
“They’re also giving a hint to our CISA team about the types of things that might be the next strategic directive,” Duffy said. “If we hear from dozens of agencies that a certain technology or a certain approach they’re taking just isn’t working, it’s something that we really want to take to heart and find a better way to present a common-to-many solution. I think that’s a really important tool.”
Under CDM, a key feature has been helping agencies know what devices are on their network and then using the dashboard to track the status of those devices. Last fall, CISA released a request for information to push CDM one step further and bring in endpoint detection and response capabilities.
Duffy said as part of the BOD’s implementation, CISA is making a final push to complete the initial implementation of CDM capabilities, including vulnerability management and asset management.
“We are going back to make sure that agencies are 100% deployed with these capabilities and the data is fully integrated to the dashboards so that they can leverage those tools to not only identify what needs to be patched and identify vulnerabilities on their networks, but also make sure that they’re taking all steps they can with technology to apply patches quickly,” he said. “That really does help an agency address the hundreds of vulnerabilities in the catalog, possibly add automation and make sure they have the right technical expertise. All of that is really critical at this point.”
Duffy said the CDM dashboard is also how CISA will hold agencies accountable for meeting the goals of the BOD.
He said agencies must report the status of patching vulnerabilities as part of the reporting process under the Federal Information Security Management Act (FISMA).
“We are making sure that as agencies are taking the time to account for their current state, providing it into a mechanism and an approach that they are already used to. It’s not a new reporting regime. It’s not a new channel. It’s something that we’ll collect centrally for the time being, so that agencies can give us a sense of where they are. We can dig a little bit deeper into making sure that they’ve truly addressed all of these critical vulnerabilities,” he said. “I will note that I say for the time being because back to CDM, it can’t continue to be a manual process. I don’t want to see any agency CIOs having one list for their own assets and devices, another list with CISA known exploit vulnerabilities and manually comparing the two. Industry partners are playing a huge role and feeding this into their products. The CDM program is ensuring the dashboard is fully integrated, or even have a view that agencies can have to really understand where they are in this specific directive. And that all matters. We are already seeing that at a good number of agencies right now that have that at their fingertips as we speak. But we have to provide that alternative reporting, while we’re waiting for 100% across all agencies.”
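The manual comparison Duffy warns against, one list of assets and another of known exploited vulnerabilities checked by hand, is straightforward to automate. The script below is an added example, not code from the article or from CISA: it assumes catalog entries carry a `cveID` and `dateAdded` field, uses constructed sample findings, and applies the deadline rule described earlier (two weeks for 2021 CVEs, six months for 2017 to 2020 CVEs, counted from the date the entry was added).

```python
"""Reconcile scanner findings against a known-exploited-vulnerabilities catalog.

Catalog and inventory records here are constructed for illustration;
field names (cveID, dateAdded) are an assumption about the feed format.
"""
import calendar
from datetime import date, timedelta

CATALOG = [  # constructed sample catalog entries
    {"cveID": "CVE-2021-0001", "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2019-0002", "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2021-0003", "dateAdded": "2022-01-10"},
]

INVENTORY = [  # constructed scanner findings: (asset, CVE)
    ("web-01", "CVE-2021-0001"),
    ("db-01", "CVE-2019-0002"),
    ("web-01", "CVE-2020-9999"),  # not in the catalog: normal patch cycle
    ("vpn-01", "CVE-2021-0003"),
]


def add_months(d, n):
    """Calendar-month addition, clamping the day to the target month's length."""
    m = d.month - 1 + n
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def due_date(cve_id, date_added):
    """BOD 22-01 style deadline: 2021 CVEs get 2 weeks, older ones 6 months."""
    year = int(cve_id.split("-")[1])
    added = date.fromisoformat(date_added)
    return added + timedelta(days=14) if year >= 2021 else add_months(added, 6)


def reconcile(inventory, catalog, today):
    """Return catalog-listed findings with due dates, earliest deadline first."""
    kev = {e["cveID"]: e["dateAdded"] for e in catalog}
    now = date.fromisoformat(today)
    report = []
    for asset, cve in inventory:
        if cve in kev:  # only catalog entries fall under the directive
            due = due_date(cve, kev[cve])
            report.append({"asset": asset, "cve": cve,
                           "due": due.isoformat(), "overdue": now > due})
    return sorted(report, key=lambda r: r["due"])


if __name__ == "__main__":
    for row in reconcile(INVENTORY, CATALOG, "2022-02-01"):
        print(row)
```

Feeding the output into the agency's existing reporting channel keeps a single view of what is due, rather than a side spreadsheet.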