CISA directs federal agencies to track software and vulnerabilities

Federal civilian agencies have been ordered to “better account” for the technology they use and the vulnerabilities that may be within it, according to a statement from the Cybersecurity and Infrastructure Security Agency (CISA).

CISA issued Binding Operational Directive (BOD) 23-01 on Monday outlining efforts federal civilian agencies must make to “identify assets and vulnerabilities on their networks and provide data to CISA on defined intervals.”

CISA Director Jen Easterly told reporters during a press call that hackers have not stopped targeting weaknesses within unknown, unprotected, or under-protected assets throughout the country’s critical infrastructure and government networks. 

She referenced the scandal surrounding SolarWinds as one of the many reasons why the directive was needed across the federal government. 

“Knowing what’s on your network is the first step for any organization to reduce risk,” Easterly said. 

“While this Directive applies to federal civilian agencies, we urge all organizations to adopt the guidance in this directive to gain a complete understanding of vulnerabilities that may exist on their networks. We all have a role to play in building a more cyber resilient nation.”  

CISA said that by having a clearer picture of what software and hardware are used across federal civilian agencies, they can be better prepared to “detect, prevent, and respond to cybersecurity incidents and better understand trends in cybersecurity risk.”

The agency echoed Easterly’s remarks, urging private businesses and state, local, tribal and territorial (SLTT) governments to “prioritize implementation of rigorous asset and vulnerability management programs.”

The finer details

CISA said the directive will be considered a success when all federal civilian agencies have an up-to-date inventory of networked assets, a list of software vulnerabilities, data on how often an agency tracks its assets and the ability to send all of this to CISA.

The agency said the discovery of assets and vulnerabilities "can be achieved through a variety of means," including active scanning, passive flow monitoring, querying logs, or in the case of software-defined infrastructure, API query.

By next April 3 all federal civilian agencies need to perform automated asset discovery every week, and have a vulnerability enumeration program across all discovered assets, including laptops, every 14 days.

Agencies will also be asked to perform a similar type of vulnerability enumeration on mobile devices and other tools. The directive orders agencies to be able to initiate on-demand asset discovery and vulnerability enumeration within 72 hours of a request from CISA. 

The directive provides a range of timelines for actions agencies need to take once CISA publishes more technical requirements. 

Agencies will provide CISA with a progress report 6, 12 and 18 months after the release of the directive.

Easterly told reporters that the directive is part of a more urgent, comprehensive effort to gain better visibility into the risks facing federal civilian networks. 

Since the SolarWinds fiasco in 2020 saw several federal agencies and corporations compromised by malicious code that was added into SolarWinds software, Easterly said Congress and the Biden Administration has given CISA significant support, resources and authority to take stronger action when it comes to protecting federal networks. 

CISA is now trying to get a more granular understanding of federal cybersecurity risks, Easterly explained. 

“This [directive] takes the next step by establishing baseline requirements for agencies to identify those assets and vulnerabilities and this is a movement essentially to allow CISA, in its role as operational lead for federal cybersecurity, to manage the federal cybersecurity as an enterprise,” she said. 

“That's incredibly important and really reflects our emerging, rapidly-maturing role.”

Two weeks ago, the White House issued similar guidance focused exclusively on software, ordering federal agencies to create a full inventory of the software they use within 90 days.