New CISA Directive Reiterates Need for Cyber Modernization
A recent Biden Administration cyber directive highlighted hundreds of known exploited vulnerabilities that carry significant risk to U.S. federal information systems. The directive gave agencies until 2 January 2022 to review and update internal vulnerability management procedures and resolve the vulnerabilities.
The Binding Operational Directive, released by the Cybersecurity and Infrastructure Security Agency (CISA) in November, required U.S. federal government agencies to patch known vulnerabilities from 2021 within two weeks and to improve efforts to keep cyber threats and attacks from infiltrating the federal enterprise.
Although agencies worked to meet these federal standards within the required timeframe, vulnerability gaps will persist, as shown a month later by the vulnerability in Log4j, the widely used Java logging library. This incident is a critical reminder of the importance of comprehensive endpoint visibility and control.
We cannot adequately predict where the next vulnerability will present itself, so agencies must be empowered to perform ad-hoc searches in addition to maintaining effective cyber hygiene. Agencies that have these basics in place before an incident occurs are in a better position to prevent damage being done or minimize its impact.
Now that the deadline to review and update internal vulnerability management procedures has passed, agencies will lean on their private sector mission partners to continue to assess and resolve risks as they arise—and the government contracting community must likewise take the same steps within their own organizations.
“We’ve seen directives like this before, and we will likely see them in the future,” said Ash Carter, director of the Belfer Center for Science and International Affairs at Harvard Kennedy School and former U.S. secretary of defense, in a statement. “Often, IT and security administrators will scramble to combine data sets across teams and locations—compressing months of work into hours and resulting in inaccurate and unreliable data. It’s critical that organizations develop the capacity to nimbly and accurately respond to requests like this without it being a fire drill so that they can always meet mission objectives, let alone CISA’s guidance.”
One key to success is finding ways to improve threat visibility with a comprehensive picture of everything on the network—including using automation, as the needed level of visibility is otherwise impossible.
Mission partners play an important role in helping federal agencies assess risk (particularly known vulnerabilities) and identifying their high-value assets—and taking these same steps within their own organizations.
“Organizations of all sizes are constantly under attack and need to measurably reduce their risk exposure. The overwhelming majority of that exposure comes from known vulnerabilities,” said Anthony Belfiore, chief security officer at Aon, in a statement. “The ability to find and fix vulnerabilities in real-time is increasingly critical as exploits are being developed and weaponized more quickly than ever before.”
So, what can organizations do to safeguard data and combat potential threats?
Data is being created, collected, and stored every second. Each new artifact adds to the ever-growing store of intellectual property and personal information that must be secured and monitored. As a result, IT teams have more data than ever before subject to an increasingly stringent patchwork of regulations and business requirements.
Given this urgency around securing federal networks, companies should treat this Binding Operational Directive as applicable to all, regardless of sector.
The time to act on our cybersecurity processes is now. Here are a few things federal mission partners and agencies alike can do to improve their cyber defenses:
- Adopt zero trust architecture and/or a multifactor authentication security model.
- Conduct tool rationalization and other holistic security risk assessments to ensure a strong cyber roadmap and strategy.
- Integrate security and operations teams on a single platform.
- Implement data loss prevention technologies.
- Invest in workforce and skills development to further infrastructure enhancements.
Overall, IT teams need an endpoint management and security platform that gives them the comprehensive real-time visibility and control needed to make critical decisions and take action right now. By following a holistic risk management approach, companies can save time and money and align resources while working to protect personal and sensitive data.
“Organizations need a solution that will query their environment for real-time results, and that allows taking immediate action to patch any vulnerabilities they discover in minutes—not weeks,” said U.S. Air Force Lt. Gen. (Ret.) William Bender, SVP, Strategic Accounts and Government Relations, Leidos, in a statement.
“Essentially, they need a platform that bridges the gap between security and operations and provides a unified view of all endpoints across their enterprise,” Bender said.
The Binding Operational Directive laid out the steps for agencies to close the vulnerability gaps within their enterprise—but to fully achieve this goal, federal IT teams should team up with the private sector to implement cyber tools that enable these protections.
Organizations can’t lean too heavily on traditional vulnerability management tools for finding vulnerabilities like Log4j and those on CISA’s watchlist. To minimize threats, agencies need extensible solutions that analyze configuration strings within files.
Matt Marsden is vice president, Technical Account Management, Federal, Tanium. Marsden is a career cyber professional with more than 24 years of experience working with the federal government. He began his federal service in the United States Navy supporting submarine operations afloat and transitioned to civil service where he supported the U.S. Department of Defense and Intelligence Communities prior to joining Tanium.