It’s official – the U.S. Government needs to improve its asset visibility and vulnerability detection on federal networks. CISA stated this in its Binding Operational Directive (BOD) 23-01, released on 10/3/22.
Specifically, BOD 23-01 requires all Federal Civilian Executive Branch (FCEB) agencies to begin performing automated asset discovery every seven days. This discovery must at a minimum include the entire IPv4/IPv6 space used by the agency. Agencies must also initiate vulnerability enumeration across all discovered assets every 14 days.
Additionally, within six months of CISA publishing its vulnerability enumeration data requirements, all FCEB agencies will begin reporting their vulnerability enumeration performance data to the CDM Dashboard. Finally, by the Directive deadline of April 3, 2023, agencies and CISA, through the CDM program, will deploy an updated CDM Dashboard configuration that enables access to object-level vulnerability enumeration data for CISA analysts.
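As an added illustration (not from the Directive or from Armis), the following script checks an asset inventory against the two cadences above: discovery within 7 days and vulnerability enumeration within 14 days, plus a check that each discovered asset actually falls inside the agency's declared IPv4/IPv6 space. The inventory, the address ranges and the `Asset` record layout are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Cadences stated in BOD 23-01: discovery every 7 days, enumeration every 14.
DISCOVERY_WINDOW = timedelta(days=7)
VULN_ENUM_WINDOW = timedelta(days=14)


@dataclass
class Asset:
    ip: str
    last_discovered: datetime
    last_vuln_enum: Optional[datetime]  # None means never enumerated


def in_agency_space(ip: str, ranges: List[str]) -> bool:
    """True if the address lies in one of the agency's declared CIDR blocks."""
    addr = ip_address(ip)
    return any(addr in ip_network(r) for r in ranges)


def overdue(assets: List[Asset], ranges: List[str], now: datetime) -> Dict[str, List[str]]:
    """Map each non-compliant asset IP to the list of checks it fails."""
    findings: Dict[str, List[str]] = {}
    for a in assets:
        issues = []
        if now - a.last_discovered > DISCOVERY_WINDOW:
            issues.append("discovery_overdue")
        if a.last_vuln_enum is None or now - a.last_vuln_enum > VULN_ENUM_WINDOW:
            issues.append("vuln_enum_overdue")
        if not in_agency_space(a.ip, ranges):
            issues.append("outside_declared_space")  # coverage gap in the scan scope
        if issues:
            findings[a.ip] = issues
    return findings


def sample_findings() -> Dict[str, List[str]]:
    """Run the check over a constructed inventory as of the Directive deadline."""
    now = datetime(2023, 4, 3)
    ranges = ["192.0.2.0/24", "2001:db8::/32"]  # constructed documentation ranges
    assets = [
        Asset("192.0.2.10", now - timedelta(days=1), now - timedelta(days=3)),
        Asset("192.0.2.20", now - timedelta(days=8), now - timedelta(days=3)),
        Asset("2001:db8::5", now - timedelta(days=2), None),
        Asset("198.51.100.7", now - timedelta(days=1), now - timedelta(days=15)),
    ]
    return overdue(assets, ranges, now)
```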
This Directive is an important step forward that will strengthen government cybersecurity. The integration into CDM is important because CDM DEFEND will be a significant programmatic and contractual mechanism for addressing improved asset visibility. The new Directive outlines foundational work that must be done. However, staying ahead of attacks is becoming increasingly difficult given the rapid proliferation of unmanaged assets (IT, OT, IoT and IoMT) on federal networks.
BOD 23-01 includes this powerful statement: “Since we cannot mitigate risks we cannot see, we will actively hunt for cyber threats and engage the cybersecurity community to drive disclosure and mitigation of critical vulnerabilities.” At Armis, we could not agree more! Due to the explosion of endpoints in the past few years, many federal agencies are experiencing a “visibility gap” where IT security leaders can’t see all the vulnerable assets on their networks – let alone enumerate the vulnerabilities.
The challenge is that legacy security tools can only see managed – not unmanaged – devices on the network. These unmanaged devices are a gigantic blind spot in federal network protection. To make matters worse, nation-states are now actively targeting unmanaged IoT/OT devices. Coupled with rising tensions between Russia and the rest of the world, this leaves U.S. critical infrastructure under increased threat of cyberattacks.
Traditional endpoint detection and response (EDR) systems don’t work on unmanaged devices because those devices can’t run security agents. In almost every environment there is also a small number of managed devices that are not enrolled in the customer’s EDR solution, and these systems are in jeopardy of falling through the cracks as well. These unseen devices don’t generate logs, and scanning them with a network scanner is dangerous. Agencies need an agentless EDR security platform that can solve this problem by covering the gaps left by legacy, agent-based solutions.
The Armis Platform is entirely agentless, providing 100 percent asset visibility. Armis also continuously monitors the state and behavior of all devices on a network for indicators of attack. When a device operates outside of its known-good profile, Armis issues an alert or triggers automated actions. The alert can be caused by a misconfiguration, a policy violation, or abnormal behavior such as inappropriate connection requests or unusual software running on a device.
I’ve seen how impactful it is when this additional visibility into unmanaged assets is “switched on.” When the CDM program upgraded to a new dashboard configuration that implemented Elasticsearch technology, thousands of hitherto unseen assets and vulnerabilities were suddenly visible on federal networks.
The agentless Armis platform not only adds visibility but also simplifies and speeds deployment. It can quickly be integrated into whatever security systems an agency already has in place. And it is also totally passive so that it won’t disrupt the operations of devices. Automated enforcement is immediate and continuous because the discovery of assets and identification of issues works in real time.
With each new initiative over the past few years, the Government has continued to lay the groundwork for the continuous monitoring of federal computer systems and improved mitigation of vulnerabilities discovered. At Armis we applaud these moves and will support our federal clients with compliance. We can help an agency meet the requirements of BOD 23-01 almost immediately.
That said, a comprehensive cybersecurity posture across an entire agency requires accounting for all managed and unmanaged assets. Agencies must achieve a consolidated view of their risk posture. Helping clients get there continues to be the mission at Armis.