CISA Sets Deadlines for Agency Cybersecurity Vulnerability Detection Efforts

Published: October 06, 2022


The lead federal cybersecurity agency has given civilian agencies six months to implement IT asset and vulnerability discovery processes.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new Binding Operational Directive (BOD) that directs federal civilian agencies to better account for what resides on their networks: BOD 23-01, Improving Asset Visibility and Vulnerability Detection on Federal Networks.

The latest CISA directive continues to address Endpoint Detection and Response (EDR) and Continuous Diagnostics and Mitigation (CDM) program elements of the 2021 White House Executive Order on Improving the Nation’s Cybersecurity (EO 14028).

According to the CISA announcement, the new BOD “takes the next step by establishing baseline requirements for all Federal Civilian Executive Branch (FCEB) agencies to identify assets and vulnerabilities on their networks and provide data to CISA on defined intervals.”

Required Agency Actions

By April 3, 2023, all FCEB agencies are required to take the following actions on all federal information systems (emphasis added):

  • Perform automated asset discovery every 7 days covering the agency’s entire Internet Protocol, version 4 (IPv4) space, at a minimum.
  • Initiate vulnerability discovery and enumeration across all discovered assets in the enterprise every 14 days, including all roaming devices (e.g., laptops and mobile devices). Agencies where this process may not complete in 14 days are to scan at regular intervals to ensure all systems are scanned within this window. Vulnerability scans must be conducted with privileged credentials when possible. All vulnerability detection signatures must be updated within 24 hours of release by vendors.
  • Initiate automated ingestion of detected vulnerability enumeration results into the CDM Agency Dashboard within 72 hours of discovery completion.
  • Develop and maintain the capability to initiate on-demand asset discovery and vulnerability enumeration within 72 hours of request from CISA and provide the results within 7 days.

CDM Program Updates

CISA will work with agencies to integrate vulnerability data into the CDM Dashboard to automate oversight and monitoring of agency scanning performance through the following actions (emphasis added):

  • CISA will publish data requirements for agencies to provide machine-level vulnerability enumeration performance data by April 3, 2023.
  • Agencies will then have 6 months to initiate the collection and reporting of vulnerability enumeration performance data to the CDM Dashboard.
  • The CDM program will deploy an updated CDM Dashboard configuration that enables access to object-level vulnerability enumeration data for CISA analysts by April 3, 2023.  

Reporting Requirements

Agencies are required to report to CISA in six-month intervals on their progress and work with CISA to resolve impediments to meeting the requirements. Further, CISA will report quarterly progress to the Office of Management and Budget (OMB) and annually to the Homeland Security Secretary, the National Cyber Director and OMB on the cross-agency status, agency performance indicators, and outstanding implementation issues.

CISA included an Implementation Guidance document to answer the most common questions asked by federal agencies as they implement the new BOD.

Implications

CISA acknowledges the role that technology and practices play in achieving the objectives. Throughout the directive, CISA notes that meeting requirements may be accomplished through “many methods and technologies,” or that some elements may be achieved “where available technologies support it” or “where technically feasible.” CISA also pledges to “provide technical and program assistance” to agencies upon request to help them achieve success.

This all points to potential challenges and opportunities where agencies may benefit from innovative methodologies, new technology solutions and support services from their industry partners.