The Office of Management and Budget’s recent FISMA guidance notes the importance of the Cybersecurity and Infrastructure Security Agency’s ability to scan agencies for vulnerabilities on an ongoing basis.
Federal agencies have new directions from the Office of Management and Budget to create an internet of things inventory by the end of fiscal 2024.
OMB issued the requirements in its annual memorandum to agencies on implementing the Federal Information Security Modernization Act of 2014 in the coming fiscal year, which OMB Director Shalanda Young released on Monday.
“Agencies must have a clear understanding of the devices connected within their information systems to gauge cybersecurity risk to their missions and operations,” the memo reads. “This includes the interconnected devices that interact with the physical world—from building maintenance systems, to environmental sensors, to specialized equipment in hospitals and laboratories.”
The IoT Cybersecurity Improvement Act of 2020 required the National Institute of Standards and Technology to develop guidelines and standards for federal use of IoT devices, and required OMB to review agency policies to make sure they align with NIST's guidance.
The inventory requirement follows active engagement with stakeholders and agencies, according to OMB. In the memo, OMB defines which types of IoT assets agencies must inventory, noting that many of them might be considered operational technology, and what information the inventory must capture, including how each asset aligns with applicable requirements and controls such as those published by NIST.
OMB says the inventory practice will help agencies gather the information they need to identify and mitigate risks and vulnerabilities. Agencies will soon have additional help from a new working group under the CISO Council, which the memo asks the council to establish in order to develop IoT and OT security best practices.
“The prevalence and wide range of IoT devices used by federal agencies provide new and more complex vectors for cyber threats,” the memo states. “Strengthening the cybersecurity posture of IoT devices within the federal enterprise requires that we ensure foundational cyber protection measures are in place for all such devices connected to federal systems.”
The memo also lays out other FISMA reporting requirements and deadlines for agencies. The administration says it is building on the move toward automated metric reporting that it began in 2021.
Agencies should automate reporting on their assets as much as possible, the memo says, noting that the Continuous Diagnostics and Mitigation Program at the Cybersecurity and Infrastructure Security Agency can help them do that.
The memo also makes a point of noting that CISA scans "internet-accessible addresses and segments of federal civilian agency systems for vulnerabilities on an ongoing basis," and that such non-invasive scans do not require prior agency authorization. OMB directs agencies to designate points of contact in their security teams for CISA, to provide CISA with regularly updated lists of their internet-accessible systems, and to meet related obligations.
“Federal agencies should expect that any system accessible over the public internet is being scanned for vulnerabilities by various parties at all times, and factor this into their security operations accordingly,” the memo states.