The Cybersecurity and Infrastructure Security Agency (CISA) has released a new Binding Operational Directive (BOD 22-01) that's designed to reduce the significant risk of known exploited vulnerabilities.
This directive is compulsory for all federal executive branch departments and agencies. The following is taken directly from CISA's website:
This directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency’s behalf. These required actions apply to any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.
Within 60 days of issuance, agencies shall review and update agency internal vulnerability management procedures in accordance with this Directive. If requested by CISA, agencies will provide a copy of these policies and procedures. At a minimum, agency policies must:
a. Establish a process for ongoing remediation of vulnerabilities that CISA identifies, through inclusion in the CISA-managed catalog of known exploited vulnerabilities, as carrying significant risk to the federal enterprise within a timeframe set by CISA pursuant to this directive;
b. Assign roles and responsibilities for executing agency actions as required by this directive;
c. Define necessary actions required to enable prompt response to actions required by this directive;
d. Establish internal validation and enforcement procedures to ensure adherence with this Directive; and
e. Set internal tracking and reporting requirements to evaluate adherence with this Directive and provide reporting to CISA, as needed.
Remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog. The catalog will list exploited vulnerabilities that carry significant risk to the federal enterprise with the requirement to remediate within 6 months for vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021 and within two weeks for all other vulnerabilities. These default timelines may be adjusted in the case of grave risk to the Federal Enterprise.
Report on the status of vulnerabilities listed in the repository. In line with requirements for the Continuous Diagnostics and Mitigation (CDM) Federal Dashboard deployment and OMB annual FISMA memorandum requirements, agencies are expected to automate data exchange and report their respective Directive implementation status through the CDM Federal Dashboard. Initially agencies may submit quarterly reports through CyberScope submissions or report through the CDM Federal Dashboard. Starting on October 1, 2022, agencies that have not migrated reporting to the CDM Federal Dashboard will be required to update their status through CyberScope bi-weekly.
- Maintain the catalog of known exploited vulnerabilities at https://cisa.gov/known-exploited-vulnerabilities and alert agencies of updates for awareness and action.
- CISA will publish the thresholds and conditions for including and adding vulnerabilities to the catalog at https://cisa.gov/known-exploited-vulnerabilities.
- As necessary following the issuance of this Directive, CISA will review this Directive to account for changes in the general cybersecurity landscape and consider issuing Supplemental Direction to incorporate additional vulnerability management best practices for federal information systems.
- Annually, by the end of each fiscal year, provide a status report to the Secretary of Homeland Security, the Director of the Office of Management and Budget (OMB), and the National Cyber Director identifying cross-agency status and outstanding issues in implementation of this Directive.
Does this Impact Any Companies/Organizations Outside of the Federal Government?
Not exactly, but there is language in the directive that can be applied to drafting better security policy at your own business or organization. We've covered some of these things before here on the blog.
Personally, it seems as if CISA is requiring Federal entities to perform a risk assessment in order to better protect themselves. Here are seven things YOU can do to prepare yourself and complete a Risk Assessment for your business or organization:
While we’ve done our best to put these steps into an organized list, many of them are interconnected, and when you go through a Risk Assessment, you’ll be bouncing back and forth between them as new information comes to light.
Step 1: Identify Your Information Assets
An information asset is any information or asset that is valuable to your business and contributes to its ability to operate and its profitability. Typically you need to look for things like paper or electronic documents, applications, databases, infrastructure, even key people. That’s an information asset.
“Generally what we do to start the asset identification process is issue a questionnaire,” said Darrin Maggy, Security7 Networks Practice Manager. “It’s brief, and it’s meant to prompt people through the process of understanding exactly what we’re looking for and how to find it.”
Step 2: Identify the Asset Owners
After you’ve identified your information assets, Security7 determines who within the business is responsible for those assets. Maggy said the recipients of the questionnaire typically exist at the layer directly below the CEO on the org chart.
“Finance, Operations, HR, Sales, etc., these folks are typically aware of which corporate assets they’re responsible for and which assets are most critical to the business,” he said.
Maggy said it’s important to identify asset owners, as they are the best source of knowledge regarding the potential vulnerabilities and threats to the assets, and they can also help assess the likelihood and impact if the identified risks were to materialize.
Step 3: Identify Risks to Confidentiality, Integrity, and Availability of the Information Assets
“Confidentiality, Integrity, and Availability of information are the foundation of information security,” Maggy said. “Let's use an analogy to help explain this.”
Maggy said to imagine you’re doing business with your bank. You’re going to make a deposit, log into your account to make sure the deposit has posted to your account, and then withdraw the money.
You expect confidentiality when you deposit your money. That transaction is between you and your bank. “It’s nobody’s business that you’ve just conducted that transaction,” Maggy said. “The bank shouldn’t advertise the fact that you just deposited $50 or $5000 into your account.”
Integrity comes into play when you log into your account only to find the transaction hasn’t been posted. “Say you deposited $50 and only see $10 or nothing at all,” Maggy said. “Something’s happened regarding the integrity of that transaction, the integrity of the information.”
“Availability comes about when you go to an ATM and try to withdraw that $50 and you’re unable to do so. Now you have an availability issue.”
Maggy said all three of these things apply to data as well: any breach of Confidentiality, Integrity, and Availability is considered a security incident. “Let’s apply these concepts to business.
“If somebody in sales needs to access Salesforce.com and they’re unable to do so, that’s an availability issue. If somebody from HR goes into Salesforce.com and they alter a major account record, making substantial changes to the record, and ultimately those changes alter the way that client is handled in the organization then you’ve just had a breach of integrity,” he said.
“Overall, confidentiality is identifying the processes, the assets, the information, the things in the organization that need to be kept private,” Maggy said. “Whether it’s existential data that you don’t want your competitors to find out about such as information related to M&A activity or new product development, financial information, or other sensitive data. That’s confidentiality.”
Step 4: Identify the Risk Owners
Remember when we said you might bounce around between the steps? Well, here’s an example of that.
“Oft times we’ll determine that the asset owner ends up being the risk owner as well,” Maggy said.
Maggy said risk owners are those with the accountability and authority to manage risk. “The asset owner is the person responsible for the asset within the company. A risk owner is a person who is both interested in resolving a risk and is positioned high enough in the organization to do something about it.”
However, the risk owner isn’t always the asset owner. “It has to be someone who is closely related to processes and operations where the risks have been identified – it must be someone who will feel the ‘pain’ if the risks materialize – that is, someone who is very much interested in preventing such risks from happening. However, this person must be also positioned high enough so that his or her voice would be heard among the decision-makers because without obtaining the resources this task would be impossible.”
Step 5: Analyze the Identified Risks and Assess the Likelihood and Potential Impact if the Risk Were to Materialize
Maggy said it's important to always provide Risk Assessment training directly to the people who are going to be involved in the Risk Assessment process.
“We do this to bring everyone involved in the process up to speed,” he said. “It helps them understand the methodology, the terminology, and the risk identification and treatment process so we can better assure a high quality, refined output.”
Step 6: Determine the Levels of Risk
Security7 Networks has assembled a collection of Risk Catalogs to help the participants on their journey. The catalogs help identify specific threats and vulnerabilities and allow them to walk organizations through the likelihood and consequence scenarios.
“We give the potential impact and likelihood of these threats occurring a numerical value in our risk matrix.”
The total of these values ultimately determines which risks will require treatment.
“Then you have to decide how you’re going to reduce those risks to a level that the organization is willing to accept or is comfortable with, no more no less,” he said.
Step 7: Prioritize the Analyzed Risks for Treatment
The primary risk treatment options an organization has to consider are risk mitigation, risk transfer, risk avoidance, and risk acceptance.
“Maybe you’re going to put a security control in place from Annex A or SP 800-153 or another control catalog. That’s risk mitigation,” Maggy said.
“Risk transfer is when you transfer the risk through outsourcing to a contract supplier or insuring a particular asset.”
“Risk avoidance is when you discontinue the activity that’s associated with the risk,” he said.
“Risk acceptance is where an organization says, ‘You know what? The treatment would cost more than the potential impact were the risk to materialize. We accept this risk. It’s been signed off on by our executive suite,’” he said. “Then they file the risk acceptance memo within their information security management system.”