Improving Asset Visibility
and Vulnerability Detection On Federal Networks

by Mark Harris Oct 27, 2022

I was catching up on my govtech reading the other day and came across a new BOD issued by CISA regarding the steps that need to be undertaken ASAP toward cyber-security policy compliance. While they note that this is not the complete set of steps that must be undertaken over the long haul, I think this BOD is a reality-based statement that MORE must be done to combat the risk of cyber intrusion and that NOT enough progress has been made organically over the last 25 years (since the internet became generally available).

From the CISA.gov website:

“The purpose of this Binding Operational Directive is to make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities. While the requirements in this Directive are not sufficient for comprehensive, modern cyber defense operations, they are an important step to address current visibility challenges at the component, agency, and FCEB enterprise level. The requirements of this Directive focus on two core activities essential to improving operational visibility for a successful cybersecurity program: asset discovery and vulnerability enumeration.

• Asset discovery is a building block of operational visibility, and it is defined as an activity through which an organization identifies what network addressable IP-assets reside on their networks and identifies the associated IP addresses (hosts). Asset discovery is non-intrusive and usually does not require special logical access privileges.
• Vulnerability enumeration identifies and reports suspected vulnerabilities on those assets. It detects host attributes (e.g., operating systems, applications, open ports, etc.), and attempts to identify outdated software versions, missing updates, and misconfigurations. It validates compliance with or deviations from security policies by identifying host attributes and matching them with information on known vulnerabilities. Understanding an asset’s vulnerability posture is dependent on having appropriate privileges, which can be achieved through credentialed network-based scans or a client installed on the host endpoint.”

And the BOD goes on to itemize the REQUIRED ACTIONS needed and timeframes:

“By April 3, 2023, all FCEB agencies are required to take the following actions on all federal information systems in the scope of this directive:

1. 1. Perform automated asset discovery every 7 days. While many methods and technologies can be used to accomplish this task, at a minimum this discovery must cover the entire IPv4 space used by the agency.
   2. Initiate vulnerability enumeration across all discovered assets, including all discovered nomadic/roaming devices (e.g., laptops), every 14 days.

• CISA understands that in some instances achieving full vulnerability discovery on the entire enterprise may not complete in 14 days. Enumeration processes should still be initiated at regular intervals to ensure all systems within the enterprise are scanned on a regular cadence within this window.
• To the maximum extent possible and where available technologies support it, all vulnerability enumeration performed on managed endpoints (e.g., servers, workstations, desktops, laptops) and managed network devices (e.g., routers, switches, firewalls) must be conducted with privileged credentials (for the purpose of this directive, both network-based credentialed scans and client- or agent-based vulnerability detection methods are viewed as meeting this requirement).
• All vulnerability detection signatures used must be updated at an interval no greater than 24 hours from the last vendor-released signature update.
• Where the capability is available, agencies must perform the same type of vulnerability enumeration on mobile devices (e.g., iOS and Android) and other devices that reside outside of agency on-premises networks.
• All alternative asset discovery and vulnerability enumeration methods (e.g., for systems with specialized equipment or those unable to utilize privileged credentials) must be approved by CISA.

1. 1. Initiate automated ingestion of vulnerability enumeration results (i.e., detected vulnerabilities) into the CDM Agency Dashboard within 72 hours of discovery completion (or the initiation of a new discovery cycle if the previous full discovery has not been completed).
   2. Develop and maintain the operational capability to initiate on-demand asset discovery and vulnerability enumeration to identify specific assets or subsets of vulnerabilities within 72 hours of receiving a request from CISA and provide the available results to CISA within 7 days of request.

• CISA understands that in some instances agencies may not be able to complete a full vulnerability discovery on the entire enterprise within this period. It is still necessary to initiate the enumeration process within this time period as any available results will provide CISA and agencies situational awareness in response to imminent threats.”

So where does that leave us?

Federal or Enterprise, we all need to renew our efforts to understand and document the DETAIL of what we are betting our very existence upon and make it more manageable, more defendable, and more secure. The digital infrastructure that we all know is powering our real work has become significantly tactical, greatly under-managed, and under-documented and the confidence in its ability to withstand stress (cyber or operational) continues to decline.

NetBrain realized this same scenario now called out in the BOD and delivers the ability to automatically discover the network on a continual basis, and when combined with our overlay of the actually desired behaviors (we call them network intents), can assure that the network is delivering the connectivity, performance and security controls in real-time needed to comply with the CISA mandate.