In mid-August, U.S. national security advisor Jake Sullivan sent a memo to cabinet secretaries of agencies outside the Pentagon dinging them for not complying with deadlines and steps in the 2021 Executive Order 14208 on Improving the Nation’s Cybersecurity. In doing so, he set a new timeclock ticking for submitting a detailed implementation plan by the end of September… just a few weeks away from this writing.
Sullivan said that failing to comply with deadlines and practices laid out in the EO left the U.S. Government exposed to “malicious cyber intrusions.”
The national media attention that the memo received may come as an unwelcome surprise to federal agency CISOs, but the looming deadline and what it requires are nothing new. Among the many deadlines in the original EO, federal agencies were instructed to develop a zero trust architecture (ZTA) implementation plan within 60 days of the order, which would have been July 2021.
For those who haven’t yet submitted a detailed cybersecurity implementation plan, it’s time to put pen to paper and knock it out. The good news is this: you likely already have most of the tools in place to do what is being asked of you, and Forescout can help you meet the new deadline.
Overlapping mandates and recommendations
Published in May 2021, EO 14208 directs federal agencies to make a series of investments in their cybersecurity defenses and begin migrating to a ZTA. Several related notices followed:
- August 2021 – The Cybersecurity and Infrastructure Security Agency (CISA) releases its initial Zero Trust Maturity Model (ZTMM 1.0), including how agencies can use the Continuous Diagnostics and Mitigation (CDM) program to support key aspects of zero trust, such as asset management. The model is heavily influenced by the National Institute of Standards and Technology (NIST) SP 800-207, “Zero Trust Architecture.” Note that ZTMM is voluntary guidance, not a mandate. On its website, CISA calls ZTMM “one of many roadmaps that agencies can reference as they transition toward a ZTA.” However, it lays out the clearest guidance agencies will find for EO and other compliance.
- January 2022 – The Office of Management and Budget (OMB) publishes the federal ZTA strategy, which requires agencies to achieve specific zero trust security goals by the end of government FY24. The goals are organized using ZTMM 1.0 and incorporate its five pillars: identity, devices, networks, applications and workloads, and data. Again, CDM is referenced frequently in the strategy as the vehicle for meeting the devices pillar by maintaining a reliable asset inventory.
- October 2022 – CISA issues Binding Operational Directive (BOD) 23-01 – Improving Asset Visibility and Vulnerability Detection on Federal Networks, which imposes new asset discovery, vulnerability enumeration and reporting requirements on agencies, all through CDM.
- December 2022 – New OMB Federal Information Security Modernization Act (FISMA) guidance requires agencies to automatically report at least 80% of their IT systems through CDM by the end of FY23.
- April 2023 – CISA releases ZTMM 2.0, which adds a new maturity stage (optimal) and updates implementation guidance across key pillars including identity, networks, applications and workloads, and data. The data (visibility) pillar is untouched.
And, of course, the new National Cybersecurity Strategy, released in March 2023, sets forth ambitious new cybersecurity goals for both the public and private sectors.
CDM – the common thread for asset management
Above is a partial list of recent notices and directives designed to emphasize some good news that many federal CISOs already know: these various mandates build on one another, and success is grounded in asset management, or knowing what’s on your network. For federal agencies, since 2013 the vehicle for asset management has been CDM. It’s no surprise this program is still foundational — it’s still being updated to improve processes and support reporting requirements.
In BOD 23-01, for example, CISA points out that asset visibility [through CDM] is a means to an end:
“Asset visibility is not an end in itself, but is necessary for updates, configuration management, and other security and lifecycle management activities that significantly reduce cybersecurity risk, along with exigent activities like vulnerability remediation.”
Federal agencies have participated in CDM for a decade now – so long that you may not be actively managing it anymore. As with many long-running programs, constant changes to the network, coupled with little enforcement and staff turnover, can drive assets out of alignment.
Plus, the world has changed a lot since 2013. Federal networks now include everything from security cameras to badge readers to HVACs. EDR tools often don’t work with such devices because the devices cannot host a security agent. However, these devices can be accurately discovered in real time using hardware asset management (HWAM) tools you already have.
Forescout currently provides CDM HWAM for 164 federal agencies. We do this by continuously detecting all IP-addressable devices – IT, Internet of Things (IoT) and operational technology (OT) – then classifying and controlling access in real time.
Certainly, there may be more exciting aspects of cybersecurity than asset management. But before you can apply artificial intelligence to threat detection and incident response or automate remediation based on prioritized risk, for example, you must know where your assets are and their compliance state so you can protect them.
Let us meet you where you are
Every agency is different. No matter where you are in your implementation planning or execution, Forescout can help you not just map your connected assets but also:
- Understand your security posture
- Identify tools and allocate resources
- Assess the level of effort needed to extend your framework to your entire attack surface
Forescout offers flexible services that include creating a targeted implementation plan designed to meet specific goals. You’ll work with a Forescout solution architect, professional services engineer and project manager to achieve your defined goals. With a vast deployment base across the federal government, we can also help you navigate conflicting regulations and overcome barriers such as blocked access to the devices and networks you’re charged with securing.
To get the help you need to meet short-term deadlines and position your agency for ongoing success, contact your Forescout representative.