CISA rolls out JCDC remote monitoring and management Cyber Defense Plan to address systemic risks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released Wednesday the Joint Cyber Defense Collaborative (JCDC) remote monitoring and management (RMM) Cyber Defense Plan. Providing a roadmap to address systemic risks by advancing the security and resilience of the RMM ecosystem, the plan covers RMM vendors, managed service providers (MSPs), managed security service providers (MSSPs), small and medium-sized businesses (SMBs), and critical infrastructure operators.

This is the first proactive plan developed by industry and government partners through the JCDC as part of CISA’s 2023 Planning Agenda. JCDC will lead the execution of the JCDC RMM Cyber Defense Plan.

In January, CISA, the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint Cybersecurity Advisory (CSA) to warn network defenders about the malicious use of legitimate remote monitoring and management (RMM) software. The agencies had called upon organizations to review the Indicators of Compromise (IOCs) and mitigations sections in the advisory and to apply the recommendations to protect against the malicious use of legitimate RMM software.

Organizations across sectors leverage RMM products to gain efficiencies and benefit from scalable services. These same benefits, however, are increasingly targeted by adversaries – from ransomware actors to nation-states – to compromise large numbers of downstream customer organizations. To reduce these types of risk at scale, JCDC convened key partners across a multi-month process that leveraged deep expertise by vendors, operators, agencies, and other stakeholders. This included contributions from N-Able, Corporate Information Technologies, CNWR, Huntress, Kaseya, and CompTIA.

The RMM Cyber Defense Plan is built on two foundational pillars, operational collaboration and cyber defense guidance, and contains four subordinate lines of effort. These include cyber threat and vulnerability information sharing, which expands the sharing of cyber threat and vulnerability information between the U.S. government and RMM ecosystem stakeholders, and an enduring RMM operational community, which implements mechanisms for an enduring RMM operational community that will continue to mature scaled security efforts.

When it comes to operational collaboration, the Cyber Defense Plan recognizes that effective partnerships and collaboration between the government and private sector are the foundation of collective effort to protect the nation’s critical infrastructure. Major RMM vendors have highlighted their willingness and desire to work with the USG; however, partnerships or forums for sustained collaboration may not always be available or leveraged. JCDC aims to drive collective action across the RMM community to enhance information sharing, increase visibility, and fuel creative cybersecurity solutions.

Addressing cyber defense guidance, the plan said that at the base of the RMM ecosystem, SMBs account for 6.5 million businesses and over 40 percent of U.S. gross domestic product (GDP). 

“Although CISA will continue to implement ‘top-down’ initiatives, i.e. RMM stakeholder engagement, it is imperative to improve ‘bottom-up’ visibility of CISA resources and guidance at the end-user level,” the plan document explained. “According to a 2021 U.S. Telecom cyber survey, only 13% of small and medium-sized critical infrastructure entities are aware of and/or follow CISA guidance.”

To improve cybersecurity in the RMM ecosystem at scale, CISA must address fundamental gaps in target audience awareness. This pillar focuses on educating RMM end-users about the dangers and risks to their RMM infrastructure today, and how they can help promote security best practices moving forward. 

The plan also covers end-user education, which develops and enhances end-user education and cybersecurity guidance to advance the adoption of strong best practices through a collaborative effort by CISA, interagency partners, and other RMM ecosystem stakeholders. It also covers amplification, which leverages available lines of communication to amplify relevant advisories and alerts within the RMM ecosystem.

“The RMM Cyber Defense Plan demonstrates the criticality of this work and the importance of both deep partnership and proactive planning in addressing systemic risks facing our country,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, said in a media statement. “These planning efforts are dependent on trusted collaboration with our partners, and this Plan was a true partnership with the RMM community, industry, and interagency partners that contributed time and effort towards this important work.” 

Goldstein added that the collaboration established to develop this plan has already achieved several accomplishments for RMM stakeholders and the ecosystem. “As the JCDC leads the execution of this plan, we are confident that this public-private collaboration in the RMM ecosystem will further reduce risk to our nation’s critical infrastructure.”

The JCDC RMM Cyber Defense Plan aligns with the priorities outlined in the CISA Strategic Plan 2023–2025 and highlights specific lines of effort addressed in the National Cyber Strategy 2023. Per the National Cybersecurity Strategy, JCDC has a responsibility to integrate cyber defense planning and operations across the Federal Government and with the private sector. To support the CISA Strategic Plan, the JCDC RMM Cyber Defense Plan identifies a path forward to reduce risks to—and strengthen the resilience of—America’s critical infrastructure organizations that are dependent upon RMM products. 

The JCDC RMM Cyber Defense Plan was developed by a core planning team, led by the JCDC Planning Office, and included representation from other divisions across CISA, the Federal interagency, and private industry. The components of the JCDC RMM Cyber Defense Plan provide leaders in the RMM ecosystem with the necessary ways and means for sustained, effective cyber defense at scale. 

“Central to the JCDC RMM Cyber Defense Plan is an operational community founded on trust and collaboration to drive joint cyber defense operations,” the document said. “This community ultimately aims to reduce the frequency and impact of cybersecurity incidents across the RMM ecosystem and leverage the prevalence of RMM software across critical infrastructure to scale cyber defense operations.” 

It added that the JCDC places a heavy emphasis on fostering this culture of cooperation and looks to indicators like the number of actively participating organizations, the volume and quality of information shared, and the development and subsequent adoption of shared information, as measures of success and indication of a growing recognition of threats, cybersecurity challenges, and opportunities in this space.

The JCDC has already capitalized on the momentum of collaboration established through this planning effort and has advanced protections through ‘this unique and strategic partnership.’ The enduring partnership provides a proven forum to drive industry-informed objectives aimed at mitigating risk to downstream SMBs and critical infrastructure operators.

In conclusion, the JCDC RMM Cyber Defense Plan said that the ubiquity of RMM software, coupled with the sizable market share of several key RMM stakeholders, positions JCDC to facilitate systemic positive impacts across the cyber domain. Enhancing the cyber resilience and threat awareness of RMM stakeholders can provide downstream benefits to end-users, including SMB owners and critical infrastructure operators. 

“The JCDC RMM Cyber Defense Plan presents a foundation from which leaders across CISA, Interagency partners, and industry partners can suitably align and delineate their respective lines of effort to accomplish key objectives,” it added. “JCDC will continue to lead the execution of the JCDC RMM Cyber Defense Plan, relying on external stakeholders both within and outside of CISA. Public-private collaboration in the RMM ecosystem is, and will remain, a vital component of CISA’s mission to understand, manage, and reduce risk to our nation’s critical infrastructure.”

Last week, CISA published a 60-day notice and agency information collection activities dealing with the ReadySetCyber Initiative Questionnaire. The agency aims to leverage the ReadySetCyber Initiative to provide specialized services that address the unique cybersecurity needs of governments and critical infrastructure entities. Comments will be accepted until Oct. 10, 2023.
