CISA's new directive targets devices that can be configured over public internet
A new binding operational directive from CISA requires agencies to safeguard devices that use remote management network protocols. Valerii Minhirov / GETTY IMAGES
By
Chris Riotta
The nation’s cyber defense agency is requiring all federal civilian agencies to remove such devices from their networks.
The Cybersecurity and Infrastructure Security Agency has issued a new binding operational directive requiring agencies to enhance protections for devices on federal information systems that use network protocols for remote management over public internet — or remove them from their networks.
The new directive applies to devices like routers, switches, firewalls and load balancers that allow agency administrators to provide remote configurations through a management interface accessible over public internet using HTTP, remote login services or file transfer protocols, among other methods.
Many federal agencies employ consumer devices that provide configuration and management capabilities over the public internet. Under the new directive, agencies can only leverage devices that feature management interfaces exclusively accessible from inside the enterprise network through a management jumpbox separate from the device or through enforcement points that employ zero trust principles.
The new BOD comes amid an apparent uptick in attacks aimed at misconfigured network gear, according to Ari Schwartz, coordinator of the nonprofit Center for Cybersecurity Policy and Law and a former White House cybersecurity advisor.
One report published earlier this year identified more than 8,000 misconfigured web servers on the internet that are susceptible to hacking, potentially exposing sensitive data like passwords, backup files and database information.
CISA "does its best work with federal agencies when looking for something that they can scan for externally on agency networks, allowing it to directly point out exactly what agencies need to change," Schwartz said.
"The directive seems perfectly tailored to both address a growing need and allow CISA to succeed in helping address the problem," he added.
The nation's cyber defense agency warned last year in an advisory that cyber actors were "routinely" exploiting poor security configurations and poor cyber hygiene practices, recommending organizations operate services exposed on internet-accessible systems with secure configurations, in addition to hardening credentials, establishing a centralized log management and maintaining updated software.
CISA Director Jen Easterly said in a statement accompanying the BOD that threat actors are able to leverage network devices "to gain unrestricted access to organizational networks, in turn leading to full-scale compromise.
"Requiring appropriate controls and mitigations outlined in this directive is an important step in reducing risk to the federal civilian enterprise," Easterly added while encouraging all organizations across the public and private sectors to adopt the new guidance.
The guidance gives federal civilian agencies 14 days after identifying management interfaces with access to public-facing internet to remove the devices from their systems and networks or implement zero trust architecture capabilities.