Uncle Sam orders federal agencies to step up scans for govt IT security holes

The US government's Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal civilian agencies to scan for and report software vulnerabilities in their IT systems more frequently under a directive issued this week.

Specifically, the agencies have until April 3, 2023 to automate IT asset discovery every seven days. Per the directive, they can use the method and automation technology of their choice, but at minimum these searches must cover the agencies' entire IPv4 space.

Additionally, these federal organizations must, "to the maximum extent possible," scan for vulnerabilities across all of their assets, including mobile and roaming devices such as phones and laptops, every 14 days. 

They are also required to update all vulnerability detection signatures "at an interval no greater than 24 hours from the last vendor-released signature update." CISA, meanwhile, now has six months to publish details on how exactly agencies should format their scan reports.

(Hopefully in that time CISA will be able to make clear whether agencies should scan for known security bugs or any potential vulnerabilities in deployed software – for now, we presume federal IT staff are expected to scan for known, disclosed flaws.)

Once CISA has published these report requirements, the agencies must, at regular intervals, upload these results of their vulnerability scans to a central continuous diagnostics and mitigation (CDM) dashboard. "This data will allow for CISA to automate oversight and monitoring of agency scanning performance including the measurement of scanning cadence, rigor, and completeness," according to the directive.

In a statement about the directive, CISA cited the SolarWinds supply chain attack as one of the reasons why federal agencies need better visibility across their networks.

"Threat actors continue to target our nation's critical infrastructure and government networks to exploit weaknesses within unknown, unprotected, or under-protected assets," CISA Director Jen Easterly said in a statement. 

"Knowing what's on your network is the first step for any organization to reduce risk," she added. "While this directive applies to federal civilian agencies, we urge all organizations to adopt the guidance in this directive to gain a complete understanding of vulnerabilities that may exist on their networks."

For federal agencies — or any organization wanting a more comprehensive view of threats across their infrastructure — this may mean investing in updated technology and processes to automate detection and vulnerability remediation, according to Liran Tancman, the co-founder of vulnerability management biz Rezilion.

"Critical infrastructure in particular often operates with older, legacy technologies that cannot properly defend against modern day threats," Tancman told The Register. "With tight budgets, federal agencies and critical infrastructure organizations will need to do some reevaluation of where their time and dollars are allocated if they want to truly be able to manage risk today."

He suggests using a Software Bill of Materials (SBOM) with dynamic capabilities so agencies can see real-time changes in their assets. An SBOM, combined with a Vulnerability Exploitability eXchange or VEX (PDF), provides a picture of actual risk in an organization's environment, Tancman said.

"The objective of the VEX is to provide information for organizations to use and prioritize their remediation efforts," he explained. "This contextualization is provided by the software vendor with a machine-readable artifact with justification values of why a particular component is not affected by a specific vulnerability and therefore not exploitable."

• White House to tech world: Promise you'll write secure code – or Feds won't use it
• National Cybersecurity Awareness program 18 years on: Don't click that
• The truth about that draft law banning Uncle Sam buying insecure software
• Homeland Security warns: Expect Log4j risks for 'a decade or longer'

The directive is part of a broader US government-led effort to shore up America's cybersecurity posture, which has been a constant drumbeat during the Biden Administration. 

It also comes at the beginning of National Cybersecurity Awareness Month (NSCAM), which is in its 18th year. "Both the public and private sectors have a role to play in strengthening cybersecurity," President Joe Biden said in a statement to kick off NSCAM.

In a similar vein, both federal and private-sector organizations can better protect their IT systems by following the guidance in CISA's directive, according to Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks.

"The directive is crucial for two reasons," Jablanski told The Register. "First, if network activity is not monitored in real time, the status of assets is largely unknown, and whether they have vulnerabilities or not these assets cannot be protected without the necessary visibility into their day-to-day functionality."

"Second, vulnerabilities are not all the same, the degree to which vulnerabilities impact integrity and availability of systems varies by technology, deployment, configuration, and environment," she continued, adding that the federal government's example on how to build resiliency is a "step in the right direction." ®