CISA directive aims to help federal agencies detect network vulnerabilities

While the CDM program is operated by multiple agencies, including the Department of Veterans Affairs, the Small Business Administration, and the Department of Health and Human Services, CISA’s new directive takes things a step further by requiring all federal agencies to take specific action on asset discovery and vulnerability enumeration by specific dates.

By April 3, for example, all agencies must have the appropriate processes in place to perform automated asset discovery every seven days and vulnerability enumeration on all such discovered assets every 14 days. Reporting this data is also a key part of the directive, as CISA hopes to get a more complete picture of security across the US government by better measuring assets and associated flaws in agency infrastructure. Agencies are required to record their vulnerability enumeration results in the agency CDM dashboard, and to collect and report performance data.
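One way an agency could check its own inventory against the two cadences described above (discovery every 7 days, enumeration of every discovered asset every 14 days) before reporting. This is an added example, not code from the article, CISA or the CDM program; the record format, field names and sample assets are constructed for illustration and are not the CDM dashboard's schema.

```python
"""Cadence check for the directive's 7-day discovery and 14-day enumeration windows.
The inventory format below is an assumption for this example, not a CISA schema."""
from datetime import datetime, timedelta, timezone

DISCOVERY_MAX_AGE = timedelta(days=7)     # automated asset discovery every seven days
ENUMERATION_MAX_AGE = timedelta(days=14)  # vulnerability enumeration every 14 days

# Constructed sample inventory: one record per asset, ISO-8601 UTC timestamps.
# last_enumerated is None for an asset that was discovered but never scanned.
SAMPLE_INVENTORY = [
    {"asset_id": "host-001", "last_discovered": "2023-03-30T02:00:00Z", "last_enumerated": "2023-03-25T03:00:00Z"},
    {"asset_id": "host-002", "last_discovered": "2023-03-20T02:00:00Z", "last_enumerated": "2023-03-21T03:00:00Z"},
    {"asset_id": "host-003", "last_discovered": "2023-03-31T02:00:00Z", "last_enumerated": None},
    {"asset_id": "host-004", "last_discovered": "2023-03-31T02:00:00Z", "last_enumerated": "2023-03-10T03:00:00Z"},
]

def _parse(ts):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp; None stays None."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) if ts else None

def check_cadence(inventory, now):
    """Return (findings, summary): which assets miss which cadence, plus the
    headline numbers an agency would want before reporting performance data."""
    findings = {}
    for rec in inventory:
        gaps = []
        discovered = _parse(rec["last_discovered"])
        enumerated = _parse(rec["last_enumerated"])
        if discovered is None or now - discovered > DISCOVERY_MAX_AGE:
            gaps.append("discovery_stale")
        if enumerated is None:
            gaps.append("never_enumerated")      # discovered but never enumerated
        elif now - enumerated > ENUMERATION_MAX_AGE:
            gaps.append("enumeration_stale")
        if gaps:
            findings[rec["asset_id"]] = gaps
    total = len(inventory)
    enumerated_count = sum(1 for r in inventory if r["last_enumerated"])
    summary = {
        "total_assets": total,
        "noncompliant_assets": len(findings),
        "enumeration_coverage_pct": round(100.0 * enumerated_count / total, 1) if total else 0.0,
    }
    return findings, summary

def run_sample(now_iso="2023-04-03T00:00:00Z"):
    """Evaluate the constructed inventory as of the directive's first deadline."""
    return check_cadence(SAMPLE_INVENTORY, _parse(now_iso))

if __name__ == "__main__":
    findings, summary = run_sample()
    for asset, gaps in sorted(findings.items()):
        print(asset, ", ".join(gaps))
    print(summary)
```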

Jonathan Reiber, vice president of strategy and cybersecurity policy at AttackIQ, said the directive is a good requirement for agencies to better understand their assets and represents one of the key elements of the strategy set out in the Biden administration’s Executive Order last year.

“In general, I’m very supportive of organizations that do ongoing assessments of the assets they have in their inventory,” he said. “Organizations often don’t know what they have in their infrastructure… This lack of clear perception of the topology of their assets leaves them vulnerable to all types of risks.”

As has been the case with other BODs – security-related requirements for federal and executive agencies issued by the government – CISA hopes this most recent guidance will set a precedent for private sector entities to follow as well, although it is not obligatory for them. As part of a directive last year in which CISA developed a catalog of known exploited vulnerabilities that federal agencies need to address, for example, the agency made the catalog public in hopes that private companies would also apply patches.

“While this directive applies to federal civilian agencies, we urge all organizations to adopt the guidance in this directive to gain a full understanding of vulnerabilities that may exist on their networks,” Easterly said. “We all have a role to play in building a more cyber-resilient nation.”
