CISA Releases A Binding Operational Directive To Improve Asset Visibility & Vulnerability Detection On Federal Networks

Yesterday, CISA (the Cybersecurity and Infrastructure Security Agency) released a Binding Operational Directive (BOD) aimed at improving asset visibility and vulnerability detection on federal networks. The mandate directs agencies to perform automated asset discovery every seven days, and to identify and report suspected vulnerabilities on those assets every 14 days. Here’s what a binding operational directive means:

A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems. 44 U.S.C. § 3552(b)(1). Section 3553(b)(2) of title 44, U.S. Code, authorizes the Secretary of the Department of Homeland Security (DHS) to develop and oversee the implementation of binding operational directives. Federal agencies are required to comply with these directives. 44 U.S.C. § 3554(a)(1)(B)(ii). These directives do not apply to statutorily defined “national security systems” or to certain systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(b), (d), (e)(2), (e)(3). This directive refers to the systems to which it applies as “Federal Civilian Executive Branch” systems, and to agencies operating those systems as “Federal Civilian Executive Branch” agencies.

Is this a good thing or a waste of time? To answer that question, I have gathered some commentary from three experts in the space.

Liran Tancman, CEO and co-founder of Rezilion, is one of the founders of the Israeli cyber command and spent a decade in Israel’s intelligence corps. Here’s what he had to say:

It will require a critical look at current tools and strategies and, in many agencies and organizations, an investment in dollars to update technology and processes. Agencies need the right tools for vulnerability detection and prioritization, and they need automated technology for remediation of those vulnerabilities so that they can be focused on more mission-critical objectives. Critical infrastructure in particular often operates with older, legacy technologies that cannot properly defend against modern day threats. With tight budgets, federal agencies and critical infrastructure organizations will need to do some reevaluation of where their time and dollars are allocated if they want to truly be able to manage risk today.

Going back to my comment about legacy technology, government agencies and critical infrastructure organizations are often behind when it comes to the tools they are using. But this establishes baseline requirements for agencies to use in identifying assets and vulnerabilities, and in order to accomplish that these types of organizations will need to invest in creating and using a Software Bill of Materials (SBOM) with dynamic capabilities so that they can see real-time changes in their assets. And they need to combine the SBOM and VEX and get the actual risk present in their environment. VEX is a machine-readable artifact that tells you which vulnerable components in an environment are actually exploitable. The objective of the VEX is to provide information for organizations to use and prioritize their remediation efforts. This contextualization is provided by the software vendor with a machine-readable artifact with justification values of why a particular component is not affected by a specific vulnerability and therefore not exploitable. Organizations should use a Dynamic SBOM that combines a real-time SBOM and the VEX.
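The SBOM-plus-VEX triage described above, as an added example that is not part of this article or of any vendor's product. It assumes a scanner has already matched SBOM components to vulnerability ids; the component names, versions, CVE-style ids and VEX statements are constructed placeholders, while the five "not_affected" justification labels are the ones CSAF VEX and OpenVEX define. A VEX claim is honoured only when it carries a recognised justification and matches the exact version in the current SBOM, so a stale document cannot silently suppress a finding.

```python
from dataclasses import dataclass

# The five "not_affected" justification labels defined by CSAF VEX / OpenVEX.
VALID_JUSTIFICATIONS = {
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path", "inline_mitigations_already_exist",
    "vulnerable_code_cannot_be_controlled_by_adversary",
}

@dataclass(frozen=True)
class Finding:          # one scanner hit: vulnerability id + SBOM component
    vuln_id: str
    component: str
    version: str

def actual_risk(sbom, findings, vex):
    """sbom: {component: version} from the current SBOM; findings: scanner hits;
    vex: dicts with vuln_id/component/version/status/justification. Returns the
    findings that still need remediation."""
    exploitable = []
    for f in findings:
        # Stale finding: the live SBOM no longer has this exact version.
        if sbom.get(f.component) != f.version:
            continue
        stmt = next((s for s in vex if s["vuln_id"] == f.vuln_id
                     and s["component"] == f.component
                     and s["version"] == f.version), None)
        if stmt and stmt["status"] == "fixed":
            continue
        # Honour not_affected only with a recognised justification; an
        # unjustified claim is not evidence, so the finding stays.
        if (stmt and stmt["status"] == "not_affected"
                and stmt.get("justification") in VALID_JUSTIFICATIONS):
            continue
        exploitable.append(f)
    return exploitable

# Constructed sample data: placeholder component names and CVE-style ids.
SBOM = {"libfoo": "1.2.0", "libbar": "3.0.1", "libbaz": "0.9.0"}
FINDINGS = [Finding("CVE-0000-0001", "libfoo", "1.2.0"),
            Finding("CVE-0000-0002", "libbar", "3.0.1"),
            Finding("CVE-0000-0003", "libbar", "2.9.0"),   # not deployed
            Finding("CVE-0000-0004", "libbaz", "0.9.0")]
VEX = [{"vuln_id": "CVE-0000-0001", "component": "libfoo", "version": "1.2.0",
        "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
       {"vuln_id": "CVE-0000-0002", "component": "libbar", "version": "3.0.1",
        "status": "not_affected", "justification": "vendor says trust us"},
       {"vuln_id": "CVE-0000-0004", "component": "libbaz", "version": "0.9.0",
        "status": "affected"}]

def demo():             # -> ['CVE-0000-0002', 'CVE-0000-0004']
    return [f.vuln_id for f in actual_risk(SBOM, FINDINGS, VEX)]
```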

Next is Danielle Jablanski, a nonresident fellow at the Cyber Statecraft Initiative under the Atlantic Council’s Digital Forensic Research Lab (DFRLab) and an OT cybersecurity strategist at Nozomi Networks:

There is a constant drum beat of industry experts reflecting on government guidance, standards, and recommendations for cybersecurity that stipulates the federal government must do more to walk the walk on building resilience within federal systems and federal technologies before mandating industries to do better. This directive is a step in exactly that direction.

Threat actors targeting OT and ICS seek to craft the perfect concoction of capabilities and vulnerabilities that will cause disruption or damage to their target. They can be opportunistic, highly tailored, or a mixture of both.

The directive is crucial for two reasons. First, if network activity is not monitored in real time, the status of assets is largely unknown, and whether they have vulnerabilities or not these assets cannot be protected without the necessary visibility into their day-to-day functionality.

Second, vulnerabilities are not all the same; the degree to which vulnerabilities impact integrity and availability of systems varies by technology, deployment, configuration, and environment.

The highly anticipated CISA cross-sector cyber performance goals (CPGs) are another step in the right direction, to help owners and operators of critical infrastructure prioritize and implement the NIST Cybersecurity Framework.

It will also provide a benchmark or starting point for industry to self-evaluate their own cybersecurity practices and program maturity, prioritizing based on technology scope, costs, impact, and complexity.

Finally, I have a comment from Ron Brash, VP Technical Research & Integrations at aDolus. He is a household name when it comes to ICS/OT cybersecurity and embedded vulnerability research:

This is stating the obvious, but the #1 resource that civilian agencies will need to be able to comply with the CISA directive is a solid deployment plan and enough staff (or contractors) to enact that plan. Assuming that is in place (a big assumption), the agencies will need to purchase and deploy the tools that can perform regular automated asset discovery scans and interpret the results from these scans. The initial effort to do this is never trivial, as building an accurate IT asset list almost always requires a lot of gumshoeing to correlate the results reported by the tools with what is actually in place. That said, it is a worthwhile endeavor as if you don’t know what you are actually trying to protect, it is hard to protect it. Plus, once the basics are done, it is much easier to keep your assets list up to date.

The real challenge will be the requirement to perform vulnerability scans “across all discovered assets, including all nomadic/roaming devices (e.g., laptops), every 14 days.” Again there are lots of tools available, but they tend to be focused on IT assets, not OT or IoT assets. As a result, agencies will likely run into a “Pareto Problem” — common IT assets like servers and workstations (the 80%) will be easy (20% effort), but then all the remaining non-traditional assets will take 80% of the effort. With the explosion in both OT and IoT products in the last decade, few agencies will escape this pain: think security cameras, badge readers, HVAC systems, and even soft drink machines as connected devices that will take a lot of effort to scan safely and reliably. Agencies with OT assets (such as air, water, or land monitoring and management) will have an even tougher time. 

This publication is a first step towards enforcing cybersecurity vigilance on connected assets. Even though software supply chain security and SBOMs are a core portion of Executive Order 14028, they are only mentioned in the background section in this guidance. In fact the Q&A section is telling: “Q: Why does the directive reference the software bill of materials (SBOM) in the Background section but not in subsequent sections?

A: SBOM is mentioned in the introduction to convey the Administration’s vision and describe our desired state in the long term. The directive focuses on very specific first steps that can be achieved within the next 6-12 months and are prerequisites for broader adoption of SBOM. Without comprehensive asset management, agencies will be unable to effectively use SBOMs to manage risk posed by asset components or libraries.”

SBOMs will require new tools to take advantage of all the new security capabilities they offer. They are also likely to expose a tsunami of previously unknown (but dangerous) vulnerabilities that will need immediate attention by staff. Those responsible for complying with this Operational Directive are getting an early warning from CISA: “SBOMs are becoming a mandatory security requirement in the next year so get your house in order now.”

So it sounds like all of these experts agree that this is a step in the right direction. But it’s one step on a longer journey that will hopefully make us all safer as a result.
