This month, the Cybersecurity and Infrastructure Security Agency (CISA) issued its latest Binding Operational Directive (BOD), 23-01, Improving Asset Visibility and Vulnerability Detection on Federal Networks. It directs federal civilian agencies to better account for what resides on their networks, and comes as CISA has been working urgently to gain greater visibility into the risks facing federal civilian networks, a gap made clear by the intrusion campaign targeting SolarWinds devices.
This directive is meant to establish baseline requirements for all Federal Civilian Executive Branch (FCEB) agencies to identify assets and vulnerabilities on their networks and provide data to CISA at defined intervals.
“Threat actors continue to target our nation’s critical infrastructure and government networks to exploit weaknesses within unknown, unprotected, or under-protected assets,” said CISA Director Jen Easterly.
“Knowing what’s on your network is the first step for any organization to reduce risk,” added Easterly. “While this Directive applies to federal civilian agencies, we urge all organizations to adopt the guidance in this directive to gain a complete understanding of vulnerabilities that may exist on their networks. We all have a role to play in building a more cyber resilient nation.”
What It Means for Civilian Agencies and Contractors
Although the directive is a mandate only for federal civilian agencies, CISA has recommended that private businesses, as well as state, local, tribal and territorial (SLTT) governments, review it and prioritize the implementation of rigorous asset and vulnerability management programs.
The concern is that attackers often know more about an enterprise’s computer networks than those working there.
“They gain the initial access into your enterprise, discover all of your assets, and plan angles of attack to achieve their objectives,” warned Snehal Antani, CEO and co-founder of cybersecurity research firm Horizon3.ai.
“It’s critical for all organizations, including federal agencies, to view their enterprises through the eyes of an attacker to ensure they don’t have rogue, misconfigured, or vulnerable assets on their network that could lead to a compromise,” Antani told ClearanceJobs.
“The requirements outlined by BOD 23-01, which include continuous security testing combined with prioritized fix actions integrated into detection engineering practices, are critical to ensuring organizations are prepared to detect and respond to cyberattacks.”
Building An Accurate Inventory
Many civilian agencies and government contractors have largely lost track of the devices that can connect to their respective networks. It would take only one trusted but compromised device to cause serious problems.
“It is essential that federal agencies have and report an accurate inventory of connected devices. Securing the enterprise is contingent upon knowing and understanding the makeup of an IT environment, and asset visibility is a fundamental requirement. BOD 23-01 establishes a 7-day requirement for asset discovery, which is a step in the right direction but could be more aggressive,” said Matt Marsden, vice president for technical account management at cybersecurity firm Tanium.
Real-time discovery can be crucial to uncovering blind spots and eradicating shadow IT, Marsden added.
“Not only do defenders need to have a comprehensive perspective of all known devices, but they also require timely alerts as new devices connect to their networks,” he told ClearanceJobs. “Delaying new asset discovery by a day or more can significantly increase risk and exposure.”
Tracking Potential Exposure
Security experts have said the new directive is a step, even a leap, in the right direction, but there is still more to do.
“CISA is moving forward in setting deadlines for vulnerability enumeration and reporting through the CDM dashboard,” said Marsden. “As new vulnerabilities are discovered, agencies must have the capability to comprehensively scan their endpoints and know within minutes if they are exposed.”
When a critical vulnerability exists in the federal enterprise, it is essential to understand the scope of the exposure and to have an immediate path to remediation. Potential adversaries and other bad actors can move quickly. Unpatched vulnerabilities, misconfigured systems, and data gaps are unnecessary risks, and each can be quite detrimental to a network’s security.
There is, however, the issue that mobile devices and apps aren’t getting enough attention, at least not to date.
“This initiative directly concerns network infrastructure and does mention mobile devices, but only in the context of agency-owned devices. It should be extended to include the increasing threat of the use of downloaded apps on personal devices,” George McGregor, vice president at mobile security developer Approov, told ClearanceJobs via email.
It could also be argued that it is time to do more with less – meaning that legacy applications need to be removed when possible.
“Agencies must reduce the clutter of legacy applications and reduce the deployment of single-use software,” said Marsden. “It is imperative to secure the software supply chain to reduce the risk of introducing net new vulnerable applications, but agencies must also proactively reduce the number of applications on-hand. Using dynamic software platforms that converge security and operations can be transformational in shifting to a more mature security posture.”