CISA directive mandates asset discovery, vulnerability enumeration on FCEB agencies

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a Binding Operational Directive on Monday that calls upon federal civilian executive branch (FCEB) agencies to make measurable progress toward enhancing visibility into asset discovery and vulnerability enumeration across their networks. The document assesses continuous and comprehensive asset visibility as an essential precondition for any organization to manage cybersecurity risk. It calls for accurate and up-to-date accounting of assets residing on federal networks to manage cybersecurity for FCEB enterprises.

Under ‘Binding Operational Directive 23-01 – Improving Asset Visibility and Vulnerability Detection on Federal Networks,’ CISA commits to publishing, within six months, data requirements under which agencies will report machine-level vulnerability enumeration performance data in a common data schema.

The directive also states that annually, by the end of each fiscal year, CISA will provide a status report to the Secretary of Homeland Security, the director of the Office of Management and Budget (OMB), and the National Cyber Director (NCD) identifying cross-agency status, agency asset discovery and vulnerability management performance indicators (including scanning performance monitoring data such as the measured cadence, rigor, and completeness of scanning), and outstanding issues in the implementation of the directive. Additionally, CISA will report progress to OMB quarterly.

Within 18 months of issuance, CISA will also review the directive to ensure its requirements remain relevant to the cybersecurity landscape. Lastly, CISA will monitor agency compliance with the directive and, on request, assist agencies with implementation.

The directive aims to get federal agencies to maintain an up-to-date inventory of networked assets and to identify software vulnerabilities using privileged (credentialed) or client-based means where technically feasible. It also requires each agency to track how often it enumerates its assets, what coverage of its assets it achieves, and how current its vulnerability signatures are, and to provide asset and vulnerability information to CISA’s Continuous Diagnostics and Mitigation (CDM) Federal Dashboard.

The CDM Program provides a dynamic approach to fortifying the cybersecurity of government networks and systems. It delivers cybersecurity tools, integration services, and dashboards that help participating agencies improve their security posture by reducing agency threat surface, increasing visibility into the federal cybersecurity posture, improving federal cybersecurity response capabilities, and streamlining Federal Information Security Modernization Act (FISMA) reporting.

The directive mandates that by April 3, 2023, all FCEB agencies must perform automated asset discovery across their federal information systems every seven days. They must also initiate vulnerability enumeration across all discovered assets, including all nomadic/roaming devices, every 14 days. CISA acknowledges that in some instances full vulnerability discovery across the entire enterprise may not complete within 14 days. Enumeration processes should nevertheless be initiated at regular intervals so that every system in the enterprise is scanned on a regular cadence within that timeframe.

To the maximum extent possible, and where available technologies support it, all vulnerability enumeration performed on managed endpoints (servers, workstations, desktops, and laptops) and managed network devices (routers, switches, and firewalls) must be conducted with privileged credentials. Further, all vulnerability detection signatures must be updated at intervals no greater than 24 hours from the last vendor-released signature update.

CISA also mandates that, where the capability is available, agencies perform the same type of vulnerability enumeration on mobile devices and other devices that reside outside agency on-premises networks. Additionally, all alternative asset discovery and vulnerability enumeration methods (e.g., for systems with specialized equipment or those unable to use privileged credentials) must be approved by CISA.

FCEB agencies must also initiate automated ingestion of vulnerability enumeration results, such as detected vulnerabilities, into the CDM Agency Dashboard within 72 hours of discovery completion, or of the initiation of a discovery cycle if a previous full discovery has not been completed.

CISA stipulates that FCEB agencies must develop and maintain the operational capability to initiate on-demand asset discovery and vulnerability enumeration, targeting specific assets or subsets of vulnerabilities, within 72 hours of receiving a request from CISA, and to provide the available results to CISA within seven days of the request. The agency acknowledges that in some instances agencies may not be able to complete a full vulnerability discovery across the entire enterprise within this period.

The directive also states that within six months of CISA publishing its requirements for vulnerability enumeration performance data, FCEB agencies must begin collecting and reporting that data, as relevant to the directive, to the CDM Dashboard. The data will allow CISA to automate oversight and monitoring of agency scanning performance, including measuring scanning cadence, rigor, and completeness.

“By April 3, 2023, agencies and CISA, through the CDM program, will deploy an updated CDM Dashboard configuration that enables access to object-level vulnerability enumeration data for CISA analysts, as authorized in the Executive Order on Improving the Nation’s Cybersecurity,” the directive read. 

The directive adds that six, twelve, and eighteen months after issuance, FCEB agencies must do one of two things: provide CISA a progress report that includes any obstacles, dependencies, or other issues that may prevent them from meeting the directive’s requirements and expected completion dates, or work with CISA through the CDM program review process outlined in OMB M-22-05 (or superseding guidance) to identify and resolve gaps or issues that prevent full operationalization of asset management capabilities, including the requirements in this directive.

The directive identifies asset discovery as a building block of operational visibility. It defines asset discovery as the activity through which an organization identifies which network-addressable IP assets reside on its networks and the IP addresses (hosts) associated with them. Asset discovery is non-intrusive and usually does not require special logical access privileges.

Vulnerability enumeration, by contrast, identifies and reports suspected vulnerabilities on those assets. It collects host attributes (installed software and versions, patch level, configuration) and matches them against information on known vulnerabilities to flag outdated software versions, missing updates, and misconfigurations, and to validate compliance with or deviations from security policies. The directive also notes that accurately determining an asset’s vulnerability posture requires appropriate privileges on the host, which can be obtained through credentialed network-based scans or through a client (agent) installed on the endpoint.
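To make the distinction concrete, the following is an added example (not CISA’s code and not part of any CDM tool) of the matching step that vulnerability enumeration performs on top of asset discovery: host attributes collected from each discovered address are compared against a signature set, findings from uncredentialed hosts are downgraded because their versions come from banners rather than the package database, coverage is computed against the discovery list, and signature freshness is checked against the directive’s 24-hour lag cap. All hosts, package names, versions and vulnerability identifiers (VULN-0001 etc.) are constructed for the example; version strings are assumed to be dotted numerics.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


def parse_version(version: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so that 1.2.10 sorts after 1.2.9.
    A plain string comparison ranks '1.2.10' below '1.2.9' and would
    report a patched host as vulnerable. Assumes dotted numeric versions
    (a simplification for this example)."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Signature:
    """One detection signature: `package` is vulnerable below `fixed_in`."""
    vuln_id: str            # hypothetical identifier, not a real CVE
    package: str
    fixed_in: str
    vendor_released: datetime


@dataclass
class HostInventory:
    """Attributes collected from one discovered host. A credentialed scan or
    agent reads the real package database; an uncredentialed scan only has
    banner-level guesses, so its findings are lower confidence."""
    ip: str
    credentialed: bool
    packages: dict = field(default_factory=dict)  # package name -> version


def is_affected(installed: str, fixed_in: str) -> bool:
    return parse_version(installed) < parse_version(fixed_in)


def enumerate_host(host: HostInventory, signatures: list) -> list:
    """Match one host's attributes against every signature."""
    findings = []
    for sig in signatures:
        installed = host.packages.get(sig.package)
        if installed is None or not is_affected(installed, sig.fixed_in):
            continue
        confidence = "confirmed" if host.credentialed else "unverified"
        findings.append((sig.vuln_id, sig.package, installed, confidence))
    return findings


def coverage(discovered: list, enumerated: list) -> tuple:
    """Fraction of discovered assets that received an enumeration pass, plus
    the addresses that were missed and need follow-up."""
    discovered_set = set(discovered)
    missing = sorted(discovered_set - set(enumerated))
    covered = len(discovered_set) - len(missing)
    return covered / len(discovered_set), missing


def signature_lag_ok(vendor_released: datetime, locally_updated: datetime,
                     max_lag: timedelta = timedelta(hours=24)) -> bool:
    """The directive caps signature lag at 24 hours behind the vendor release."""
    return locally_updated - vendor_released <= max_lag


# Constructed sample data (not real hosts, packages or vulnerabilities)
T0 = datetime(2023, 1, 10, 12, 0, tzinfo=timezone.utc)
SIGNATURES = [
    Signature("VULN-0001", "libfoo", "1.2.10", T0),
    Signature("VULN-0002", "barserver", "9.0.0", T0),
]
DISCOVERED = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]   # from the discovery pass
HOSTS = [                                            # only two were enumerated
    HostInventory("10.0.0.1", True, {"libfoo": "1.2.9", "barserver": "10.0.0"}),
    HostInventory("10.0.0.3", False, {"libfoo": "1.2.9"}),
]


def lag_hours_ok(hours: float) -> bool:
    """Helper: would a local signature update `hours` after T0 satisfy the cap?"""
    return signature_lag_ok(T0, T0 + timedelta(hours=hours))


def run_cycle(hosts=HOSTS, signatures=SIGNATURES, discovered=DISCOVERED):
    """One enumeration cycle: findings per host plus coverage against discovery."""
    findings = {h.ip: enumerate_host(h, signatures) for h in hosts}
    fraction, missing = coverage(discovered, [h.ip for h in hosts])
    return findings, fraction, missing


if __name__ == "__main__":
    findings, fraction, missing = run_cycle()
    for ip, hits in findings.items():
        print(ip, hits)
    print(f"coverage {fraction:.0%}, not enumerated: {missing}")
```

Two details carry the practical point. First, `barserver 10.0.0` is correctly treated as patched relative to a `9.0.0` fix because versions are compared numerically; a scanner that compares version strings lexically would raise a false positive here and, worse, miss real vulnerabilities in the opposite direction. Second, the uncredentialed host still produces a finding, but it is labelled `unverified`, which is exactly why the directive pushes credentialed or agent-based enumeration wherever the platform allows it.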

Agencies may also request CISA’s assistance in conducting an engineering survey to baseline their current asset management capabilities. CISA will work with requesting agencies to provide technical and program assistance to resolve gaps, optimize scanning, and support the required actions in the directive.

The directive’s requirements advance the priorities outlined in U.S. President Joe Biden’s Executive Order 14028, issued last May, specifically Sec. 7, which aims to improve the detection of cybersecurity vulnerabilities and incidents on federal government networks. It also provides “operational clarity in achieving policy set forth in previous OMB Memoranda, including M-21-02, M-22-05, and M-22-09. Compliance with this Directive also supports BOD 22-01, Managing Unacceptable Risk Vulnerabilities in Federal Enterprise, as it will enable agencies to enhance the management of known exploited vulnerabilities that can be detected using automated tools,” CISA added.

Last month, the OMB published a memorandum focused on enhancing the security of the software supply chain through secure software development practices. The memorandum, which builds on EO 14028, will apply across federal agencies whenever they acquire third-party software for use on agency information systems. Companies that supply software to U.S. federal agencies should take note, as it applies to both current and new acquisition contracts for third-party software products.
