Agencies are starting out Cybersecurity Awareness Month with a new directive to routinely scan their networks for new devices and potential cyber vulnerabilities after recent high-profile cyber incidents exposed a lack of real-time visibility into federal networks.
The Cybersecurity and Infrastructure Security Agency issued a binding operational directive on Monday for “improving asset visibility and vulnerability detection on federal networks.” The goal of the mandate, it states, is to “make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities.”
It directs agencies by April 3, 2023, to perform automated asset discovery every seven days, and to identify and report suspected vulnerabilities on those assets every 14 days.
During a call with reporters Monday, CISA Director Jen Easterly highlighted the new directive and referenced the SolarWinds cyber incident, when nine federal agencies had data stolen by suspected Russian government hackers. Hackers were able to use a SolarWinds software update to infiltrate customer networks, where they went undetected for months.
“If you’ve heard us talk at all about this, we have said consistently that we are on an urgent path to gain visibility into risks facing federal civilian networks,” Easterly said. “This was obviously a gap illuminated by SolarWinds.”
The new directive also tells agencies by April 3 to automate the reporting of detected vulnerabilities to Continuous Diagnostics and Mitigation (CDM) dashboards within 72 hours of discovering the potential exploit.
Agencies should also “develop and maintain the operational capability to initiate on-demand asset discovery and vulnerability enumeration to identify specific assets or subsets of vulnerabilities within 72 hours of receiving a request from CISA and provide the available results to CISA within 7 days of request,” the directive states.
Meanwhile, CISA plans to publish a common data format within six months for agencies to use when reporting vulnerability information into the CDM dashboard.
“This data will allow for CISA to automate oversight and monitoring of agency scanning performance including the measurement of scanning cadence, rigor, and completeness,” the directive states.
Improving the detection of cyber vulnerabilities on federal networks and providing that information to CISA are major priorities under last year’s cybersecurity executive order. Agencies have, for instance, updated their agreements with CISA to provide object-level data to CDM dashboards.
Easterly said the directive is the latest step in positioning CISA at the center of federal cyber defenses.
“This is a movement essentially to allow CISA in its role as operational lead for federal cybersecurity to manage the federal sector cybersecurity as an enterprise, and that’s incredibly important and really reflects our rapidly maturing role,” she said.
Rob Silvers, the undersecretary for strategy, policy and plans at the Department of Homeland Security, also cast the new directive as part of the response to the Log4j open source software vulnerability. Silvers is chairman of the Cyber Safety Review Board, which recommended stronger software transparency measures in the wake of Log4j.
“[The directive] is a powerful example of an important operational step taken in furtherance of the board’s recommendations, as are our recent efforts to bolster security in the open source software community and related supply chain,” Silvers said during today’s press call.