OMB Orders Agencies to Automate and Inventory IoT Risks

Typically, the federal information security and privacy management guidance is a quiet annual memo reserved, even within the Federal community, to the wonkiest cadre of IT security managers. But the stakes have changed, the threats are coming through trusted software, via mission critical cloud services, and through assets no one thought to watch or even knew were connected to the network. Accordingly, the Office of Management and Budget (OMB) shakes things up in the FY24 FISMA Guidance (M-24-04) by getting back to basics in the most modern way possible. The guidance reiterates the criticality of the most fundamental of cybersecurity practices and establishes clear expectations for federal CIOs and CISOs for FY24 and the future. OMB requires agency CIOs and CISOs to not only underpin their Zero Trust journey by engaging more deeply with the CDM program, but also to inventory IoT devices in alignment with BOD 23-01. This is what takes this latest FISMA guidance from wonky to wonderful — a comprehensive focus aligned with the modern threat.

Known Challenges are Only the Tip of the Iceberg: Attack Surface Continues to Expand

Connected assets, including IoT devices, cloud, IT, 5G, building management systems (BMS) and beyond are key points of entry that are often targeted by cybercriminals, as these assets are typically undermanaged or totally unmanaged. In fact, Armis recently found that on an average business day, over 55,000 physical and virtual assets are connected to an organization’s network, of which only 60% of these assets are monitored. Additionally, Armis research shows that IoT devices see twice the volume of cyberattacks as IT devices and the number of non-IT/mobile assets is expected to triple by 2025. Without a focus on these below the surface devices, outages like we’ve seen at Toyota, Port of London, Colonial Pipeline, and JBS meatpacking will become more common.

FY24 FISMA Requirements Step by Step: Inventory is the Foundation

In M-24-04, OMB recognizes IoT as a critical risk and significant gap in the Federal government. The guidance begins by reiterating the Administration’s focus on modernizing Federal enterprise and addressing threats “both inside and outside traditional network boundaries.” The National Cybersecurity Strategy set clear goals for modernizing the Federal information technology via Zero Trust principles and the memo contains one of the most striking restatements of this approach:

“The Federal Government no longer considers any Federal system or network to be “trusted” unless that confidence is justified by clear data; this means internal traffic and data must be considered at risk.”

In the memo, OMB continues to push agencies to increase the scope of their oversight, improve the quality of their information, and increase the velocity of their inspections. It asserts that to truly secure the networks and systems delivering life-saving and critical services to the nation, CIOs and CISOs must have comprehensive and flexible visibility into all devices on their network. They must establish an automated inventory of hardware, software and firmware running these services. They must maintain this inventory in real time, and they must be able to integrate this information into their risk management and incident response processes. Indeed, the memo underscores a trustworthy inventory as the only way to ensure thin budgets are properly applied to areas of greatest risk.

How Armis Can Help

Armis can help CIOs and CISOs win the battle by leveraging your existing toolset and combining that with our proven experience in identifying and classifying non-standard IoT and OT equipment. Armis got its start in the world of IoT/OT where standard IT inventory and vulnerability management practices are almost as dangerous as hackers. Scanning SCADA equipment can shut down water purification for an entire city, fingerprinting MRI machines or Infusion pumps can delay life saving care.

Armis Centrix™, the cyber exposure management platform, allows agencies to passively identify, classify and map the make, model, firmware and location of every OT device on a network is continually rated the best in the industry. Our Asset Intelligence Engine leverages our world-wide experience and visibility into billions of assets to ensure Federal agencies can meet and exceed the IoT expectations. Couple this with Armis’ ability to collect data from standard IT tools via API and you can quickly see how our comprehensive and consolidated inventory capability is the trusted scaffolding of your converged risk management program.

FY24 FISMA Requirements Step by Step: The IG Metrics

The foundation of FISMA reporting is the Inspector General metrics. These are established every two years in collaboration with the CIO Council to drive Federal improvements in alignment with Administration priorities. Out of the 20 metrics assessed by the IG for FY23 and FY24, Armis can deliver solutions for six and automate or enable another ten. Armis can help CISOs improve their FISMA score by affecting the outcome for 80% of the measured goals.

FY24 FISMA Requirements Step by Step: Modernize with Zero Trust

OMB places significant expectations on Zero Trust — it continues to be the framework OMB expects agencies to implement and modernize toward. Armis can assist Agencies in planning and implementing the goals of EO 14028 and M-22-09.

• Armis can help agencies improve planning and prioritization by mapping assets to security tools and providing real data on the effectiveness of your current security stack and highlight gaps and duplicative coverage.
• Armis can track and report on the scope and quality of critical cybersecurity deployments and ensure it aligns with your cyber goals.
• Armis can use its comprehensive view into your asset risk status to integrate, automate and improve your real-time network access control and network segmentation efforts.

FY24 FISMA Requirements Step by Step: Engage CDM

In section I of M-24-04, OMB requires agencies to increase coordination with and visibility of CDM capabilities:

• Armis supports CDM data flow and is an easier, more modern tool for consolidating and reporting on hardware assets, installed software, vulnerabilities, and configurations.
• Armis delivers real-time asset data and automated reporting, and can modernize and simplify your layer B deployment.
• Armis allows Agencies to leverage data from existing tools and provide simple, standardized reports of your current risk posture to operators, executives, and CISA.
• Armis can support asset discovery to ensure you not only manage the devices you know about, but also discover everything you didn’t know was on your network.
• With Armis, Agencies can achieve the BOD-23-01 and M-24-04 requirements of managing and reporting on every device connected to the network.

FY24 FISMA Requirements Step by Step: Inventory IoT Risk

In section II, OMB is upping the ante by focusing on Internet of Things. Clearly OMB and CISA are driving federal agencies to include IoT and OT assets into the IT risk portfolio, and outyears will see more prescriptive actions. This has been communicated clearly in BOD-23-01 and included as a focus of the National Cybersecurity Strategy and reiterated in stages in the FY2023 and FY2024 FISMA Guidance. Agencies must expect that the integration of IoT and IT is now a foundational capability all CIOs and CISOs have in their portfolio. For NIST, OT is a subset of IoT. Examples include industrial control systems, building management systems, fire control systems and physical access control mechanisms. Every agency has these in their environment, and many have even more specialized medical and research equipment.

Manage Your IoT/OT Risk with Armis

Discovering and managing IoT/OT risk is where Armis started. A converged IT and IoT risk is what we’ve matured into. Through targeted integrations and by passively collecting network metadata, Armis can identify billions of individual device types. We categorize assets by type and usage and provide detailed make, model and firmware data. Armis allows agencies to locate devices physically in their environment and group devices into rational boundaries where they can apply impact assessments and tag them with owners for speeding response. Armis leverages collectors for gathering network telemetry and for API-based integrations with on-site tools.

These are physical or virtual devices that can leverage span or taps collecting network metadata, and an ethernet port for integrations and connectivity to cloud tenants. For agencies with an existing investment in network observability solutions implementation is even easier. As a cloud-first SaaS, Armis can deliver IT and IoT risk management to the largest, most federated environments quickly and easily. Armis’ architecture means large, federated environments can delegate operations and control over IT and IoT risk assessments to those closest to the mission, while roll-up and reporting is available to headquarters and those responsible for aggregating to CISA, OMB and the IG.

With Armis, you can meet and exceed OMB’s goal of establishing an enterprise-wide inventory of IoT assets by the end of FY 24:

Asset Identification: All devices and systems that meet the provided definition of covered IoT assets.	Armis asset identification is over 99% accurate. Armis deduplicates from multiple sources ensuring you have the most accurate and comprehensive list assets on your network and enhances this capability with native network analysis.
Asset Description: Including make, model and any relevant specifications or configurations. Each asset should have a unique identifier, such as a serial or asset tag, to distinguish it from other assets.	Armis identification includes make, model, and serial number. Every asset in the Armis database is identified with a unique id.
Asset Categorization: Factor in the device’s function, location, and criticality. Include the following information:	Armis goes beyond simple identification and classifies devices by function. Armis knows if a tablet is part of an MRI system or used as a nursing station. Armis’ Asset intelligence engine uses Machine Learning to classify devices not only by how they appear on the network, but also by how they behave.
Identification and/or description of specific agency FISMA and HVA systems associated with the asset; and	Armis allows the use of boundaries and tags which can be used to group devices into a collection supporting a FISMA system. Boundaries also accept risk categorizations such as High, Medium, Low and these classifications are used as part of the Armis Vulnerability Prioritization and Remediation application.
The physical location of the asset (e.g., building, floor, or room number).	Physical location or sites are integral to how Armis tracks assets.
Owner/Point of contact: The individual or office responsible for the asset’s management, administration, maintenance, and security.	Armis allows you to tag devices with custom Owner data allowing agencies to extend our data for us within their own response and business processes.
Vendor/Manufacturer Information: Details about the vendor or manufacturer (e.g., contact information and support channels.)	Armis collects and reports on the vendor for every hardware, software, and firmware on your network.
Software and Firmware Versions: Where available, record the installed software and firmware versions, including relevant patches or updates applied to the asset.	Armis collects and normalizes the full inventory of software and firmware running on every device it discovers. The Armis Asset Intelligence is our secret solution..
Network Connectivity, Integrations and API Information: Include any static IP addresses and interconnective communication with other devices (e.g., uncommon ports, protocols).	Not only can Armis collect IPv4 and IPv6 addressing, as well as identify what protocols IT and IoT devices are running, but Armis can also visually map the relationships and communications between devices.
Security Controls: Describe alignment to requirements and controls, such as NIST SP 800-213, SP 800-82, SP 800-53, and other standards and protocols.	Armis implements value packages to organize your data into audit-specific views such as CSF, NIST 800-53, etc.

 

A Fully Realized Inventory Enables All Parts of the Organization

A trustworthy inventory is critical. A comprehensive and trustworthy inventory maintained in real time is game changing. Having the ability to apply mission context and risk to this inventory, and automate cyber actions through clear, policy-based triggers is absolutely next level. Armis not only lets agencies collect, classify, and track assets, but supports risk profiling for every asset.

Imagine doing away with data calls and spreadsheets. Imagine operations, cyber, audit and policy all leveraging the same consolidated dataset. Imagine that this data set is built and deduplicated from their own tools and resources. Imagine including IoT system owners and operators in this process non-disruptively. Imagine all these organizations collaborating on risk and priority discussions leveraging a prioritized list of systems and assets they recognize, trust, and agree on. True, FISMA aligned risk management over IoT and IT is what Armis can deliver to Federal agencies. Regardless of size. Not in a year, but in weeks.