CISA orders federal agencies to catalog their networks, and scan for bugs

You always want to know what is attached to your network. And whether it could be vulnerable or not.

In any organisation it’s normal for different devices, on- or off-prem, wired or wireless, to be constantly added or removed – and this can present an opportunity for malicious hackers to take advantage of improperly secured systems.

In many cases, organizations have no idea about how many assets they have, let alone where they are all located.

The answer is to perform regular automated scans to discover what assets are connected to your infrastructure, and enumerate any vulnerabilities that may be present.

The US Cybersecurity and Infrastructure Security Agency (CISA) told federal agencies on Monday that they will soon be required to keep track of assets and vulnerabilities on their networks.

By April 3 2023, all Federal Civilian Executive Branch agencies are required to ensure they are taking the following actions:

• Perform automated asset discovery every 7 days, which at a minimum must cover the entire IPv4 space used by the agency.
• Initiate vulnerability enumeration across all discovered assets, including all discovered nomadic/roaming devices (for instance, laptops), every 14 days.
• Automatically feed details of detected vulnerabilities into CISA’s Continuous Diagnostics and Mitigation (CDM) dashboard within 72 hours.
• Develop and maintain the capability to initiate on-demand asset discovery and vulnerability enumeration, in order to identify specific assets or vulnerabilities within 72 hours of receiving a request from CISA – and then provide the results back to CISA within 7 days of request.

When informing the media of the new directive, CISA director Jen Easterly highlighted the SolarWinds attack, where a sophisticated hacking group was able to use a poisoned update to the network management software to compromise networks inside government departments, critical infrastructure, and the private sector for months.

“If you’ve heard us talk at all about this, we have said consistently that we are on an urgent path to gain visibility into risks facing federal civilian networks,” said Easterly. “This was obviously a gap illuminated by SolarWinds.”

A key factor for organisations trying to defend themselves against attacks like SolarWinds is to be able to identify quickly the existence of compromised software on a network.

CISA says it will publish a common vulnerability-reporting data format within six months which agencies can use when feeding information into the CDM dashboard.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.