The Cybersecurity & Infrastructure Security Agency (CISA) released important information last month requiring federal agencies to account for a complete inventory of assets and vulnerabilities.
In the past, this was only a recommendation, but that changes on April 3rd, 2023.
The new CISA mandate is requiring all federal agencies to account for a complete inventory of their assets. Federal agencies have until next April to maintain automated asset inventories and check for any vulnerabilities they may have within their IT infrastructure.
The end goal is to help the government gain better visibility into the nation’s IT infrastructure, preventing another SolarWinds or Log4j incident, and to reduce sizable impacts stemming from limited asset inventories and associated software supply chain vulnerabilities. Officials and businesses need to be able to spot a software vulnerability before it can be exploited by an outside threat actor and a data breach occurs. Regulations affect every industry, and this one is big for federal agencies.
We asked Scott Foote, VCISO at Apexa iQ, what this means for agencies and the impact this mandate will have. "For decades, the inevitable cyber entropy has plagued the cyber security community with an ever expanding attack surface that must be defended. The unindoctrinated might assume that every organization religiously maintains a complete inventory of assets and vulnerabilities. Sadly, that is the exception rather than the norm. The recent CISA directive acknowledges this and now requires US federal agencies to formally document their cyber posture with a comprehensive and continuously updated inventory of their assets and relevant vulnerabilities. Frankly, every commercial entity should be applying the same discipline to taming their own cyber entropy. You cannot defend what you cannot see."
Knowing what’s on your network is the first step for any organization to reduce risk; accordingly, agencies will have to begin automated asset discovery every seven days starting in April 2023. Agencies will also need to conduct vulnerability enumeration every 14 days, checking servers, routers, switches, computers, mobile phones and other devices. Doing so every 14 days can be time-consuming, but with a solution like Apexa iQ, agencies can get this information in minutes, in a single pane of glass. Agencies will also check to make sure software is up to date and properly patched, and will scan managed endpoints.
What is the best way to spot a vulnerability within your IT estate? Utilizing a SaaS-based platform that gives you a comprehensive view of every device on your network. Here are some questions you should be asking yourself when evaluating your IT security.
Federal agencies should look to get an IT Asset Management platform in advance so they can assess their assets to gain an advantage on the April 2023 mandate.
Steve Sabados, CISO of magicJack, adds: “Apexa iQ is a solution created for companies who face increasingly dynamic environments. This solution provides a concise view of your entire IT environment while identifying IT risks and vulnerabilities within your company, giving you actionable information to protect your assets. With this new mandate, Apexa iQ is the answer to what you will need to stay compliant and secure.”