On Wednesday, November 3, the Cybersecurity and Infrastructure Security Agency (CISA) announced that they issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities. This directive requires all federal civilian agencies to remediate the vulnerabilities listed in the known exploited vulnerabilities catalog by their respective deadlines. Many vulnerabilities must be remediated by November 17, 2021, and more vulnerabilities may be added to the catalog as time goes on. The goal of the directive is to strengthen the cybersecurity of federal agencies by removing attack vectors that are being actively exploited by cybercriminals and nation-state threat actors. Although the directive officially applies to federal civilian agencies, CISA also recommends state, local, tribal and territorial (SLTT) governments as well as organizations in the private sector to remediate the cataloged vulnerabilities too.
In our article about why federal agencies would benefit from IT asset management, we explain how good IT asset management (ITAM) can help improve the cybersecurity of a federal agency. System sprawl refers to the phenomenon in which an organization’s IT infrastructure grows to the point where some IT assets are undocumented. Undocumented IT assets are also referred to as shadow IT. Shadow IT assets pose a risk to an organization’s cybersecurity because they may contain undocumented vulnerabilities, and you cannot secure an asset if you do not know that it exists. BOD 22-01 applies to all types of IT assets used by a federal agency: hardware, software, internet-facing, non-internet facing, agency-hosted, and third-party hosted assets. Federal agencies should consider keeping inventories of IT assets so that they can identify the ones that need to be secured.
IT asset management goes together with vulnerability management. Proper vulnerability management is not a one-and-done activity; it is the cyclical practice of identifying, prioritizing, remediating, and reporting on vulnerabilities. It must be practiced on a continual basis because IT infrastructures can change over time as assets are introduced and updated, thus introducing new vulnerabilities. Vulnerability management software can come in handy when IT administrators and cybersecurity engineers must work with many assets. Such software is usually capable of scanning networks to find IT assets and identifying potential vulnerabilities within these assets. Scans to identify assets on a network have the added benefit of creating asset inventories that can be helpful for ITAM purposes. Good vulnerability management software also provides the benefits of being able to automate these scans so that vulnerabilities are identified on a continual basis, and to generate reports based on the findings of these scans.
In summary, ITAM and vulnerability management solutions can help federal agencies comply with BOD 22-01. Vulnerability management software can automate the processes of discovering assets and identifying vulnerabilities within them, thus minimizing the need for manual labor in IT infrastructures with hundreds, thousands, or possibly millions of assets. Any federal agency seeking to remediate vulnerabilities within their IT infrastructure should utilize a vulnerability management solution. Ideally, they should also continue to practice vulnerability management to so that federal systems remain secure.