CISA BOD 23-01 broadens cybersecurity baseline for federal agencies, though education, budget reviews likely hurdles

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released earlier this month a Binding Operational Directive to make more measurable progress toward enhancing visibility into assets and associated vulnerabilities across the federal civilian executive branch (FCEB) and the agencies operating those systems. The CISA BOD 23-01 mandates federal civilian agencies to conduct continuous and comprehensive asset visibility and vulnerability enumeration for all IP-addressable networked assets across IPv4 and IPv6 protocols.

Advancing the priorities outlined in U.S. President Joe Biden’s Executive Order 14028, the CISA BOD 23-01 lays down that by Apr. 3, 2023, the current technology asset management solutions and services must be improved upon to achieve the specific requirements identified within the directive. These essentials include automated asset discovery every seven days and vulnerability enumeration across all assets every 14 days. It also calls for automated ingestion of enumerated results to the CDM federal dashboard within 72 hours while maintaining the operational capacity to perform on-demand asset discovery within 72 hours of a request from CISA.
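The four cadences above (discovery every seven days, enumeration every 14 days, ingestion within 72 hours, on-demand discovery within 72 hours) are the measurable part of the directive, so a practical first step for an agency is a script that reads its own inventory and flags assets that have fallen outside those windows. The following Python is an added example, not code from CISA, the CDM program, or any vendor named in this article; the inventory format, field names, and sample records are constructed for illustration, and only the time limits come from the directive as summarised above.

```python
"""Cadence check against the BOD 23-01 asset visibility requirements.

Added illustration; not CISA or CDM code. The inventory schema and the
sample records are constructed. Only the cadences (7-day discovery,
14-day enumeration, 72-hour ingestion) are taken from the directive.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

DISCOVERY_MAX_AGE = timedelta(days=7)
ENUMERATION_MAX_AGE = timedelta(days=14)
INGESTION_MAX_AGE = timedelta(hours=72)

# Constructed "now" so the sample below evaluates deterministically.
REFERENCE_NOW = datetime(2023, 4, 3, tzinfo=timezone.utc)

# Constructed sample inventory: one record per IP-addressable asset.
# Timestamps are ISO 8601 UTC; "ingested" is when the latest enumeration
# result reached the dashboard (None = not yet sent).
SAMPLE_INVENTORY = [
    {"ip": "10.0.0.5", "discovered": "2023-04-01T00:00:00Z",
     "enumerated": "2023-03-25T00:00:00Z", "ingested": "2023-03-26T00:00:00Z"},
    {"ip": "2001:db8::10", "discovered": "2023-03-20T00:00:00Z",   # stale discovery
     "enumerated": "2023-03-28T00:00:00Z", "ingested": "2023-03-28T12:00:00Z"},
    {"ip": "10.0.0.9", "discovered": "2023-04-02T00:00:00Z",
     "enumerated": "2023-03-15T00:00:00Z", "ingested": "2023-03-16T00:00:00Z"},  # stale enumeration
    {"ip": "10.0.0.12", "discovered": "2023-04-02T00:00:00Z",
     "enumerated": "2023-03-29T00:00:00Z", "ingested": None},                    # never ingested
    {"ip": "not-an-ip", "discovered": "2023-04-02T00:00:00Z",
     "enumerated": "2023-04-02T00:00:00Z", "ingested": "2023-04-02T01:00:00Z"},  # malformed record
]


def _parse(ts):
    """Parse an ISO 8601 'Z' timestamp into an aware UTC datetime (None passes through)."""
    if ts is None:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_asset(record, now):
    """Return the list of directive requirements this record fails (empty = compliant)."""
    findings = []
    try:
        ipaddress.ip_address(record["ip"])  # accepts both IPv4 and IPv6, as the directive requires
    except ValueError:
        return ["not an IPv4/IPv6 address: out of scope or malformed record"]
    discovered = _parse(record["discovered"])
    enumerated = _parse(record["enumerated"])
    ingested = _parse(record["ingested"])
    if now - discovered > DISCOVERY_MAX_AGE:
        findings.append("discovery older than 7 days")
    if now - enumerated > ENUMERATION_MAX_AGE:
        findings.append("vulnerability enumeration older than 14 days")
    # The 72-hour ingestion clock starts when the enumeration result was produced.
    if ingested is None:
        if now - enumerated > INGESTION_MAX_AGE:
            findings.append("enumeration result not ingested within 72 hours")
    elif ingested - enumerated > INGESTION_MAX_AGE:
        findings.append("enumeration result ingested late (>72 hours)")
    return findings


def cadence_report(inventory, now):
    """Map each asset IP to its findings; compliant assets map to []."""
    return {r["ip"]: check_asset(r, now) for r in inventory}


def summarize(report):
    """Count compliant and non-compliant assets in a cadence report."""
    total = len(report)
    noncompliant = sum(1 for findings in report.values() if findings)
    return {"assets": total, "noncompliant": noncompliant, "compliant": total - noncompliant}


if __name__ == "__main__":
    report = cadence_report(SAMPLE_INVENTORY, REFERENCE_NOW)
    for ip, findings in report.items():
        print(ip, "OK" if not findings else "; ".join(findings))
    print(summarize(report))
```

The ingestion check deliberately measures from the time the enumeration result was produced rather than from "now", since that is the window the directive describes; an asset whose result was never forwarded to the dashboard therefore shows up as a finding as soon as 72 hours have passed, regardless of how fresh its discovery record is.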

A binding operational directive is a compulsory direction to the executive branch, departments, and agencies to safeguard federal information and information systems. CISA BOD 23-01 applies to any agencies operating as an FCEB agency, such as the Department of Justice (DOJ), the Department of Education, and the Department of Health and Human Services. It also applies to any entity acting on behalf of an FCEB agency that ‘collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.’

Last month, the Office of Management and Budget (OMB) rolled out a memorandum pushing federal agencies to enhance the security of the software supply chain, driving a sense of urgency. The initiative aims to bolster the cybersecurity posture of federal systems and provide safeguards from the persistent threats and attacks launched by the nation-state and criminal hackers seeking to steal sensitive information and intellectual property from such environments.

Mandiant recently reported that about 26 percent of the time, actors gain initial access through the exploitation of public-facing applications, which underscores how critical it is for organizations to maintain an up-to-date inventory of assets and vulnerabilities. Moreover, the data holds across both public and private sector entities, including federal government agencies. 

Industrial Cyber reached out to industrial cybersecurity experts to evaluate the feasibility for FCEB agencies to bring about continuous and comprehensive asset visibility and vulnerability enumeration as mandated by the CISA BOD 23-01 on their assets. They also analyze the shortcomings these agencies will likely face as they work toward meeting the CISA mandates.

Paul Smith, CTO at SCADAfence

Paul Smith, CTO at OT and IoT cybersecurity company SCADAfence, said that he can’t speak on all FCEB agencies, but certainly, in the last six years as the passive IDS (Intrusion Detection System) market has erupted onto the scene there has been a massive adoption rate in nuclear, energy, water, transportation, and others.  

“IDS technology provides continuous monitoring and asset identification which certainly addresses the requirements for 7-day automated asset discovery and the vulnerability enumeration of these devices every 14 days,” Smith told Industrial Cyber. “Even though the adoption rate has been high, it has remained mainly focused on key verticals and hasn’t been widely spread across all agencies due to the lack of enforcement in my opinion.” 

SCADAfence asset dashboard

Smith said that the biggest hurdles would be education and budget reviews for cybersecurity as traditionally, products were installed, and asset owners felt that they checked the compliance box and there were no repercussions for doing the bare minimum. “I think CISA releasing (BOD) 23-01 is a great step in the right direction as it encourages agencies to look beyond the historic narrow, tight, legacy budgets and technology of cybersecurity and expand to more modern solutions to monitor and protect their environments,” he adds.

Richard Robinson, chief executive officer at Cynalytica

From an IT perspective, it is 100 percent feasible and candidly is the minimum agencies should already be doing, Richard Robinson, chief executive officer of Cynalytica, told Industrial Cyber. “However, the directive tosses in the term ‘operational technology asset’ in the directive, almost as an afterthought, and then does little to better define what are OT assets for the agencies.” 

Robinson also pointed out that the directive does state ‘asset that is assigned an IPv4 or IPv6 address and accessible over IPv4 or IPv6 networks, regardless of the environment it operates in.’ It then proceeds to list IT assets only, such as servers and workstations, virtual machines, routers and switches, firewalls, network appliances, and network printers, and not OT assets like PLCs, HMIs, and field devices. He also raised the presence of non-IP assets that are part of the operational network.

“There should be a separate directive that is more tailored to operational technology environments and does not conflate IT and OT as if they are the same,” Robinson adds.

Analyzing the challenges and shortcomings of agencies in carrying out the CISA BOD 23-01, Robinson says they will continue to be the same ones that have plagued them for decades. “Access to funding, proper training for employees, retention of trained employees, and the ability to evaluate and select the appropriate technical solutions for their respective agencies and, if they are not already doing much of what is in the directive, knowing where to start will be challenging,” he adds. 

Paul Veeneman, President and COO, Beryllium InfoSec Collaborative
Paul Veeneman, Cybersecurity and Risk Management, Securisect.

Paul Veeneman, an IT/OT/ICS cybersecurity and risk management professional, told Industrial Cyber that over the last decade, most agencies have been addressing the challenges of technology asset inventory management and monitoring. “Managing tens of thousands or hundreds of thousands of assets can seem insurmountable. However, asset management ‘is a building block of operational visibility’ for assessing posture, vulnerability, risk, remediation, and resolution of technology assets and information systems.”

“Automation will be critical in meeting the requirements for continuous and comprehensive asset visibility,” Veeneman said. “Agencies that have full-featured technology asset management solutions in place should be able to take advantage of automated and integrated functionality to achieve most of the asset discovery and vulnerability enumeration requirements if they are not already doing so. Agencies whose solutions are deficient in automation features or functionality will need to review potential replacement options and investment,” he adds.

Veeneman expects budget, time, and resource constraints to shape how well each agency can meet the directive. “Budget, time, and resource constraints will presumably contribute to success factors for all agencies in meeting the directive’s requirements. Agencies that already have systems and solutions in place will have an easier path to meeting goals and objectives, while agencies that do not will have to overcome those limitations. Automation will surface as a critical success factor. There simply aren’t enough hours in the day for a reasonable number of human counterparts to complete the tasks and activities at scale that automated asset management solutions can when we are talking about tens of thousands or hundreds of thousands of assets,” he analyzes.

Following the Log4j and SolarWinds attacks, assessing if the mandated actions of the CISA BOD 23-01 are sufficient to strike out malicious threats and attacks firmly is crucial. Another key factor is the effect of the CISA mandates on the cybersecurity posture at FCEB agencies.

Smith agrees that this is a great starting point; asset visibility and vulnerability awareness are the perfect building blocks to develop a strong cybersecurity posture and practice. “Speaking directly to Log4j and SolarWinds type of supply chain attacks, these are of a more advanced nature and require a more sophisticated solution. Providing the basics of asset visibility and detection of widely published vulnerabilities should be already included in an agency’s cyber detection arsenal,” he adds.  

“The fact that CISA is publishing these actions tells me that the vast majority are failing to meet the lowest level of requirements,” Smith highlights. “There are now systems and products hitting the market that will allow for agencies to ensure that they are being provided with a certified SBOM (Software Bill Of Materials) which would go above and beyond asset identification.”

Robinson said the mandated CISA actions are “absolutely not” sufficient to eliminate malicious threats and attacks. “The directive goes as far as admitting this when it states that, ‘while the requirements in this Directive are not sufficient for comprehensive, modern cyber defense operations, they are an important step to address current visibility challenges at the component, agency, and FCEB enterprise level.’ It is clear that the directive is trying to codify the low bar as a baseline,” he adds.

Judging the effectiveness of the CISA mandates on the cybersecurity posture at FCEB agencies, Robinson said that his experience has been that this will probably have a low net marginal effect on the cybersecurity posture at the agencies. “It really is just directing agencies to ensure they are doing the minimum. It may have a derivative consequence in driving executive awareness to more efficiently resource asset visibility and vulnerability detection,” he explains.

Veeneman points out that “ironically, SolarWinds would be a component of the asset management requirements for continuous monitoring and reporting. If the component that is responsible for the asset management, monitoring, and reporting is compromised at the software supply chain level and provides invalid or erroneous asset management and tracking information, reducing the capacity to identify, remediate and resolve vulnerabilities, then the integrity of the process itself is compromised.”


“This is analogous to Operational Technology (OT) cybersecurity and being able to validate and trust the field and process level sensory and instrumentation data being sent to the PLC, SCADA, or HMI systems,” according to Veeneman. “If the data is erroneous, then the technician, operator, or engineer are unlikely to respond accordingly and take the effective and appropriate action.”

Veeneman adds that while CISA BOD 23-01 includes ‘any federal information system used or operated by another entity on behalf of an agency,’ this would not include the asset management, monitoring, and tracking of the SolarWinds development platform assets that were compromised and allowed the malicious code to be deployed to the software build and subsequent distributed updates. “That accountability and responsibility still falls to the external third-party software manufacturer to institute the necessary process and technical controls to ensure the integrity of the software.”

The CISA BOD 23-01 will likely push up investment costs as federal agencies update technology and processes and add the staff needed to carry out the mandated tasks. That makes it necessary to consider the impact on the industry and to look at how FCEB agencies will absorb these costs on an ongoing basis as they work to safeguard their cybersecurity posture.

“In my humble opinion, it is long overdue, as we have seen multiple cases of breaches, attacks, ransoms, and various other issues that have been plaguing FCEB agencies. Long gone are the days of antivirus and firewalls being the sole source of cybersecurity protection,” Smith said. “The reason why I keep coming back to technology is because the pool of experienced cybersecurity professionals is dangerously low, and because of the low supply, it really creates an advantage for the potential employees as they can ask the private sector for ever-increasing salaries. This becomes a stress point as typically FCEB salaries do not align with the private sector.”

Smith adds that agencies either have to become competitive with the private sector or invest in key technologies that act as staff augmentation, leveraging SOAR (security orchestration, automation and response) to manage repetitive, menial day-to-day security analyst duties and tasks.

Robinson said that, hopefully, agencies would use this directive and opportunity to quickly take a step back and re-evaluate and re-balance their cyber investments, tools, and priorities. “If we are also really going to include operation technology environments, then there needs to be a complete re-evaluation on how we apportion out cyber investments across IT and OT, and in doing so hopefully industry will do a better job at developing and demonstrating technical solutions that can identify and drive bottom line operational efficiencies for the agencies and not just be cyber cost centers,” he adds. 

On the cost factor to the FCEB agencies, Robinson said that he sees the federal agencies not dealing very well with the expenditure. “Typically, unfunded mandates have a short attention span.”

“Most of these agencies, certainly the larger ones, such as the Department of Veterans Affairs, the Department of Homeland Security, the Department of Justice, the Department of the Treasury, and the Department of Health & Human Services have tens of thousands, some over one hundred thousand employees, Veterans Affairs at approximately 300,000,” Veeneman said. “Assuming each employee has at least one or two technology assets, that leaves a staggering number of assets, and the equally staggering budgets currently in place for the basic technology asset management solutions and services that are already deployed.”


Veeneman says that there may already be the capacity to satisfy the first two requirements utilizing current technology asset management solutions and services deployed within some agencies, like the DOJ’s Cybersecurity Program, as part of the agency’s US$3.1B IT portfolio. “Other agencies may experience challenges that are relative to their size and scale that will certainly have an impact on investment costs and budget increases,” he adds.

Meeting the requirement for automated ingestion of vulnerability enumeration results into the CDM Federal Dashboard will largely depend on the current technology asset management solutions in place within each agency, and the ability of these solutions to ‘share’ information securely across transport mechanisms, such as proprietary or open APIs, Veeneman says.

“The CDM Program has had incremental successes to date, including the implementation of CDM Hardware Access Management (HWAM) in 2021 that provided the Department of Veterans Affairs (one of the largest agencies with 300,000+ employees and associated technology assets) with enhanced security operations visibility for hardware technology assets across the enterprise,” according to Veeneman. “Considering that portions of the foundation are already in place, there is the potential for cumulative progress over the coming months and year in collaborative efforts between CISA and the FCEB agencies, building on some of the previous success in recent years.”

With the CISA BOD 23-01 focusing on asset discovery and vulnerability enumeration, FCEB agencies will likely face challenges when protecting their networks. The experts focused on some of these factors federal networks face when safeguarding their operating environment. 

Focusing on supply chain issues, Smith said that numerous backbone technologies live inside FCEB networks and systems that get blindly updated/upgraded by vendors under a ‘Trust Model.’ “No one really, till relatively recently, has questioned the underlying dependency nightmare of these big shop vendors updating equipment and software which are riddled full of vulnerabilities.”  

Smith shares that he was looking at an industrial network switch with zero public vulnerabilities just the other day. “However, under the hood, when analyzed, there were 12 crypto key pairs, both the private key and the public key, available inside the firmware alongside three hardcoded root and administration passwords. This means anyone who gains access to this firmware can recover the private keys and utilize them for a forked attack.”  

“The NVD (National Vulnerability Database) has no recorded vulnerabilities but running the firmware through an SBOM evaluation tool popped this information within minutes of analysis,” Smith said. “When FCEB agencies start to explore implementing continuous monitoring solutions to address asset discovery and vulnerability enumeration, they should make special note to see if any of these vendors have the ability to capture firmware versions and validate if there is a certificate of SBOM for them. This will help early detection when third-party engineering firms update switches, routers, gateways, and various other software/hardware technology inside the federal networks,” he adds.
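Smith’s switch example is a reminder that a clean NVD record says nothing about what is baked into a firmware image. The check an SBOM or firmware evaluation tool performs for the two findings he names, embedded private keys and usable password hashes for privileged accounts, can be reproduced in a few dozen lines. The Python below is an added example written for this article, not any vendor’s tool or the tool Smith used; the firmware bytes are constructed (the key and hash bodies are filler, not real material), so it runs offline and only shows the detection side of the audit.

```python
"""Audit a firmware image for embedded PEM key material and hardcoded
privileged credentials in an /etc/shadow-style file.

Added illustration of the kind of check an SBOM/firmware evaluation
tool performs; not any vendor's code. SAMPLE_FIRMWARE is constructed:
the key bodies and password hashes are filler, not real secrets.
"""
import re

# A whole PEM private-key block; the END label must match the BEGIN label.
PRIVATE_KEY_BLOCK = re.compile(
    rb"-----BEGIN (?P<label>(?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
    rb".*?-----END (?P=label)-----",
    re.DOTALL,
)
CERTIFICATE_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)
# /etc/shadow-style line: user:hash:lastchange:...  (only the first two fields matter here)
SHADOW_LINE = re.compile(rb"^(?P<user>[a-z_][a-z0-9_-]*):(?P<hash>[^:\n]*):", re.MULTILINE)
PRIVILEGED_ACCOUNTS = {b"root", b"admin", b"administrator"}

# Constructed firmware image: boot filler, a fake RSA key, a fake certificate,
# a shadow fragment with two privileged accounts carrying usable hashes, a fake EC key.
FAKE_RSA_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"CONSTRUCTEDFILLERNOTAREALKEY000000000000000000000000000000\n"
                b"-----END RSA PRIVATE KEY-----\n")
FAKE_EC_KEY = (b"-----BEGIN EC PRIVATE KEY-----\n"
               b"CONSTRUCTEDFILLERNOTAREALKEY\n"
               b"-----END EC PRIVATE KEY-----\n")
FAKE_CERT = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTEDFILLER\n-----END CERTIFICATE-----\n"
FAKE_SHADOW = (b"root:$6$constructed$notarealhash:19000:0:99999:7:::\n"
               b"daemon:*:19000:0:99999:7:::\n"
               b"admin:$1$constructed$alsonotreal:19000:0:99999:7:::\n"
               b"operator:!:19000:0:99999:7:::\n")
SAMPLE_FIRMWARE = (b"\x00" * 64 + b"BOOT" + FAKE_RSA_KEY + b"\xff" * 32 + FAKE_CERT
                   + b"/etc/shadow\n" + FAKE_SHADOW + FAKE_EC_KEY + b"\x00" * 16)


def is_usable_hash(field):
    """True when the shadow hash field could authenticate a login (not locked/empty)."""
    if field in (b"", b"*", b"!!", b"x"):
        return False
    return not field.startswith(b"!")  # "!" prefix marks a locked account


def audit_firmware(blob):
    """Count embedded private keys and certificates and list privileged accounts with hashes."""
    private_keys = [m.group(0) for m in PRIVATE_KEY_BLOCK.finditer(blob)]
    certificates = CERTIFICATE_BLOCK.findall(blob)  # no groups, so whole matches are returned
    hardcoded = {
        m.group("user").decode()
        for m in SHADOW_LINE.finditer(blob)
        if m.group("user") in PRIVILEGED_ACCOUNTS and is_usable_hash(m.group("hash"))
    }
    return {
        "private_keys": len(private_keys),
        "certificates": len(certificates),
        "hardcoded_privileged_accounts": sorted(hardcoded),
    }


if __name__ == "__main__":
    print(audit_firmware(SAMPLE_FIRMWARE))
```

A real image is usually compressed or packed into a SquashFS/JFFS2 filesystem, so in practice the blob handed to `audit_firmware` is each file extracted from the image rather than the raw flash dump; the matching logic is the same. The count of private keys, not their contents, is what belongs in the asset record: it is enough to decide that the device needs a vendor fix before it is trusted on the network.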

Robinson said that mandating discovery and vulnerability enumeration is really the low bar. “We all agree that you can’t protect what assets you don’t know you have (or don’t have), and you also need to know, at a minimum, the vulnerabilities and threats to those assets. But then what? Patching, baselining, monitoring, incident preparedness, and response, staff training and education… It’s clear that there are plenty of challenges beyond this directive for FCEB agencies,” he adds.

“Sticking with the logical progression of the directive, the next elements would most likely be around binding compliance in patching, baselining, monitoring, incident preparedness, and response,” according to Robinson. “As the directive did, underwhelmingly, declare operational technology assets as part of the binding operational directive, the impending conversation around who ultimately owns and is accountable for safeguarding OT assets and environments for FCEB agencies must be had. IT is not OT!”

Robinson adds that most IT organizations are ill-equipped to properly understand or know how to manage OT environments. “This is not only an FCEB agency problem but an industry problem.”


“Looking at various cybersecurity and compliance frameworks and guidance from organizations such as the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), and the International Society of Automation (ISA), asset management is consistently a primary focus and lays the foundation for any cybersecurity program,” Veeneman said. However, he adds that effective programs also incorporate additional methods of protection, creating layers of defense to mitigate risk to sensitive and confidential information, critical business and operations systems, and ensuring the uptime and availability of vital systems.  

Veeneman also said that agencies must continue to improve holistic approaches to cybersecurity awareness and education, testing against phishing and social engineering threat vectors. “Agencies should understand the classification of data and information, developing data sensitivity tagging to aid in data loss prevention and data visibility across networks and the enterprise,” he adds.  

Most importantly, Veeneman concludes, agencies must examine their technology assets, prioritize the critical systems, determine the impact of loss, and set appropriate contingency and recovery plans, testing these on a determined recurrence, so that if a threat actor exploits a vulnerability against an asset, there is an effective response and resolution.
