While the CDM program is already used by several agencies, including the Department of Veterans Affairs, the Small Business Administration and the Department of Health and Human Services, CISA's new BOD goes a step further by requiring all federal civilian agencies to take specific asset discovery and vulnerability enumeration steps by specific dates.
By April 3, for instance, all agencies must have processes in place to perform automated asset discovery every seven days and vulnerability enumeration across all discovered assets every 14 days. Reporting this data is also a key component of the directive: CISA hopes to get a fuller picture of the security posture of the U.S. government as a whole by better measuring the assets, and the flaws associated with them, across agencies' infrastructure. Agencies are required to record their vulnerability enumeration results in the CDM agency dashboard and to collect and report performance data.
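The two cadences the directive sets (discovery at least every seven days, enumeration of every discovered asset at least every 14 days) are easy to state and easy to drift out of, because the discovery and scanning tools usually keep separate records. The script below is an added example, not code from the article or from CISA, that reconciles the two: it checks the spacing between discovery runs and, for every asset in the most recent discovery run, whether vulnerability enumeration has covered it within the window. The run records are constructed sample data, and the column layout is an assumption about what an inventory or scanner export might look like.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the article). One row per run, as an
# inventory or scanner export might present them: (ISO timestamp, asset ids).
DISCOVERY_RUNS = [
    ("2023-03-01T02:00:00", {"10.0.0.5", "10.0.0.6", "10.0.0.7"}),
    ("2023-03-08T02:00:00", {"10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.9"}),
    ("2023-03-17T02:00:00", {"10.0.0.5", "10.0.0.6", "10.0.0.9"}),  # 9 days late
]
ENUMERATION_RUNS = [
    ("2023-03-02T03:00:00", {"10.0.0.5", "10.0.0.6", "10.0.0.7"}),
    ("2023-03-16T03:00:00", {"10.0.0.5"}),  # 10.0.0.6 silently dropped out of scope
]

DISCOVERY_MAX_GAP = timedelta(days=7)    # "automated asset discovery every seven days"
ENUMERATION_MAX_AGE = timedelta(days=14)  # "vulnerability enumeration ... every 14 days"


def _parse(ts):
    return datetime.fromisoformat(ts)


def discovery_gaps(runs, max_gap=DISCOVERY_MAX_GAP):
    """Return (start, end, days) for consecutive discovery runs spaced further
    apart than max_gap. A gap of exactly max_gap is still compliant."""
    times = sorted(_parse(ts) for ts, _ in runs)
    return [
        (a.isoformat(), b.isoformat(), (b - a).days)
        for a, b in zip(times, times[1:])
        if b - a > max_gap
    ]


def enumeration_findings(discovery_runs, enumeration_runs, as_of, max_age=ENUMERATION_MAX_AGE):
    """Take the asset set from the most recent discovery run and report assets
    that have never been enumerated, or whose last enumeration is older than
    max_age relative to `as_of` (ISO timestamp). Assets that dropped out of
    discovery are ignored: they are not in the current inventory."""
    now = _parse(as_of)
    latest_discovery = max(discovery_runs, key=lambda r: _parse(r[0]))
    current_assets = latest_discovery[1]

    # Most recent enumeration time per asset, across all runs.
    last_enumerated = {}
    for ts, assets in enumeration_runs:
        t = _parse(ts)
        for asset in assets:
            if asset not in last_enumerated or t > last_enumerated[asset]:
                last_enumerated[asset] = t

    never, stale = [], []
    for asset in sorted(current_assets):
        if asset not in last_enumerated:
            never.append(asset)
        elif now - last_enumerated[asset] > max_age:
            stale.append(asset)
    return {"never_enumerated": never, "stale": stale}


if __name__ == "__main__":
    for start, end, days in discovery_gaps(DISCOVERY_RUNS):
        print(f"discovery gap of {days} days between {start} and {end}")
    findings = enumeration_findings(DISCOVERY_RUNS, ENUMERATION_RUNS, "2023-03-18T00:00:00")
    print("never enumerated:", findings["never_enumerated"])
    print("enumeration older than 14 days:", findings["stale"])
```

Two design points matter in practice. First, the check is keyed on the latest discovery run, not on the union of everything ever seen, so decommissioned hosts do not generate perpetual noise; if you want to catch hosts that vanish from discovery while still answering on the network, that is a separate comparison. Second, "enumerated" is recorded per asset, not per run: a scan job that completed but skipped a host (credential failure, host down, scope drift) is exactly the case the 14-day window is meant to surface, and a run-level "scan succeeded" flag would hide it.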
Jonathan Reiber, vice president for Cybersecurity Strategy and Policy at AttackIQ, said the directive is a good requirement for agencies to better understand their assets and represents one of the key building blocks of the Biden administration’s Executive Order strategy from last year.
“In general, I’m very supportive of organizations conducting continuous assessments of the assets they have in their inventory,” he said. “Organizations often don’t know what they have across their infrastructure… That lack of a clear perception of their asset topology leaves them vulnerable to all types of risk.”
As with other BODs (security requirements that CISA issues to federal civilian executive branch agencies), CISA hopes this latest directive will set a precedent for the private sector to follow, even though it does not apply to private organizations. Under a BOD last year, for instance, CISA built a catalog of known exploited vulnerabilities that federal agencies must remediate, and made the catalog public in the hope that private-sector firms would apply the patches as well.
“While this Directive applies to federal civilian agencies, we urge all organizations to adopt the guidance in this directive to gain a complete understanding of vulnerabilities that may exist on their networks,” said Easterly. “We all have a role to play in building a more cyber resilient nation.”