CISA orders US federal agencies to improve network oversight


The US cyber security authority CISA has issued a binding directive. Under it, all federal agencies must regularly examine their networks.


The US cyber security authority CISA wants to improve network security at the country's federal agencies. To this end, it has issued a directive that requires US federal agencies to inventory their networks regularly, every six months, and to examine the connected systems for weaknesses.


CISA explains that a continuous and comprehensive overview of devices is a basic requirement for the risk management of any organization. The aim of the directive is to gain a better overview of devices in government networks and of the vulnerabilities associated with them. The order applies to civilian federal agencies and federal government systems.

The focus is on device detection and vulnerability analysis, it said. CISA does not prescribe any specific tools or applications. However, government agencies can seek help from CISA, which then offers technical and programmatic support to close gaps, optimize scanning and finally implement the measures required by the directive.

The inventory of devices and vulnerabilities can be built in different ways, for example through active scanning, passive monitoring of data streams, querying logs or, in the case of software-defined infrastructure, API queries. The existing Continuous Diagnostics and Mitigation (CDM) implementations at numerous agencies already use such means to achieve the desired visibility.
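As an added illustration of the passive, log-based inventory route mentioned above (this is example code, not CISA's or any CDM product's), the following builds a device inventory by merging DHCP lease events with an ARP table dump. The log line formats, hostnames, addresses and MAC addresses are constructed for the example; a real deployment would adapt the two regular expressions to its own sources.

```python
"""Passive asset inventory from DHCP-lease and ARP-cache log lines.

Added example with constructed inputs; the line formats are assumptions,
not the output of any particular DHCP server or switch.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed sample data: a dnsmasq-style DHCPACK log and an ARP table dump.
DHCP_LOG = """\
2023-03-01T08:00:12Z DHCPACK 10.20.1.15 aa:bb:cc:00:11:22 finance-lt-07
2023-03-01T08:05:40Z DHCPACK 10.20.1.16 aa:bb:cc:00:11:33 hr-printer
2023-03-01T09:10:03Z DHCPACK 10.20.1.15 aa:bb:cc:00:11:22 finance-lt-07
"""
ARP_DUMP = """\
2023-03-01T09:30:00Z 10.20.1.16 aa:bb:cc:00:11:33
2023-03-01T09:30:00Z 10.20.1.250 aa:bb:cc:00:99:99
"""

DHCP_RE = re.compile(r"^(?P<ts>\S+) DHCPACK (?P<ip>\S+) (?P<mac>\S+) (?P<host>\S+)$")
ARP_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<mac>\S+)$")


@dataclass
class Asset:
    """One device, keyed by MAC address, merged from all passive sources."""
    mac: str
    ips: Set[str] = field(default_factory=set)
    hostname: Optional[str] = None
    sources: Set[str] = field(default_factory=set)
    last_seen: Optional[datetime] = None


def _parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def build_inventory(dhcp_text: str, arp_text: str) -> Dict[str, Asset]:
    """Merge DHCP and ARP observations into one inventory keyed by MAC."""
    assets: Dict[str, Asset] = {}

    def observe(mac: str, ip: str, ts: datetime, source: str,
                host: Optional[str] = None) -> None:
        asset = assets.setdefault(mac.lower(), Asset(mac=mac.lower()))
        asset.ips.add(ip)
        asset.sources.add(source)
        if host:
            asset.hostname = host
        # Keep the most recent sighting so stale entries can be aged out later.
        if asset.last_seen is None or ts > asset.last_seen:
            asset.last_seen = ts

    for line in dhcp_text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            observe(m["mac"], m["ip"], _parse_ts(m["ts"]), "dhcp", m["host"])
    for line in arp_text.splitlines():
        m = ARP_RE.match(line)
        if m:
            observe(m["mac"], m["ip"], _parse_ts(m["ts"]), "arp")
    return assets


def unnamed_assets(assets: Dict[str, Asset]) -> List[str]:
    """MACs seen only in ARP with no DHCP hostname: devices the inventory
    cannot yet attribute, which is where follow-up (active scan) starts."""
    return sorted(mac for mac, a in assets.items() if a.hostname is None)


if __name__ == "__main__":
    inventory = build_inventory(DHCP_LOG, ARP_DUMP)
    for mac, asset in sorted(inventory.items()):
        print(mac, asset.hostname, sorted(asset.ips), sorted(asset.sources), asset.last_seen)
    print("unattributed:", unnamed_assets(inventory))
```

The merge keys on MAC rather than IP because leases move between addresses; the unattributed list is what turns passive visibility into the gap list the directive wants closed.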

Visibility of devices is not an end in itself, but a prerequisite for updates, configuration management and other security and lifecycle management activities that reduce cyber security risk. It is also the basis for urgently required actions such as remediating vulnerabilities.

The cyber security authority CISA has listed the requirements for the agencies subject to the directive. By April 3, 2023, all agencies must have carried out certain actions or developed certain capabilities on all federal information systems.

Agencies must perform an automated device discovery scan every seven days. This can be done using a variety of methods and techniques, but the analysis must at least cover the agency's entire IPv4 address space. A vulnerability scan across all detected devices, including mobile devices such as laptops, must be initiated every 14 days. Wherever possible, vulnerability scans should be performed with privileged access on devices such as servers, workstations, desktops, laptops, routers, switches, firewalls, and so on.

The vulnerability scanner's signatures must not be older than 24 hours at the time of the scan. Wherever the capability is available, vulnerability scans should also be performed in the same way on Android and iOS devices and on other devices located outside the agency network. Alternative inventory and vulnerability assessment methods must be approved by CISA.

Agencies must transfer the results of vulnerability checks to the CDM Agency Dashboard no later than 72 hours after the scan has been completed, or initiate a new analysis run if the previous one has not been completed. In addition, agencies must be able, on request from CISA, to initiate an inventory and vulnerability assessment run to identify specific devices or vulnerabilities within 72 hours of receiving the request, and to submit the results within seven days of the request.
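The cadence requirements spelled out in the preceding paragraphs (discovery every seven days, vulnerability scans every 14 days, signatures no older than 24 hours at scan time, results to the dashboard within 72 hours of completion, and ad hoc runs initiated within 72 hours and reported within seven days of a request) are easy to state and easy to drift from. The following added example, which is not CISA's or the CDM dashboard's own logic, turns them into a self-check that an agency could run against its own scan records. The record structure and timestamps are constructed for the example.

```python
"""Cadence self-check for asset discovery and vulnerability scanning.

Added example; the ScanState record and RequestState record are assumed
shapes for an agency's own scan bookkeeping, not a CDM data model.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Deadlines as stated in the directive summary above.
DISCOVERY_MAX = timedelta(days=7)        # automated device discovery
VULN_SCAN_MAX = timedelta(days=14)       # vulnerability scan initiation
SIGNATURE_MAX_AGE = timedelta(hours=24)  # scanner signature age at scan time
REPORT_DEADLINE = timedelta(hours=72)    # results to dashboard after completion
REQUEST_INITIATE = timedelta(hours=72)   # start an ad hoc run after a CISA request
REQUEST_SUBMIT = timedelta(days=7)       # submit ad hoc results after the request


@dataclass
class ScanState:
    last_discovery: Optional[datetime]
    vuln_scan_started: Optional[datetime]
    vuln_scan_completed: Optional[datetime]    # None while the run is still open
    signature_updated: Optional[datetime]      # signature set used by that run
    reported_to_dashboard: Optional[datetime]  # None if not yet uploaded


@dataclass
class RequestState:
    requested_at: datetime
    initiated_at: Optional[datetime]
    submitted_at: Optional[datetime]


def check_cadence(now: datetime, s: ScanState) -> List[str]:
    """Return the list of recurring-cadence requirements that are not met."""
    findings: List[str] = []
    if s.last_discovery is None or now - s.last_discovery > DISCOVERY_MAX:
        findings.append("device discovery older than 7 days")
    if s.vuln_scan_started is None or now - s.vuln_scan_started > VULN_SCAN_MAX:
        findings.append("vulnerability scan not initiated within 14 days")
    if (s.vuln_scan_started is not None and s.signature_updated is not None
            and s.vuln_scan_started - s.signature_updated > SIGNATURE_MAX_AGE):
        findings.append("scanner signatures older than 24 hours at scan start")
    if s.vuln_scan_completed is not None:
        # Results are due 72 h after completion; an unfinished run is instead
        # expected to be restarted, so it is not judged here.
        deadline = s.vuln_scan_completed + REPORT_DEADLINE
        effective = s.reported_to_dashboard if s.reported_to_dashboard is not None else now
        if effective > deadline:
            findings.append("results not reported within 72 hours of scan completion")
    return findings


def check_request(now: datetime, r: RequestState) -> List[str]:
    """Return the ad hoc request deadlines that are overdue or were missed."""
    findings: List[str] = []
    # A missing timestamp is judged against 'now': not late yet, or overdue.
    initiated = r.initiated_at if r.initiated_at is not None else now
    if initiated > r.requested_at + REQUEST_INITIATE:
        findings.append("requested run not initiated within 72 hours")
    submitted = r.submitted_at if r.submitted_at is not None else now
    if submitted > r.requested_at + REQUEST_SUBMIT:
        findings.append("requested results not submitted within 7 days")
    return findings


if __name__ == "__main__":
    now = datetime(2023, 4, 3, 12, 0)  # constructed reference time
    state = ScanState(
        last_discovery=now - timedelta(days=9),
        vuln_scan_started=now - timedelta(days=20),
        vuln_scan_completed=now - timedelta(days=19),
        signature_updated=now - timedelta(days=22),
        reported_to_dashboard=None,
    )
    for f in check_cadence(now, state):
        print("FINDING:", f)
```

Comparing the signature timestamp against the scan's start rather than against the current time is deliberate: the requirement is about freshness when the scan ran, and a later signature update does not retroactively fix a stale scan.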

CISA recognizes that in some cases agencies are unable to provide a full vulnerability scan across the organization in this timeframe. However, the analysis process must be started within this period, as any available results provide CISA and the agencies with situational insight into imminent threats.

CISA also expressly recommends such scans and practices to IT managers at organizations not covered by the directive. They should review the directive and implement and update the proposed standards. This strengthens the organization's cyber resilience through device management and vulnerability detection.