CISA Issues Cybersecurity Mandate to Federal Civilian Agencies
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding directive that instructs federal civilian agencies to better account for what resides on their computer networks.
Over the past several years, CISA has been working to gain greater visibility into risks facing federal civilian networks, a gap made clear by the intrusion campaign targeting SolarWinds devices, according to a prepared statement. Consequently, the Biden-Harris Administration and Congress have supported significant progress by providing key authorities and resources, according to CISA.
The CISA directive — Improving Asset Visibility and Vulnerability Detection on Federal Networks — establishes baseline requirements for all Federal Civilian Executive Branch (FCEB) agencies to identify assets and vulnerabilities on their networks and provide data to CISA on defined intervals.
CISA Director Jen Easterly explained the imperative behind the directive:
“Threat actors continue to target our nation’s critical infrastructure and government networks to exploit weaknesses within unknown, unprotected or under-protected assets. Knowing what’s on your network is the first step for any organization to reduce risk. While this directive applies to federal civilian agencies, we urge all organizations to adopt the guidance in this directive to gain a complete understanding of vulnerabilities that may exist on their networks. We all have a role to play in building a more cyber resilient nation.”
CISA Directive Casts Wider Net
CISA asserts that the directive will significantly increase visibility into assets and vulnerabilities across the federal government. The directive is intended to improve the ability of both CISA and each agency to detect, prevent, and respond to cybersecurity incidents and to better understand trends in cybersecurity risk.
While the directive is a mandate for federal civilian agencies, CISA recommends that private businesses and state, local, tribal and territorial (SLTT) governments review it and prioritize implementation of rigorous asset and vulnerability management programs.
CISA Marks Cybersecurity Awareness Month
In other CISA news, the agency recognized October as Cybersecurity Awareness Month. Correspondingly, a proclamation by President Biden designates October “as a time for the public and private sectors to work together to continue raising awareness about the importance of cybersecurity and equip the American people with the resources needed to be safer and more secure online.”
Throughout October, CISA, in partnership with the National Cybersecurity Alliance (NCA), will focus on what it means to “See Yourself in Cyber” by highlighting the actions that all Americans can take to raise the baseline for cybersecurity across the country.
Easterly urged the nation to become more cyber resilient:
“To build a more resilient nation, everyone… has a role to play, which is why our theme for this year’s Cybersecurity Awareness Month is ‘See Yourself in Cyber.’ This October, we are taking this message directly to the American people because whether you’re a network defender or anyone with an internet connection, we all have a role to play in strengthening the cybersecurity of our nation.
“Throughout the month, CISA will be engaged with communities across the country to promote cyber hygiene — simple but effective ways to keep Americans safe online through basic steps like enabling multi-factor authentication; using strong passwords and a password keeper; recognizing and reporting phishing; and promptly updating software. Together, we will make better cybersecurity a reality.”