A Roadmap to Implement Enhanced Security Measures for “Critical Software”: How to Comply with OMB’s Memo for Federal Civilian Agencies
On August 10, 2021, the Office of Management and Budget (OMB) released memorandum M-21-30, guidance to civilian agencies on how to implement the goals of the May 12, 2021 Executive Order 14028 on Improving the Nation’s Cybersecurity with regard to software that is considered “critical.” Agencies have just 60 days to identify their “critical software” and 1 year to implement the enhanced security measures for it.
While the timeframes for compliance are aggressive, they are quite realistic when you take the following six-step approach to getting started.
Step 1: Understand the definition of “Critical Software”
On June 25, 2021, the National Institute of Standards and Technology (NIST) released guidance on what qualifies as “critical software”, described as follows.
“Critical software” is any software that has, or has direct software dependencies upon, one or more components with at least one of the following attributes:
- is designed to run with elevated privilege or manage privileges;
- has direct or privileged access to networking or computing resources;
- is designed to control access to data or operational technology;
- performs a function critical to trust; or
- operates outside of normal trust boundaries with privileged access.
Step 2: Prioritize OMB’s first phase
OMB has indicated that enhanced security measures for “critical software” will follow a phased approach, focusing first on standalone, on-premises software that falls into any of the following categories:
- Identity, credential, and access management (Examples: CyberArk, Okta, SailPoint)
- Operating systems, hypervisors, container environments (OS examples: Windows, Linux, macOS; hypervisors: VMware, Nutanix, Hyper-V; containers: Kubernetes, Docker)
- Web browsers (Examples: Chrome, Firefox, Internet Explorer)
- Endpoint security (Examples: Tanium, CrowdStrike, McAfee ePO)
- Network control (Example: Forescout)
- Network protection (Example: Palo Alto Networks)
- Network monitoring and configuration (Examples: ServiceNow, Nagios, SolarWinds)
- Operational monitoring and analysis (Examples: Firepower, Splunk)
- Remote scanning (Example: Tenable)
- Remote access and configuration management (Example: VPN)
- Backup/recovery and remote storage (Example: NetApp)
Note that subsequent phases will address a wide range of software, such as boot-level firmware, solutions that control data, cloud-based software, software with OT-based components, and many more.
Step 3: Create a real-time inventory of your agency’s “critical software”
In order to implement all of the enhanced security measures (SMs) required for software that meets the “critical” definition, you must have a robust inventory of all the software running on your network. That is why SM 3.1 prescribes the creation and maintenance of a software inventory.
Continuous Diagnostics and Mitigation (CDM) program tools, like the Forescout platform, can help your agency identify all your applicable software and enable inventory creation.
To identify your critical software using Forescout, your IT team performs three tasks:
- Integrate Forescout with your agency’s Active Directory. This will enable you to view all users that have access to a particular host, as well as the operating system version and the services running on the host.
- Integrate Forescout with endpoint solutions (e.g. Tanium, McAfee ePO, CrowdStrike) or deploy Forescout SecureConnector to Windows, Mac or Linux hosts to obtain data on software that is installed or running. This will enable you to identify any critical services or software residing on the host.
- Create a Forescout security policy to identify all software running with elevated privileges, which is the first of NIST’s “critical software” attributes.
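The three tasks above produce raw host data; turning it into the SM 3.1 inventory still takes a classification step. The following is an added example, not Forescout code, of that step in Python: it takes per-host records of the kind an AD/endpoint integration would export (constructed here inline), tags each item with a NIST phase-1 category, flags items that run with elevated privilege, and sets aside elevated software that matches no category for manual review. The keyword-to-category table, the privileged-account list and the record layout are all assumptions made for the example.

```python
"""Build an EO-critical software inventory (SM 3.1) from host records.

Added example, not part of the original article or Forescout's product.
Input records are CONSTRUCTED to resemble what an AD/endpoint export provides:
per host, the OS plus installed/running software with the account it runs as.
"""
from collections import defaultdict

# ASSUMED keyword table for NIST phase-1 categories; extend per agency.
PHASE1_CATEGORIES = {
    "identity_credential_access": ("okta", "cyberark", "sailpoint"),
    "os_hypervisor_container": ("windows", "linux", "rhel", "ubuntu", "vmware",
                                "hyper-v", "docker", "kubernetes"),
    "web_browser": ("chrome", "firefox", "internet explorer", "edge"),
    "endpoint_security": ("crowdstrike", "tanium", "mcafee"),
    "network_control": ("forescout",),
    "network_monitoring": ("solarwinds", "nagios"),
    "operational_monitoring": ("splunk",),
    "remote_scanning": ("nessus", "tenable"),
    "remote_access": ("vpn", "openvpn", "anyconnect"),
    "backup_storage": ("netapp", "veeam"),
}

# ASSUMED set of accounts that imply "runs with elevated privilege".
PRIVILEGED_ACCOUNTS = {"nt authority\\system", "localsystem", "root", "administrator"}


def categorize(name):
    """Return the phase-1 category whose keyword appears in the product name, else None."""
    n = name.lower()
    for category, keywords in PHASE1_CATEGORIES.items():
        if any(k in n for k in keywords):
            return category
    return None


def is_elevated(entry):
    """NIST attribute 1: runs with elevated privilege (privileged account, setuid, or OS itself)."""
    account = entry.get("account", "").lower()
    return bool(entry.get("elevated")) or bool(entry.get("setuid")) or account in PRIVILEGED_ACCOUNTS


def build_inventory(hosts):
    """Return (critical, review): critical = categorized software keyed by (name, version);
    review = elevated software that matched no category and needs a human decision."""
    critical, review = {}, {}
    for host in hosts:
        # The operating system is itself phase-1 software and always runs privileged.
        entries = [{"name": host["os"], "version": host.get("os_version", "unknown"),
                    "elevated": True}] + host["software"]
        for entry in entries:
            key = (entry["name"], entry.get("version", "unknown"))
            cat = categorize(entry["name"])
            elevated = is_elevated(entry)
            target = critical if cat else (review if elevated else None)
            if target is None:
                continue  # uncategorized and unprivileged: not in scope for phase 1
            rec = target.setdefault(key, {"category": cat, "hosts": set(), "elevated": False})
            rec["hosts"].add(host["hostname"])
            rec["elevated"] = rec["elevated"] or elevated
    return critical, review


def summarize(critical):
    """Host-instance count per category, for the SM 3.1 report."""
    counts = defaultdict(int)
    for rec in critical.values():
        counts[rec["category"]] += len(rec["hosts"])
    return dict(counts)


# CONSTRUCTED sample export; hostnames, versions and accounts are made up.
SAMPLE_HOSTS = [
    {"hostname": "ws-0142", "os": "Windows 10", "os_version": "21H1", "software": [
        {"name": "CrowdStrike Falcon Sensor", "version": "6.30", "account": "NT AUTHORITY\\SYSTEM"},
        {"name": "Google Chrome", "version": "92.0", "account": "jdoe"},
        {"name": "AcmeUpdater", "version": "1.2", "account": "NT AUTHORITY\\SYSTEM"},
    ]},
    {"hostname": "srv-db-07", "os": "RHEL 8", "os_version": "8.4", "software": [
        {"name": "McAfee Agent", "version": "5.7", "account": "root"},
        {"name": "Google Chrome", "version": "92.0", "account": "svc_report"},
        {"name": "ping", "version": "20200821", "account": "svc_report", "setuid": True},
    ]},
]

if __name__ == "__main__":
    crit, rev = build_inventory(SAMPLE_HOSTS)
    for (name, ver), rec in sorted(crit.items()):
        print(f"{rec['category']:28} {name} {ver} elevated={rec['elevated']} hosts={sorted(rec['hosts'])}")
    print("needs review:", sorted(k for k in rev))
    print("per category:", summarize(crit))
```

The review bucket is the part that matters operationally: an agency-written updater running as SYSTEM meets the elevated-privilege attribute even though no vendor list names it, so it must be either categorized or explicitly excluded before the inventory is called complete.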
With a holistic software inventory in place, your agency can make decisions regarding which software you will allow to remain on your hosts. A robust software inventory also lets you confidently begin SM 3.2 (Patch Management) and SM 3.3 (Configuration Management). Moreover, there are indirect benefits to SM 2.1 – SM 2.5 (Data Inventory, Fine-Grained Access Control, Protect Data at Rest, Protect Data in Transit, and Back Up Data). All of these become possible once you have properly identified and/or tagged the data that moves between your applications and services.
Step 4: Implement MFA
SM 1.1 requires multi-factor authentication for all users and administrators of critical software. Rolling it out forces your agency to enumerate user accounts, which increases visibility into them and, in turn, enables more granular control actions. Specifically, you will position your agency to adhere to SM 1.2 (Identify and Authenticate Each Service) as well as SM 1.3 (Privileged Access Management). Standardizing on MFA helps ensure the proper level of access for each user on your network and limits privileged access to the users and applications that require it.
MFA, coupled with Forescout’s ability to continuously monitor (SM 4.2 Continuously Monitor) endpoint solutions can help your agency discover unauthorized accounts and communication at the host. Visibility into both users and their level of access makes boundary protection techniques (SM 1.4 Boundary Protection) more effective.
Step 5: Segment your networks
After performing steps 1-4 as outlined above, your agency will have accurate and holistic visibility into software, users/accounts, and devices. This sets the stage to then segment your networks (SM 4.4 Network Security Protection) and introduce control actions that are dynamic and precise. This is particularly important given the proliferation of connected “things”, such as IoT devices and operational technology (OT) assets like building automation systems – even weapons systems.
Segmentation allows administrators to identify malicious communication more easily and in a variety of ways. For example, subnets dedicated to critical infrastructure assets (e.g., water pumps and power generators) can be monitored for inbound traffic, and administrators can take action to prevent external connections. Forescout also provides early threat detection alongside segmentation, for example by responding quickly to unusual variations in CPU utilization: agency IT administrators can view lower-level host functions to establish a CPU utilization baseline per subnet, then monitor for spikes that could indicate suspicious activity.
Step 6: Automate threat response
After accomplishing steps 3-5 above – establishing a software inventory, implementing MFA, and segmenting networks – your agency will be able to make better use of syslog information (SM 4.1 Log Security Events) by creating security policies that take automated action in response to an alert-worthy event. For example, Forescout’s integration with IDPS technologies (SM 4.4 Network Security Protection) can automatically move a host to a quarantine VLAN in response to a malware alert, or when a Forescout policy triggers on communication with a suspicious domain.
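Steps 5 and 6 together describe a policy engine: ingest syslog events, match them against rules, and either quarantine a host or raise it for investigation. The following is an added example, not Forescout’s policy engine or any of its integrations, written in Python over constructed syslog lines (an IDPS malware alert, DNS query logs, and host CPU telemetry). It implements the three triggers the text describes: a malware alert and a query to a suspicious domain both move the host to a quarantine VLAN (once, even if both fire), while a CPU reading above the subnet’s baseline is only flagged for investigation. The message formats, the suspicious-domain list, the baseline samples and the VLAN number are assumptions for the example.

```python
"""Automated response over syslog events (SM 4.1 / SM 4.4), added example.

Not the article's or Forescout's code. All log lines, domains, subnets and
the quarantine VLAN id below are CONSTRUCTED for illustration.
"""
import re
import statistics
from ipaddress import ip_address, ip_network

QUARANTINE_VLAN = 999                                        # ASSUMED
SUSPICIOUS_DOMAINS = {"bad-cdn.example", "update-check.example"}  # ASSUMED blocklist
CPU_SPIKE_SIGMAS = 3.0                                       # spike = mean + 3 sigma

# CONSTRUCTED per-subnet CPU baseline (percent), e.g. the previous hour's samples.
BASELINE_CPU = {
    "10.30.1.0/24": [10, 12, 11, 13, 12, 11, 12, 10],   # OT subnet: building automation
    "10.20.5.0/24": [35, 42, 38, 51, 44, 40, 47, 39],   # workstation subnet
}

# Patterns for the three event types (formats ASSUMED to look like Snort, BIND, telemetry).
IDPS_RE = re.compile(r"MALWARE-\S+ .*?\{\w+\} (\d+\.\d+\.\d+\.\d+):\d+ -> ")
DNS_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN ")
CPU_RE = re.compile(r"host=(\d+\.\d+\.\d+\.\d+) cpu=(\d+)")


def subnet_for(ip):
    """Subnet key in BASELINE_CPU that contains ip, or None if no baseline exists."""
    for net in BASELINE_CPU:
        if ip_address(ip) in ip_network(net):
            return net
    return None


def cpu_threshold(net):
    samples = BASELINE_CPU[net]
    return statistics.mean(samples) + CPU_SPIKE_SIGMAS * statistics.stdev(samples)


def evaluate(lines):
    """Apply the response policies to syslog lines; return the ordered list of actions."""
    actions, quarantined = [], set()

    def quarantine(host, reason):
        if host in quarantined:          # one move per host, whatever else it trips
            return
        quarantined.add(host)
        actions.append({"action": "quarantine", "host": host,
                        "vlan": QUARANTINE_VLAN, "reason": reason})

    for line in lines:
        if m := IDPS_RE.search(line):
            quarantine(m.group(1), "IDPS malware alert")
        elif m := DNS_RE.search(line):
            host, domain = m.groups()
            if domain.rstrip(".").lower() in SUSPICIOUS_DOMAINS:
                quarantine(host, f"DNS query to {domain}")
        elif m := CPU_RE.search(line):
            host, cpu = m.group(1), int(m.group(2))
            net = subnet_for(host)
            if net is None:
                continue                 # no baseline for this subnet: nothing to compare against
            if cpu > cpu_threshold(net):
                # OT hosts are not auto-quarantined on telemetry alone; a human looks first.
                actions.append({"action": "investigate", "host": host,
                                "reason": f"cpu {cpu}% above baseline for {net}"})
    return actions


# CONSTRUCTED syslog sample; IPs are documentation ranges / private space.
SYSLOG = [
    "<134>Aug 12 10:01:02 idps01 snort[1201]: MALWARE-CNC Win.Trojan beacon {TCP} 10.20.5.17:49213 -> 203.0.113.9:443",
    "<134>Aug 12 10:01:05 dns01 named[800]: client 10.20.5.22#53122: query: bad-cdn.example IN A +",
    "<134>Aug 12 10:01:06 dns01 named[800]: client 10.20.5.23#53123: query: www.nist.gov IN A +",
    "<134>Aug 12 10:01:07 dns01 named[800]: client 10.20.5.17#53124: query: update-check.example IN A +",
    "<134>Aug 12 10:01:10 ot-gw01 telemetry: host=10.30.1.5 cpu=12",
    "<134>Aug 12 10:01:10 ot-gw01 telemetry: host=10.30.1.9 cpu=95",
    "<134>Aug 12 10:01:11 lab-gw telemetry: host=10.99.0.1 cpu=99",
]

if __name__ == "__main__":
    for act in evaluate(SYSLOG):
        print(act)
```

The split between “quarantine” and “investigate” is the design point: moving a workstation to a quarantine VLAN on a malware alert is cheap to reverse, but isolating an OT controller because its CPU spiked can interrupt a physical process, so that trigger only raises a ticket. The unknown-subnet host is skipped rather than guessed at, which is the honest outcome when segmentation (step 5) has not yet given you a baseline for that network.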
Forescout’s integration with endpoint management systems (e.g., McAfee ePO) also lets agencies validate dashboard information against what is actually observed on the host. This avoids relying on a report that says your hosts are up to date when some of them are in fact running software versions the endpoint agent never reported.
Conclusion: Act soon and focus your efforts
OMB’s memo on enhanced security measures must be implemented by federal civilian agencies by August 10, 2022. Careful planning of your agency’s first steps is critical to the process. You must complete baseline activities, such as software inventory creation and MFA, before implementing the more data-dependent security measures (e.g. SM 2.2: Use Fine-Grained Access Control for Data and Resources). To reduce complexity and accelerate compliance, agencies should use existing CDM tools to accomplish much of what the memo requires.
For more information or guidance on how to implement OMB’s memo, please reach out to Dr. Rafael Luis Torres Jr.