CISA orders federal IT overhaul with automated asset inventory, software scanning

Dive Brief:

• Federal agencies have until next April to maintain automated asset inventories and check for software vulnerabilities, requirements that are part of the Cybersecurity and Infrastructure Security Agency's Binding Operational Directive issued Monday.
• In a compulsory push to safeguard federal systems, agencies will have to begin automated asset discovery every seven days starting in April 2023. They will also need to conduct vulnerability enumeration every 14 days, checking servers, routers, switches, computers, mobile phones and other devices. Agencies will also check to make sure software is up to date and properly patched. 
• The information gathered during the automated searches will be uploaded to the Continuous Diagnostics and Mitigation (CDM) Agency Dashboard for further analysis and oversight, the directive said.

Dive Insight:

The Biden administration has taken major steps in recent months to implement parts of the president’s May 2021 Executive Order, which was enacted after the SolarWinds supply chain attack and ransomware attack on Colonial Pipeline. 

In mid-September the White House announced new guidelines for third-party software use, a move designed to get federal contractors to screen for vulnerabilities before their applications were loaded into federal computer networks. 

The end goal is to help the government gain better visibility into the nation’s IT infrastructure.

“The accounting of internet-connected federal assets could reduce the likelihood of another SolarWinds or Log4j incident and reduce sizable impacts stemming from limited asset inventories and associated software supply chain vulnerabilities,” said Ayan Islam, associate director of cybersecurity and emerging threats, at the R Street Institute.

One of the biggest criticisms after the SolarWinds attack was that state-linked threat actors were able to linger in private sector and federal systems for more than a year without detection. The attack was discovered by FireEye Mandiant, a private sector incident response specialist. 

The new directive is designed to provide additional insights into federal agency systems so officials will be able to spot a software vulnerability before it can be exploited by an outside threat actor. 

“Threat actors continue to target our nation’s critical infrastructure and government networks to exploit weaknesses with unknown, unprotected, or under-protected assets,” CISA Director Jen Easterly said in the announcement. “Knowing what’s on your network is the first step for any organization to reduce risk.”

Comments are closed.