The Cybersecurity and Infrastructure Security Agency is taking a major step towards increasing its visibility into the risks facing federal networks.
Federal agencies will soon be required to regularly scan their networks and digital assets for potential vulnerabilities – and report those findings to the Cybersecurity and Infrastructure Security Agency – as part of a new binding operational directive.
Beginning in April 2023, all federal civilian executive branch agencies must conduct weekly automated asset discoveries and initiate vulnerability enumerations every 14 days. Agencies will also be required to provide automated results from their vulnerability enumeration scans every 72 hours into CISA's Continuous Diagnostics and Mitigation Dashboard.
The BOD is part of CISA's ongoing efforts to gain further visibility into the risks facing federal networks, CISA Director Jen Easterly said during a call with reporters announcing the new directive on Monday.
"We've provided agencies with necessary tools and put in place infrastructure to gain a more granular understanding of federal cybersecurity risks," Easterly said. "This BOD takes the next step by establishing baseline requirements for agencies to identify those assets and vulnerabilities."
The director said the SolarWinds ransomware attack in 2020 highlighted the need for CISA to have further visibility into federal networks so the agency can better serve as the operational lead for federal cybersecurity. CISA will be able to request agencies initiate on-demand asset discoveries and vulnerability enumerations under the BOD, which provides agencies 72 hours to comply with such requests and seven days to provide available results.
Rob Silvers, undersecretary for policy at the Department of Homeland Security, described the BOD during the call on Monday as "a powerful example of an important operational step" following recommendations from the Cyber Safety Review Board's report on the Log4J software flaw.
The BOD described asset discovery as "a building block of operational visibility" and necessary for updates, configuration management and other security activities aimed at reducing cybersecurity risks. The directive covers all servers, routers, network appliances and on-premises and cloud devices. It excludes third-party managed software-as-a-service solutions.
Agencies' asset discoveries must cover the entirety of their IPv4 spaces at a minimum. The BOD said CISA will publish data requirements for agencies to provide machine-level performance data within six months, and provide quarterly and annual status reports on federal performance data.
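To make the requirements in the paragraphs above concrete, here is an added Python example (not CISA's, the CDM program's, or any agency's tooling) that checks a record of scan runs against the stated cadences: asset discovery at least weekly, vulnerability enumeration at least every 14 days, results into CDM at least every 72 hours, and, for an on-demand request, initiation within 72 hours and results within seven days. It also checks that the scanned ranges cover the agency's allocated IPv4 blocks. The event timestamps and address blocks are constructed sample data; the assumptions that gaps are measured between consecutive completed runs and that the seven-day results deadline runs from the request time are mine, since the article does not define the measurement points.

```python
"""Cadence and scope checks for the BOD 23-01 requirements as reported above.

Added illustration, not CISA's or any agency's code. Deadlines come from the
article; measurement points (gap between consecutive runs, deadlines measured
from the request time) are assumptions made here.
"""
from datetime import datetime, timedelta
import ipaddress

# Maximum allowed gap between consecutive runs / submissions (assumed measurement).
WINDOWS = {
    "discovery": timedelta(days=7),        # weekly automated asset discovery
    "enumeration": timedelta(days=14),     # vulnerability enumeration every 14 days
    "cdm_report": timedelta(hours=72),     # enumeration results into CDM every 72 hours
}
ON_DEMAND_INITIATE = timedelta(hours=72)   # 72 hours to act on a CISA request
ON_DEMAND_RESULTS = timedelta(days=7)      # seven days to provide available results


def cadence_findings(events, now):
    """Return, per activity, the gaps that exceeded the allowed window.

    events: {"discovery": [datetime, ...], "enumeration": [...], "cdm_report": [...]}
    Each finding is {"after": datetime or None, "gap_hours": float}; a missing
    activity is reported as an infinite gap so it is never silently compliant.
    """
    findings = {}
    for name, max_gap in WINDOWS.items():
        times = sorted(events.get(name, []))
        if not times:
            findings[name] = [{"after": None, "gap_hours": float("inf")}]
            continue
        # Gaps between consecutive runs, plus the open gap from the last run to now.
        pairs = list(zip(times, times[1:])) + [(times[-1], now)]
        findings[name] = [
            {"after": start, "gap_hours": (end - start).total_seconds() / 3600}
            for start, end in pairs
            if end - start > max_gap
        ]
    return findings


def on_demand_findings(requested, initiated, results, now):
    """Evaluate one on-demand request against the 72-hour / seven-day deadlines.

    initiated / results may be None if the step has not happened yet; both
    deadlines are assumed to run from the request time.
    """
    findings = []
    init_deadline = requested + ON_DEMAND_INITIATE
    results_deadline = requested + ON_DEMAND_RESULTS
    if initiated is None:
        if now > init_deadline:
            findings.append("initiation overdue")
    elif initiated > init_deadline:
        findings.append("initiated late")
    if results is None:
        if now > results_deadline:
            findings.append("results overdue")
    elif results > results_deadline:
        findings.append("results late")
    return findings


def uncovered_ipv4(allocated, scanned):
    """Return the parts of the allocated IPv4 blocks not covered by any scanned range.

    CIDR networks are either nested or disjoint, so coverage reduces to
    subtracting each scanned network from the allocated blocks it falls inside.
    """
    scanned_nets = [ipaddress.ip_network(s) for s in scanned]
    uncovered = []
    for block in allocated:
        remaining = [ipaddress.ip_network(block)]
        for s in scanned_nets:
            next_remaining = []
            for r in remaining:
                if r.subnet_of(s):          # fully covered by this scan range
                    continue
                if s.subnet_of(r):          # scan covers part of r: keep the rest
                    next_remaining.extend(r.address_exclude(s))
                else:                       # disjoint: untouched
                    next_remaining.append(r)
            remaining = next_remaining
        uncovered.extend(remaining)
    return sorted(str(n) for n in uncovered)


# Constructed sample data (not real agency records).
NOW = datetime(2023, 5, 1, 12, 0)
SAMPLE_EVENTS = {
    "discovery": [datetime(2023, 4, 3), datetime(2023, 4, 10),
                  datetime(2023, 4, 17), datetime(2023, 4, 28)],   # 11-day gap after Apr 17
    "enumeration": [datetime(2023, 4, 1), datetime(2023, 4, 15), datetime(2023, 4, 29)],
    "cdm_report": [datetime(2023, 4, 24), datetime(2023, 4, 28),  # 96-hour gap
                   datetime(2023, 4, 30, 12), NOW - timedelta(hours=24)],
}
SAMPLE_REQUEST = dict(requested=datetime(2023, 4, 20, 9), initiated=datetime(2023, 4, 22, 9),
                      results=None, now=NOW)
ALLOCATED = ["198.51.100.0/24", "203.0.113.0/24"]      # documentation ranges
SCANNED = ["198.51.100.0/25", "203.0.113.0/24"]

if __name__ == "__main__":
    for name, items in cadence_findings(SAMPLE_EVENTS, NOW).items():
        for f in items:
            print(f"{name}: gap of {f['gap_hours']:.0f}h after {f['after']}")
    print("on-demand:", on_demand_findings(**SAMPLE_REQUEST))
    print("uncovered IPv4:", uncovered_ipv4(ALLOCATED, SCANNED))
```

Feeding real scan and CDM submission timestamps into `cadence_findings` gives a quick self-check before CISA's own dashboard flags the gap, and `uncovered_ipv4` catches the common failure of scanning only the "known" subnets of a larger allocation.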
"I see this as more of an enforcement mechanism rather than new policy," Ari Schwartz, managing director of Cybersecurity Services at Venable and a former White House cybersecurity advisor, told FCW. "Agencies already are required to scan and report, but CISA has set up a detailed process to monitor implementation of BODs and push agencies to do the work necessary to comply. This seems to me to be an excellent area where CISA can use the BOD process to its fullest extent."
This story was updated October 4, 2022 with additional comment.