A major federal cybersecurity deadline has passed. So now what?
The Cybersecurity and Infrastructure Security Agency (CISA) set an April deadline for its Binding Operational Directive 23-01 – Improving Asset Visibility and Vulnerability Detection on Federal Networks. Federal Civilian Executive Branch (FCEB) agencies now must perform automated discovery of all assets residing in their IPv4 space every seven days. In addition, they have to identify and report on suspected vulnerabilities (outdated software versions and misconfigurations, for example) for all discovered assets – including laptops and other mobile devices – every 14 days.
The directive deadline arrives at a time when agencies are struggling to defend themselves from more than 32,500 reported incidents every year. It calls for routine assessments and remediation as needed, and then demonstration of compliance through CISA’s Continuous Diagnostics and Mitigation (CDM) Program.
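The two cadences the directive sets (discovery every seven days, vulnerability enumeration every 14 days) are easy to state and easy to drift out of once an inventory grows past a few hundred hosts. The following Python script is an added example, not code from the article or from CISA: it takes an asset inventory with the timestamp of each asset's last automated discovery and last vulnerability assessment, flags anything outside either window, and produces a summary of the kind an agency would feed into its CDM reporting. The inventory, addresses and timestamps are constructed for illustration, and the asset kinds are assumptions; an agency would populate this from its own discovery and scanning tools.

```python
# Added example (not part of the original article): a minimal compliance tracker for
# the two BOD 23-01 cadences described above. Inventory contents are constructed.
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DISCOVERY_WINDOW = timedelta(days=7)    # BOD 23-01: automated asset discovery every 7 days
VULN_ENUM_WINDOW = timedelta(days=14)   # BOD 23-01: vulnerability enumeration every 14 days


@dataclass(frozen=True)
class Asset:
    ip: str
    kind: str                           # assumed label, e.g. "server", "laptop", "mobile", "ot"
    last_discovery: Optional[datetime]  # None: never seen by an automated discovery scan
    last_vuln_enum: Optional[datetime]  # None: never assessed for vulnerabilities


@dataclass(frozen=True)
class Finding:
    ip: str
    kind: str
    stale_discovery: bool
    stale_vuln_enum: bool
    discovery_overdue_days: Optional[int]   # 0 when within the window, None when never scanned
    vuln_enum_overdue_days: Optional[int]

    @property
    def compliant(self) -> bool:
        return not (self.stale_discovery or self.stale_vuln_enum)


def staleness(last: Optional[datetime], window: timedelta, now: datetime) -> tuple[bool, Optional[int]]:
    """Return (is_stale, days_overdue). A scan exactly at the window boundary is still compliant;
    an asset with no scan on record is stale with days_overdue=None."""
    if last is None:
        return True, None
    overdue = now - last - window
    if overdue <= timedelta(0):
        return False, 0
    return True, math.ceil(overdue.total_seconds() / 86400)


def evaluate(assets: list[Asset], now: datetime) -> list[Finding]:
    """Check every asset against both cadences."""
    findings = []
    for a in assets:
        d_stale, d_over = staleness(a.last_discovery, DISCOVERY_WINDOW, now)
        v_stale, v_over = staleness(a.last_vuln_enum, VULN_ENUM_WINDOW, now)
        findings.append(Finding(a.ip, a.kind, d_stale, v_stale, d_over, v_over))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Counts suitable for a periodic compliance report."""
    return {
        "assets": len(findings),
        "stale_discovery": sum(f.stale_discovery for f in findings),
        "stale_vuln_enum": sum(f.stale_vuln_enum for f in findings),
        "compliant": sum(f.compliant for f in findings),
    }


def report_lines(findings: list[Finding]) -> list[str]:
    """Human-readable lines, non-compliant assets first."""
    def fmt(days: Optional[int]) -> str:
        return "never scanned" if days is None else f"{days}d overdue" if days else "ok"
    lines = []
    for f in sorted(findings, key=lambda f: (f.compliant, f.ip)):
        lines.append(f"{f.ip:<12} {f.kind:<7} discovery={fmt(f.discovery_overdue_days):<14} "
                     f"vuln_enum={fmt(f.vuln_enum_overdue_days)}")
    return lines


# Constructed sample inventory, evaluated at a fixed point in time.
SAMPLE_NOW = datetime(2023, 4, 10, 12, 0, tzinfo=timezone.utc)


def _ago(days: int) -> datetime:
    return SAMPLE_NOW - timedelta(days=days)


SAMPLE_INVENTORY = [
    Asset("10.0.0.5", "server", _ago(2), _ago(10)),    # within both windows
    Asset("10.0.0.17", "laptop", _ago(9), _ago(9)),    # discovery two days overdue
    Asset("10.0.0.33", "mobile", _ago(1), None),       # discovered, never assessed
    Asset("10.0.0.40", "ot", _ago(20), _ago(20)),      # both cadences missed
    Asset("10.0.0.50", "server", _ago(7), _ago(14)),   # exactly at the boundary: compliant
]

if __name__ == "__main__":
    results = evaluate(SAMPLE_INVENTORY, SAMPLE_NOW)
    print("\n".join(report_lines(results)))
    print(summarize(results))
```

The boundary case matters in practice: a scanner that runs on a weekly cron job will often land a few hours past the previous run, so whether "every seven days" is measured to the minute or to the calendar day should be decided once and written into the check, not left to whoever reads the report.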
As is often the case with directives and regulations, government leaders should view their post-deadline state of cybersecurity readiness as a starting point rather than the finish line. With this in mind, here are two focus areas that deserve serious consideration for visibility, capabilities and controls that go beyond CISA’s requirements:
Cyber intelligence/defense as a continuous process. By April 2024, CISA will review the directive to ensure the requirements remain relevant to the current threat landscape. But chief information security officers (CISOs) and their teams cannot wait a year for CISA to tell them which issues to address. That is something they should assess and respond to continuously, on a 24/7/365 basis, through comprehensive awareness and mitigation of their external attack surface: the assets exposed and the vulnerabilities those assets carry.
This has been especially critical from the pandemic through to the present day: the resulting mass adoption of work-from-home drove enterprises to migrate swiftly to the cloud to meet the productivity needs of their employees. These migrations created an imperative for stronger visibility and configuration management, whether in a public cloud or a privately hosted cloud environment. That same urgency led to BOD 23-01, which accordingly applies to any internet-connected device and cloud-based IT/OT system.
The National Security Agency considers cloud misconfiguration the most prevalent cause of cloud vulnerabilities. To avoid these and related issues, federal CISOs should carefully examine the MITRE pre-ATT&CK framework (since folded into the Reconnaissance and Resource Development tactics of Enterprise ATT&CK), which describes how adversaries perform reconnaissance on their targets through active scanning and the gathering of victim host, identity and network information. At this stage, adversaries are looking to profile organizations, identify personas and enumerate every internet-accessible entry point.
CISOs have to stay several steps ahead of such activity by leveraging programs such as CISA’s CDM to maintain a system software and hardware inventory, identify configuration and vulnerability issues, and raise the visibility of user access, so they know who – and what – is on the network at all times.
The “no-touch” rule for critical infrastructure (CI). For far too long, CI owners and operators have taken a “no touch” approach, keeping security enhancements to a minimum – even for system components that are internet connected and therefore carry more potential for exposure.
They have resisted adding layers of security out of concern that these changes may disrupt operations. Yet any information made publicly available on the internet is at risk of exposure. Attackers fully realize this – especially those supporting adversarial nation states – and seek out systemic operational weaknesses to exploit.
CISA is raising the level of protection across the federal enterprise through the CDM program. Those overseeing our nation’s power grids, dams, government facilities, healthcare services and the defense industrial base (DIB) should take advantage of this support so they can enumerate their external attack surface and identify vulnerabilities, including those listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. More than ever, modern tools offer security capabilities that are at once more advanced and less obtrusive, so that protection is not only effective but friction-free.
The CISA deadline is not an end point – it’s a mile marker on a continuing journey on the road to an optimal defense. To ensure they stay on the right path, agencies should identify all of their attack surface assets and vulnerabilities (because their adversaries are doing the same thing) and then take immediate, corrective measures. In doing so, they will make life far, far more difficult for these adversaries, which, of course, makes life far, far easier for themselves.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email editor @ hstoday.us.