CISA orders federal agencies to regularly perform IT asset discovery, vulnerability enumeration
2022-10-05 11:17

A new directive issued by the Cybersecurity and Infrastructure Security Agency is ordering US federal civilian agencies to perform regular asset discovery and vulnerability enumeration, to better account for and protect the devices that reside on their networks.

"Over the past several years, CISA has been working urgently to gain greater visibility into risks facing federal civilian networks, a gap made clear by the intrusion campaign targeting SolarWinds devices," the agency said, explaining the impetus for Binding Operational Directive 23-01.

Initiate vulnerability enumeration across all discovered assets, including "Roaming" devices, every 14 days.

Develop and maintain the capability to initiate on-demand asset discovery and vulnerability enumeration to identify specific assets or subsets of vulnerabilities, when requested to do so by CISA.

A step in the right direction.

"Discovery of assets and vulnerabilities can be achieved through a variety of means, including active scanning, passive flow monitoring, querying logs, or in the case of software defined infrastructure, API query. Many agencies' existing Continuous Diagnostics and Mitigation implementations leverage such means to make progress toward intended levels of visibility," CISA added.

CISA Director Jen Easterly also added that, while this Directive applies to federal civilian agencies, all organizations should think about building their own asset discovery and vulnerability enumeration capabilities.


News URL

https://www.helpnetsecurity.com/2022/10/05/cisa-asset-discovery-vulnerability-enumeration/