The Cybersecurity and Infrastructure Security Agency is reporting progress across multiple fronts in its efforts to gain visibility into vulnerabilities on federal networks and extend shared cyber services across agencies.
In the quarter two update to the Department of Homeland Security Agency Priority Goal, “Strengthen Federal Cybersecurity,” CISA reports that 55% of federal agencies now automatically report into CISA’s Continuous Diagnostics and Mitigation (CDM) system. That’s up from 45% at the end of the first quarter of fiscal 2023.
CDM is central to CISA’s role overseeing federal cybersecurity. Agency CDM Dashboards feed information about hardware, software and potential vulnerabilities on their networks into a central “CDM Federal Dashboard.”
The latest update means CISA has already met a goal for half of all agencies to automate reporting into CDM by Sept. 30, 2023.
“CISA is performing well against this measure, with Q1 and Q2 results much higher than anticipated,” CISA officials wrote in the latest update.
But CISA expects more “stabilized progress” through the remainder of fiscal 2023, the update continues, as factors including “agency resourcing, prioritization and leadership changes will create challenges for achieving comprehensive CDM coverage, as will CISA’s inability to directly make changes to agency tooling.”
Beyond this year, CISA expects it will reach as high as 85% of agencies automatically reporting into CDM, “but may never approach 100%.”
However, CISA officials are hailing the increased visibility they’ve already achieved into federal networks.
During a June 22 Cybersecurity Advisory Committee meeting, CISA Executive Assistant Director for Cybersecurity Eric Goldstein said the agency has the ability to “gain real time visibility into every asset, every vulnerability, every misconfiguration, across every federal civilian network continuously” through the CDM program.
He pointed to the widely exploited vulnerabilities in the MOVEit file transfer system. Several federal agencies were swept up in a ransomware attack that leveraged the previously unknown bugs in the MOVEit software.
But CISA officials have said the campaign did not result in “significant impacts” to federal data or systems.
“Had this campaign occurred a couple of years ago, we would have been rendered to a manual state where we would have asked organizations to tell us, likely via spreadsheets, how they were using this application and where,” Goldstein said. “Now we can log on to what we call our federal dashboard and gain real time visibility, not just into the prevalence of that application, as one example, but also the version status. We can actually see who has mitigated and if they haven’t, drive them to do so.”
Goldstein said CISA has been able to combine its strengthened visibility with a Binding Operational Directive issued in late 2021 that establishes a “Known Exploited Vulnerabilities” catalog of significantly dangerous cyber bugs. The BOD requires agencies to patch vulnerabilities listed on the catalog within specified time frames.
“We have driven mitigation of millions of vulnerable instances of technology assets since that directive was put in place based upon that intersection of our directive authority and our visibility,” Goldstein said.
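The mechanism Goldstein describes, asset visibility cross-referenced against the KEV catalog's remediation due dates, can be illustrated with a short script. This is an added example, not CISA's code or a CDM dashboard: the catalog snippet uses the KEV feed's field names but placeholder CVE ids, products and dates, and the inventory is constructed.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV catalog JSON (field names match the
# public feed; the CVE ids, products and dates are placeholders, not real entries).
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCorp", "product": "FileMover",
  "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCorp", "product": "FileMover",
  "dueDate": "2023-07-14", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Router",
  "dueDate": "2023-06-01", "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed asset inventory, standing in for what an agency dashboard reports upward:
# which product runs on which host, and which catalog CVEs the owner has already mitigated.
INVENTORY = [
    {"host": "web-01", "vendor": "examplecorp", "product": "filemover", "mitigated": ["CVE-0000-0001"]},
    {"host": "web-02", "vendor": "examplecorp", "product": "filemover", "mitigated": []},
    {"host": "db-01",  "vendor": "dbco",        "product": "sqlserver", "mitigated": []},
]

def kev_status(inventory, kev_json, today_iso):
    """One row per (host, catalog CVE) for products that appear in the catalog.
    status is 'mitigated', 'overdue' (days past dueDate) or 'due' (days remaining)."""
    today = date.fromisoformat(today_iso)
    catalog = json.loads(kev_json)["vulnerabilities"]
    rows = []
    for asset in inventory:
        for entry in catalog:
            key = (entry["vendorProject"].lower(), entry["product"].lower())
            if key != (asset["vendor"], asset["product"]):
                continue
            delta = (today - date.fromisoformat(entry["dueDate"])).days
            if entry["cveID"] in asset["mitigated"]:
                status, days = "mitigated", 0
            elif delta > 0:
                status, days = "overdue", delta
            else:
                status, days = "due", -delta
            rows.append({"host": asset["host"], "cve": entry["cveID"], "status": status,
                         "days": days, "ransomware": entry["knownRansomwareCampaignUse"] == "Known"})
    # Worst first: overdue items, ransomware-linked ones ahead, then most days overdue.
    rows.sort(key=lambda r: (r["status"] != "overdue", not r["ransomware"], -r["days"]))
    return rows

def overdue_hosts(rows):
    """Hosts with at least one catalog CVE past its due date and not yet mitigated."""
    return sorted({r["host"] for r in rows if r["status"] == "overdue"})

if __name__ == "__main__":
    for row in kev_status(INVENTORY, KEV_JSON, "2023-06-30"):
        print(row)
```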
CISA expects ‘big jump’ in shared services adoption
More agencies are also adopting the shared services CISA offers on a voluntary basis. The agency reports 120 total adoptions across five distinct services through the end of quarter two.
The services include the Automated Indicator Sharing service, Mobile Application Vetting, a suite of “Shared Cybersecurity Services,” the Traveler-Verified Information Protection service and the agency’s Vulnerability Disclosure Policy Platform.
And CISA expects to see agencies adopt even more services through the remainder of fiscal 2023, especially with its Secure Cloud Business Applications (SCuBA) service.
“CISA expects a big jump in voluntary adoptions over the next two quarters and expects to meet the annual target of 190 adoptions,” agency officials wrote in the update.