Earlier this month, the federal government’s Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 23-01: Improving Asset Visibility and Vulnerability Detection on Federal Networks. The directive applies to all Federal Civilian Executive Branch systems and the agencies operating those systems. CISA states that their directive is an effort to make more measurable progress toward enhancing visibility into agency assets and associated vulnerabilities. It also comes on the heels of the recent White House proclamation on Cybersecurity Awareness Month.
The measure is a significant move toward improving the federal government’s cybersecurity posture, and here at Censys, we’re in full support.
The directive acknowledges what we’ve long known to be true – that “continuous and comprehensive asset visibility is a basic precondition for any organization to effectively manage cybersecurity risk.” The NIST Cybersecurity Framework lists ‘Identify’ as the first step in securing any organization, for without proper identification of owned assets, it’s impossible to ascertain priority of said assets to the organization’s mission/purpose. Attack Surface Management is the effort that allows for this “continuous” asset visibility. Security teams need to operate with a full understanding of their entire external attack surface, which includes assets the team may not be aware of.
Taking action with Attack Surface Management
By April 3, 2023, affected federal agencies and systems will need to perform an automated asset discovery every 7 days. Discovery must cover all IPv4-based assets. While CISA’s directive doesn’t dictate the specific asset discovery tools to be used, to meet the requirement agencies will benefit from continuous, comprehensive scanning that can also provide context via attribution and risk annotation. In doing so, agencies can both identify unknown assets in real time and make sense of what they’ve found with the help of a tool’s attribution algorithm. Having an accurate discovery process saves significant time and resources for overburdened technical staff who would otherwise need to manually scan for assets using the same unmodified methodologies. With an automated scan algorithm, real-time data that covers all 65K+ports across 99% of the IPv4 space is enriched daily, in a matter of minutes.
The Censys Attack Surface Management Platform offers the end-to-end, continuous asset discovery of the entire IPv4 space that can help agencies meet the directive’s requirement. In fact, a recent report from GreyNoise found that Censys had significantly faster and more robust scanning capabilities than any other internet-wide scanning tool.
Censys’s Attack Surface Management Platform can help agencies achieve their mission faster, with fewer people. For example, with just a limited amount of seeds input, the platform can discover 80% of an unknown attack surface, with daily refreshes. Additionally, the platform’s ability to “click to rescan” is a quick, technical way to verify configuration remediations.
Considering vulnerability enumeration and integrations
To meet the directive’s second requirement, agencies will need to initiate vulnerability enumeration across all discovered assets, including all nomadic/roaming assets (like laptops). This means running scans on targeted assets to identify vulnerabilities every 14 days, per the directive. ASM platforms can serve as logical complements to vulnerability management tools. Censys ASM’s asset discovery and monitoring can help agencies better identify which assets to target (importantly, by discovering unknown assets that should be scanned for vulnerabilities) and flag potential risks. Censys ASM’s Rapid Response capabilities eliminate a customer’s need to maintain their own vulnerability catalog, or worry about whether it’s been updated with the latest zero-day or hair-on-fire CVE. Customers simply have to search software issues on the platform; Censys takes care of automating the process so that customers can triage remediation and patching.
When assessing new tools, agencies will also want to consider integration capabilities. Will your attack surface management platform be able to talk to your vulnerability management tool? Integrations can make gaining a holistic view of your security status as easy as possible – which is especially important given CISA’s reporting requirements and timelines.
Looking beyond federal implications
The new CISA directive may be an operational requirement for certain federal agencies, but the principles behind the directive are relevant to organizations across industries. Gaining a clear, comprehensive picture of your external attack surface – and seeing what potential attackers see – is essential for effective, proactive cybersecurity.
“Threat actors continue to target our nation’s critical infrastructure and government networks to exploit weaknesses within unknown, unprotected, or under-protected assets,” said CISA Director Jen Easterly. “Knowing what’s on your network is the first step for any organization to reduce risk. While this directive applies to federal civilian agencies, we urge all organizations to adopt the guidance in this directive to gain a complete understanding of vulnerabilities that may exist on their networks. We all have a role to play in building a more cyber resilient nation.” – CISA.gov
You can find more information about all of BOD 23-01’s requirements on CISA’s website.
Check out Censys for Federal to learn more about how Censys supports Federal agencies’ cybersecurity efforts.