CISA BOD 23-01 transforms FCEB agencies, with progress led by asset detection and vulnerability enumeration

Heightened focus on two key operations — asset discovery and vulnerability enumeration — has taken center stage across federal civilian executive branch (FCEB) agencies, pushing them to make measurable progress across their networks.

The headway made by FCEB agencies comes in response to the U.S. Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 23-01. Progress against the directive can be measured by the number of federal agencies that have implemented asset discovery and vulnerability enumeration processes, and by how effective those processes have been at identifying and addressing security risks within the agencies.

The FCEB agencies have been called upon to ensure compliance with BOD 23-01 by Apr. 3, 2023, including developing and maintaining strong asset detection and vulnerability enumeration capabilities with high-fidelity data of all assets. To ensure compliance, agencies should review existing asset detection and vulnerability enumeration processes, identify any gaps, and determine what capabilities need to be developed or improved. These requirements also play a key role in conducting continuous and comprehensive asset visibility and vulnerability enumeration for all IP-addressable networked assets across IPv4 and IPv6 protocols.

Following the goals laid out in President Joe Biden’s Executive Order 14028 in May 2021, the CISA BOD 23-01 compliance deadline of Apr. 3 has called for existing technology asset management solutions and services to be improved upon to achieve the specific requirements identified within the directive. These essentials include automated asset discovery every seven days and vulnerability enumeration across all assets every fortnight. It also presses for the automated ingestion of enumerated results into the Continuous Diagnostics and Mitigation (CDM) federal dashboard within 72 hours while maintaining the operational capacity to perform on-demand asset discovery within 72 hours of a request from CISA.

The CDM Program provides cybersecurity tools, integration services, and dashboards to participating agencies to support them in improving their respective security postures. Its objectives include reducing agency threat surfaces, increasing visibility into the federal cybersecurity posture, improving federal cybersecurity response capabilities, and streamlining Federal Information Security Modernization Act (FISMA) reporting. 

BOD 23-01 also requires FCEB agencies, by Apr. 3, to initiate automated ingestion of vulnerability enumeration results into the CDM Agency Dashboard within 72 hours of discovery completion. They must also develop and maintain the operational capability to initiate on-demand asset discovery and vulnerability enumeration to identify specific assets or subsets of vulnerabilities within 72 hours of receiving a request from CISA, and provide the available results to CISA within seven days of the request.
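As an added example (not code from CISA, the CDM program, or any vendor quoted in this article), the following Python script checks a constructed asset inventory against the cadences the directive sets out above: discovery within seven days, vulnerability enumeration within 14 days, and ingestion of enumeration results into the dashboard within 72 hours. The record layout, the asset names and the fixed reference time are assumptions made for illustration; the on-demand request requirement is not modelled.

```python
"""
Cadence checker for BOD 23-01 asset discovery and vulnerability enumeration.
Added example: the thresholds come from the directive's stated requirements,
the record layout and the sample inventory are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Cadences stated in the directive: automated discovery every 7 days,
# enumeration every 14 days, results ingested into the dashboard within 72 hours.
DISCOVERY_MAX = timedelta(days=7)
ENUMERATION_MAX = timedelta(days=14)
INGESTION_MAX = timedelta(hours=72)


@dataclass
class AssetRecord:
    asset_id: str                        # constructed identifier
    last_discovered: datetime            # last time automated discovery saw the asset
    last_enumerated: Optional[datetime]  # last enumeration run, None if never enumerated
    ingested_at: Optional[datetime]      # when that run's results reached the dashboard


def check_asset(rec: AssetRecord, now: datetime) -> List[str]:
    """Return the cadence violations for one asset; an empty list means compliant."""
    findings: List[str] = []
    if now - rec.last_discovered > DISCOVERY_MAX:
        findings.append("discovery-overdue")
    if rec.last_enumerated is None:
        findings.append("never-enumerated")
        return findings  # nothing has been produced that could be ingested
    if now - rec.last_enumerated > ENUMERATION_MAX:
        findings.append("enumeration-overdue")
    if rec.ingested_at is None:
        # Results exist but have not reached the dashboard: overdue once 72 h pass.
        if now - rec.last_enumerated > INGESTION_MAX:
            findings.append("ingestion-overdue")
    elif rec.ingested_at - rec.last_enumerated > INGESTION_MAX:
        # Results arrived, but later than the 72-hour window allows.
        findings.append("ingestion-late")
    return findings


def audit(records: List[AssetRecord], now: datetime) -> Dict[str, List[str]]:
    """Map every asset id to its list of findings."""
    return {r.asset_id: check_asset(r, now) for r in records}


def compliant_fraction(records: List[AssetRecord], now: datetime) -> float:
    """Share of assets with no findings, the coverage figure a dashboard would show."""
    if not records:
        return 0.0
    ok = sum(1 for r in records if not check_asset(r, now))
    return ok / len(records)


# Constructed sample inventory, evaluated against a fixed reference time.
NOW = datetime(2023, 4, 3, tzinfo=timezone.utc)


def _ago(**kwargs) -> datetime:
    return NOW - timedelta(**kwargs)


SAMPLE_INVENTORY = [
    # fully compliant: recent discovery, recent enumeration, ingested within 10 h
    AssetRecord("ws-01", _ago(days=2), _ago(days=5), _ago(days=5) + timedelta(hours=10)),
    # discovery is 9 days old; enumeration (9 days) is still inside the 14-day window
    AssetRecord("srv-02", _ago(days=9), _ago(days=9), _ago(days=9) + timedelta(hours=1)),
    # discovered but never enumerated (the OT gap the article describes)
    AssetRecord("plc-03", _ago(days=1), None, None),
    # enumeration 16 days old and its results took 96 h to be ingested
    AssetRecord("db-04", _ago(days=3), _ago(days=16), _ago(days=16) + timedelta(hours=96)),
    # enumerated 4 days ago, results still not ingested
    AssetRecord("vm-05", _ago(days=1), _ago(days=4), None),
]

if __name__ == "__main__":
    for asset_id, findings in audit(SAMPLE_INVENTORY, NOW).items():
        print(f"{asset_id}: {', '.join(findings) or 'compliant'}")
    print(f"compliant assets: {compliant_fraction(SAMPLE_INVENTORY, NOW):.0%}")
```

Run against a real inventory export, the same three checks give an agency a per-asset view of which of the directive's clocks it is missing, rather than a single pass/fail figure, which is what separates a discovery gap from an ingestion pipeline problem.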

The directive also states that within six months of CISA publishing requirements for vulnerability enumeration performance data, all FCEB agencies are required to initiate the collection and reporting of vulnerability enumeration performance data, as relevant to this directive, to the CDM Dashboard. It further adds that by Apr. 3, agencies and CISA, through the CDM program, will deploy an updated CDM Dashboard configuration that enables access to object-level vulnerability enumeration data for CISA analysts.

Apart from these provisions, CISA is set to publish data requirements for agencies to provide machine-level vulnerability enumeration performance data in a common data schema. Within 18 months of issuance, CISA will also review the directive to ensure the requirements remain relevant to the cybersecurity landscape. Lastly, by the end of each fiscal year, CISA will provide a status report to the Secretary of Homeland Security, the director of OMB, and the National Cyber Director identifying cross-agency status, agency asset discovery, and vulnerability management performance indicators.

Industrial Cyber contacted cybersecurity experts to evaluate industry preparedness ahead of the Apr. 3 deadline for FCEB agencies to meet the requirements of CISA BOD 23-01, focusing on visibility and vulnerability. They also provide detail on what has been happening at these agencies, and the measures adopted to improve their focus on visibility and vulnerability across their environments.

Chad Keefer, vice president for federal civilian and FSI at Forescout Technologies

“Each agency is at a different level of preparedness for the April 3rd deadline. When working closely with agency partners, we’ve identified a multitude of factors that are impacting their preparedness such as change control, stakeholder ownership, network complexity as well as internal agency mandates to name a few,” Chad Keefer, vice president for federal civilian and FSI at Forescout Technologies, told Industrial Cyber. “We have to remember that the goal of the BOD is to help agencies drive measurable progress toward enhancing visibility into their assets and associated vulnerabilities. Many of the agencies’ CDM implementations provide access to such capabilities.”

Keefer added that the CDM program participants are encouraged to follow CISA best practices and NIST’s guidance. “While we can’t speak for any particular agency, as a vendor we believe it’s imperative that all federal networks prioritize continuous discovery upon an asset’s admission to the enterprise.”

Hillary Palmer, regional director, civilian federal at Nozomi Networks

Most FCEB agencies are well on their way to being compliant with the deadline for their IT assets, since IT asset inventory and vulnerability enumeration has been a funded goal of CDM since 2012, Hillary Palmer, regional director, civilian federal at Nozomi Networks, told Industrial Cyber. “However, six months to prepare to add OT asset and vulnerability management to the CDM dashboard is a very short timeline in a federal procurement cycle.”

Palmer said that most FCEB agencies did not own OT asset inventory and vulnerability assessment tools before BOD 23-01 was released in October, which fell in the middle of a continuing resolution, so no new purchases could be made. “In short, the majority of the FCEB agencies will not be able to meet this timeline and will need to get exemptions or waivers until they do.”

Some FCEB agencies are further along in their OT cyber journey, but before BOD 23-01, OT asset and vulnerability enumeration was not a widespread FCEB initiative nor were OT cyber products previously funded by CDM, like their IT counterparts, according to Palmer.

Grant Geyer, chief product officer at Claroty

Grant Geyer, chief product officer at Claroty, told Industrial Cyber that what is more important than the mechanics of the BOD are the behavioral outcomes it will drive. “Once federal agencies have visibility into the volume and severity of the vulnerabilities within their systems, as well as the potential impact of a successful compromise, the problems will be so clear that decision-makers who do not embrace remediation will shift from a state of ignorance to that of negligence,” he added.

The executives look into the mechanisms that have been put in place to maintain an up-to-date inventory of networked assets, to enable FCEB agencies to improve asset visibility and vulnerability detection on national networks.

“The goal of the CDM program for agencies has always been real-time, automated, continuous awareness of assets,” Keefer pointed out. “This has been a foundational capability of the CDM program since its inception and continues to be critical in helping agencies identify their entire threat profile. Agencies have access to a number of tools – maybe too many.” 

Keefer added that resourcing and subject matter expertise can often be an area where improvements are necessary. “We find that many of our customers are responsible for an increasing number of toolsets and mandates with little to no support from additional headcount.”

FCEB agencies have put products and processes in place to meet CDM IT asset and vulnerability requirements over the life of the CDM program, Palmer said. “Those processes have not yet extended to the OT environment, therefore most agencies are not properly equipped for asset visibility and vulnerability detection on Federal networks,” she added.

Geyer said that the good news is that CISA provides a lot of support and guidance to help federal agencies prioritize their efforts to address these vulnerabilities. “While the amount of vulnerable software out there is mind-boggling, only 3% of it has known exploits. Using this simple guidance from CISA, agencies can move swiftly to address the most high-risk areas in their environments.”

As the new rules come into force, the executives outline how frequently the FCEB agency would monitor how it enumerates its assets, what level of asset coverage it achieves, and how current its vulnerability signatures are.

Keefer said that ensuring full visibility of all assets is fundamental to an enumeration strategy. “Having real-time awareness of assets along with their connectivity profile across the network ensures a comprehensive view of the asset landscape and associated attack vectors that could be potential avenues of exploitation. Automating rules to examine connection and/or authentication events would yield a large set of asset information that could then be stored within a repository such as desktops, mobile devices, cloud images, and OT/IoT.”

“Networks consist of many enclaves that do different things and service various business silos and functions. Defining the appropriate scope is key to addressing and reporting the level of asset coverage that’s required,” Keefer added. “The fidelity of vulnerability signatures for enterprise assets is critical. It’s a constant battle to keep signatures updated to mitigate the latest threats. I think what’s equally important, along with accurate signatures, is full visibility into the environment – scanning only a percentage of the devices you think you have presents a huge attack surface.”

Palmer said that although BOD 23-01 only mandates every 72 hours, most technologies can provide a real-time continuous inventory of enumerated assets and vulnerabilities in their IT environments. “100% coverage of OT assets and vulnerabilities within 1 year of deployment should be an agency goal. With the proper OT asset and vulnerability tools in place, FCEB agencies can achieve the same visibility in their OT environments as they currently have in.”

“An often overlooked set of assets that are in scope of the BOD are operational technology (OT) assets,” Geyer pointed out. “These systems that control building automation, provide clean drinking water, and power electric grids are becoming increasingly connected assets and therefore increasingly exposed to new threat vectors.”

When dealing with software vulnerabilities, the executives provide measures that FCEB agencies can adopt to provide for vulnerability enumeration that identifies and reports suspected vulnerabilities on those assets. They also assess how quickly these vulnerabilities can be dealt with once identified.

“Any vulnerability scanning program needs to function in real-time and with personal-based priority established so that the most critical external facing systems are known and protected,” Keefer said. “Scans conducted weekly could miss essential activity that comes and goes from a network at a moment’s notice. Ensuring a continuous process in which data is collected and analyzed that establishes the remediation timeframe.”

Agencies should follow the defined vulnerability remediation process (NIST 800-40) outlined in their risk mitigation policy for ‘Critical,’ ‘High,’ ‘Moderate,’ and ‘Informational’ issues, Keefer highlighted. “Once discovered, vulnerabilities follow a process to establish priority, possible remediation, and continued monitoring. Best practices state critical vulnerabilities are to be remediated within 15 days, and high vulnerabilities are to be remediated within 30 days.”

“In an OT environment, identifying vulnerabilities is critical to understand an agency’s risk posture,” Palmer commented. “However, because of the sensitivity and zero downtime thresholds in most OT critical infrastructure environments, it is unlikely that all of these vulnerabilities will be able to be mitigated. In these instances, compensating controls like real-time OT monitoring solutions are necessary to mitigate risk and their deployment must be accelerated,” she added.

The executives determine factors that these agencies must keep in mind when requesting CISA’s assistance in conducting an engineering survey to baseline current asset management capabilities.

Keefer said validating the tools requires the use of the RFS process to see all assets. He encourages agencies to obtain training and to request an onsite review via adoption engineering services.

“CISA has provided both products and services through the CDM program for the past 11 years to help FCEB agencies obtain their IT asset inventory and vulnerability assessment information,” Palmer said. “However most FCEB agencies don’t have the products or processes built to implement asset and vulnerability parity for their OT assets. Agencies must keep OT assets and vulnerabilities in mind when asking for CISA’s assistance.”
