October 12, 2022
CISA Releases Directives On Asset Discovery And Vulnerability Enumeration
By Apexa iQ
The Cybersecurity & Infrastructure Security Agency (CISA) released a directive last month requiring federal agencies to maintain a complete inventory of their assets and vulnerabilities.
Until now this was only a recommendation; from April 3rd, 2023 it is a requirement.
What is the new mandate and who is affected?
The new CISA mandate requires all federal agencies to maintain a complete inventory of their assets. Federal agencies have until next April to put automated asset inventories in place and to check for vulnerabilities within their IT infrastructure.
The end goal is to give the government better visibility into the nation’s IT infrastructure, helping to prevent another SolarWinds or Log4j incident and to reduce the sizable impacts that stem from limited asset inventories and the associated software supply chain vulnerabilities. Officials and businesses need to be able to spot a software vulnerability before an outside threat actor exploits it and a data breach occurs. Regulations affect every industry, and this one is a big one for federal agencies.
We asked Scott Foote, VCISO at Apexa iQ, what this means for agencies and what impact this mandate will have. "For decades, the inevitable cyber entropy has plagued the cyber security community with an ever-expanding attack surface that must be defended. The unindoctrinated might assume that every organization religiously maintains a complete inventory of assets and vulnerabilities. Sadly, that is the exception rather than the norm. The recent CISA directive acknowledges this and now requires US federal agencies to formally document their cyber posture with a comprehensive and continuously updated inventory of their assets and relevant vulnerabilities. Frankly, every commercial entity should be applying the same discipline to taming their own cyber entropy. You cannot defend what you cannot see."
Knowing what’s on your network is the first step for any organization to reduce risk, so starting in April 2023 agencies will have to run automated asset discovery every seven days. Agencies will also need to conduct vulnerability enumeration every 14 days across servers, routers, switches, computers, mobile phones and other devices. Doing this every 14 days can be time consuming, but with a solution like Apexa iQ agencies can get this information in minutes, in a single pane of glass. Agencies will also check that software is up to date and properly patched, and scan managed endpoints.
Spotting Vulnerabilities
What is the best way to spot a vulnerability within your IT estate? Use a SaaS-based platform that gives you a comprehensive view of every device on your network. Here are some questions you should be asking when evaluating your IT security.
- Does my firm know what assets, both hardware and software, are in inventory, both on-premises and in the cloud?
- Are we patching effectively and appropriately?
- What is the plan in case of a cyber attack? Where is our information stored?
- Do we employ multi-factor authentication (MFA)?
- Are employees considered an asset to security or a liability to the firm? Do we understand which users have access to certain data, policies, and admin access?
- Which security policies do our vendors have in place?
- What is the cost – time and money – to inventory our entire IT environment?
Federal agencies should adopt an IT Asset Management platform in advance so they can assess their assets and get ahead of the April 2023 mandate.
Steve Sabados, CISO of magicJack, adds: “Apexa iQ is a solution created for companies who face increasingly dynamic environments. This solution provides a concise view of your entire IT environment while identifying IT risks and vulnerabilities within your company, giving you actionable information to protect your assets. With this new mandate, Apexa iQ is the answer to what you will need to stay compliant and secure.”
How Apexa iQ, an IT Asset Management company, can help:
- Apexa gives you automated asset discovery in real time and in minutes
- With Apexa, you can initiate on-demand asset discovery at any time
- Apexa iQ can help your agency stay secure and compliant by showing you all devices that are obsolete and/or not being patched
- Apexa iQ can see your entire attack surface
- Apexa can see all IP addressable operational technology and roaming/cloud assets
- Discovery, at a minimum, must include the organization’s entire IPv4 space, and we’ve got you covered
- Minimal deployment and onboarding to get started with Apexa iQ
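The two concrete requirements on this page are a cadence (asset discovery at least every seven days, vulnerability enumeration at least every 14 days) and a scope (discovery covering the organization's entire IPv4 space). The script below is an added illustration of how an agency could audit its own run history against both; it is not Apexa iQ code and not CISA tooling. The 7- and 14-day thresholds come from the article; the run-record format, the function names, the declared address ranges and the sample run log are all constructed for this example.

```python
"""Audit a log of discovery / enumeration runs for cadence and IPv4 scope.

Added example (not the vendor's or CISA's code). Assumes a flat list of
completed runs, each a dict with 'kind' ('discovery' or 'enumeration'), a UTC
'completed' timestamp, and for discovery runs the IPv4 networks in 'scope'.
"""
from datetime import datetime, timedelta, timezone
import ipaddress

# Thresholds stated in the article.
DISCOVERY_MAX_GAP = timedelta(days=7)
ENUMERATION_MAX_GAP = timedelta(days=14)

# Constructed sample: the IPv4 ranges the organization declares it owns.
DECLARED_IPV4 = ["10.0.0.0/16", "192.168.10.0/24"]

# Constructed run log. Two deliberate problems: the 2023-04-10 discovery run
# only covered half of the /16, and the next discovery run came 9 days later.
SAMPLE_RUNS = [
    {"kind": "discovery", "completed": "2023-04-03T02:00:00Z",
     "scope": ["10.0.0.0/16", "192.168.10.0/24"]},
    {"kind": "enumeration", "completed": "2023-04-04T03:00:00Z"},
    {"kind": "discovery", "completed": "2023-04-10T02:00:00Z",
     "scope": ["10.0.0.0/17"]},
    {"kind": "discovery", "completed": "2023-04-19T02:00:00Z",
     "scope": ["10.0.0.0/16", "192.168.10.0/24"]},
    {"kind": "enumeration", "completed": "2023-04-17T03:00:00Z"},
]


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def cadence_gaps(runs, kind, max_gap, as_of=None):
    """Return (earlier, later) timestamp pairs of consecutive runs of `kind`
    spaced more than max_gap apart. If as_of is given it is appended as a
    virtual checkpoint, so a stale most-recent run is also reported."""
    times = sorted(_parse(r["completed"]) for r in runs if r["kind"] == kind)
    if as_of is not None:
        times.append(as_of)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]


def uncovered_ipv4(declared, scanned):
    """Return the parts of the declared IPv4 ranges (as CIDR strings) that no
    scanned network covers. CIDR blocks are either nested or disjoint, so each
    declared block is either dropped, split with address_exclude, or kept."""
    remaining = [ipaddress.ip_network(n) for n in declared]
    for s in scanned:
        s_net = ipaddress.ip_network(s)
        nxt = []
        for r in remaining:
            if r.subnet_of(s_net):
                continue                      # wholly covered by this scan
            if s_net.subnet_of(r):
                nxt.extend(r.address_exclude(s_net))  # partially covered
            else:
                nxt.append(r)                 # disjoint: untouched
        remaining = nxt
    return sorted(str(n) for n in remaining)


def discovery_scope_findings(runs, declared):
    """List (timestamp, missing ranges) for discovery runs that left part of
    the declared IPv4 space unscanned."""
    findings = []
    for r in runs:
        if r["kind"] != "discovery":
            continue
        missing = uncovered_ipv4(declared, r.get("scope", []))
        if missing:
            findings.append((r["completed"], missing))
    return findings


def report(runs=SAMPLE_RUNS, declared=DECLARED_IPV4, as_of=None):
    """Bundle the three checks into one dict for a dashboard or a test."""
    return {
        "discovery_gaps": cadence_gaps(runs, "discovery", DISCOVERY_MAX_GAP, as_of),
        "enumeration_gaps": cadence_gaps(runs, "enumeration", ENUMERATION_MAX_GAP, as_of),
        "scope_findings": discovery_scope_findings(runs, declared),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the constructed log the audit reports one discovery gap (April 10 to April 19, nine days), no enumeration gap (April 4 to April 17 is 13 days), and one scope finding: the April 10 run missed 10.0.128.0/17 and all of 192.168.10.0/24. Passing `as_of=datetime.now(timezone.utc)` also flags the most recent run if it has gone stale.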