New CISA Directive Emphasizes Need for Asset and Vulnerability Discovery

On October 3, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) published Binding Operational Directive 23-01, ordering US federal agencies to regularly conduct asset and vulnerability discovery on their respective networks. The goal of this directive is to give agencies better visibility into the devices connected to their networks and insight into the vulnerabilities those devices possess.

In this blog post, we’ll cover more details about the directive, what this means to your organization even if you aren’t a federal agency, and what you can do to meet or exceed these new standards.

About the Directive

“The purpose of this Binding Operational Directive is to make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities,” CISA stated in its directive. “While the requirements in this Directive are not sufficient for comprehensive, modern cyber defense operations, they are an important step to address current visibility challenges at the component, agency, and FCEB enterprise level.”

By April 3, 2023, federal agencies must:

  • Perform automated asset discovery on all agency networks every 7 days
  • Perform authenticated vulnerability discovery on all assets connected to the agency’s networks every 14 days, including “roaming devices” (e.g. laptops)
  • Where possible, perform vulnerability discovery on agency mobile devices (e.g. iOS and Android)
  • Automatically ingest vulnerability discovery results into the CDM Agency Dashboard within 72 hours of discovery
  • Develop and maintain the capability to perform on-demand asset discovery and vulnerability detection when requested to do so by CISA

What this Means to My Organization

All federal agencies must comply with the requirements outlined in this directive. However, even if you are not a federal agency, you should take notice of the work CISA is doing to elevate the security posture of the United States government. “While this Directive applies to federal civilian agencies, we urge all organizations to adopt the guidance in this directive to gain a complete understanding of vulnerabilities that may exist on their networks,” said CISA Director Jen Easterly. “We all have a role to play in building a more cyber resilient nation.” While the primary goal of CISA is to establish ubiquitous federal standards, it does hope to set a precedent for the private sector.

It goes without saying that you cannot protect what you don’t know. And that is the primary objective of this directive. “Organizations often don’t know what they have across their infrastructure... That lack of a clear perception of their asset topology leaves them vulnerable to all types of risk,” said Jonathan Reiber, Vice President for Cybersecurity Strategy and Policy at AttackIQ. 

How to Meet or Exceed the Directive

Asset Discovery

Organizations should consider implementing tools that actively scan and collect information about connected devices. While not expressly stated in the Directive, it can be surmised that one of the goals in this objective is to identify rogue or unauthorized devices connected to an agency network. As such, traditional agent-based inventory management tools may not be sufficient to meet this objective. Instead, consider implementing network-based asset discovery tools that actively scan all networks for connected devices. 

In addition to meeting this objective, network discovery tools can provide added benefits such as:

  • Generate live network maps
  • Satisfy compliance and regulation documentation needs related to your network
  • Provide information needed for you to assess your network and ensure it’s designed to support your current and evolving business needs
  • Reduce your network risk and rapidly respond to network issues
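
The reconciliation described in this section, as an added example (not NetWorks Group or CISA code): it compares network-scan sightings with an agent-based inventory to surface devices the agents do not know about, and flags inventoried assets that fall outside the directive's 7-day discovery and 14-day vulnerability scan windows. The record fields, host names and addresses are hypothetical, and matching on MAC address is an assumption.

```python
from datetime import datetime, timedelta

# Windows from the directive's requirement list.
DISCOVERY_WINDOW = timedelta(days=7)    # automated asset discovery
VULN_SCAN_WINDOW = timedelta(days=14)   # authenticated vulnerability discovery

def normalize_mac(mac):
    """Canonicalise a MAC so 'AA-BB-CC-00-11-22' and 'aabb.cc00.1122' match."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reconcile(scan_hits, inventory, now):
    """Return (unmanaged IPs, hosts not discovered in window, hosts overdue for a scan)."""
    seen = {}
    for hit in scan_hits:
        mac = normalize_mac(hit["mac"])
        # Keep only the most recent sighting of each device.
        if mac not in seen or hit["last_seen"] > seen[mac]["last_seen"]:
            seen[mac] = hit
    known = {normalize_mac(a["mac"]): a for a in inventory}
    # On the wire but absent from the agent inventory: rogue or unmanaged.
    unmanaged = sorted(seen[m]["ip"] for m in seen.keys() - known.keys())
    # Inventoried, but discovery has not seen the device inside the window.
    not_discovered = sorted(
        a["host"] for m, a in known.items()
        if m not in seen or now - seen[m]["last_seen"] > DISCOVERY_WINDOW)
    # Never scanned, or last authenticated scan older than the window.
    scan_overdue = sorted(
        a["host"] for a in known.values()
        if a["last_scan"] is None or now - a["last_scan"] > VULN_SCAN_WINDOW)
    return unmanaged, not_discovered, scan_overdue

# Constructed sample data (hypothetical hosts and addresses).
NOW = datetime(2023, 4, 3, 12, 0)
SCAN_HITS = [
    {"mac": "AA-BB-CC-00-11-22", "ip": "10.0.0.5", "last_seen": NOW - timedelta(days=1)},
    {"mac": "aabb.cc00.1133", "ip": "10.0.0.9", "last_seen": NOW - timedelta(days=9)},
    {"mac": "de:ad:be:ef:00:01", "ip": "10.0.0.77", "last_seen": NOW - timedelta(hours=3)},
]
INVENTORY = [
    {"mac": "aa:bb:cc:00:11:22", "host": "ws-01", "last_scan": NOW - timedelta(days=20)},
    {"mac": "aa:bb:cc:00:11:33", "host": "laptop-07", "last_scan": NOW - timedelta(days=5)},
    {"mac": "aa:bb:cc:00:11:44", "host": "srv-02", "last_scan": None},
]

if __name__ == "__main__":
    print(reconcile(SCAN_HITS, INVENTORY, NOW))
```

Devices that randomize their MAC address or sit behind a router will not match on this key, so a real reconciliation usually needs a second identifier such as a hostname or certificate.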

Vulnerability Detection and Management

By now, most organizations have invested time and resources in implementing patch management processes to help ensure devices are up to date. But how do you know if those processes are working and effective? Vulnerability detection and management adds another layer of visibility by scanning all network-connected devices against a database of known exploits and vulnerabilities to identify gaps in patch management and assign remediation priority.

If not already done, organizations should consider implementing scanning tools that interrogate connected devices for potential vulnerabilities. In our experience, organizations that implement these tools will quickly uncover gaps in their patch management processes that represent high levels of risk to the organization. 

The next step in this process is to prioritize remediation efforts. You will likely have uncovered thousands of vulnerabilities across your networks and may find it difficult to remediate everything. Along with your vulnerability detection tool, consider implementing a complementary visualization tool. These tools ingest vulnerability data from your scanner and present the information in a way that helps you prioritize your remediation efforts. By addressing the highest priority vulnerabilities first, you can quickly reduce your risk even with constrained resources.

How NetWorks Group Can Help

For over 25 years, NetWorks Group has been on a mission to deliver security solutions that matter. Specifically related to this Directive, NetWorks Group has solutions to help address asset inventory (NWG Discover) and vulnerability detection (NWG VMP). If you are interested in learning more about these programs, please reach out to or click the “Let’s Talk” button on our homepage and schedule time to speak with one of our security experts.

NWG Monitor - Network Topology Overview
NWG VMP - Risk Score Dashboard


Published By: Michael Cross, VP of Operations, NetWorks Group

Publish Date: October 6, 2022
