The below originally appeared on the FedScoop.
This video panel discussion was produced by Scoop News Group for FedScoop and underwritten by Axonius.
Continuous and comprehensive asset visibility is essential to manage cybersecurity risk effectively. That’s the premise behind the Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 23-01 (BOD-2301). This binding directive tasks federal agencies to achieve two core activities regularly: one involves asset discovery. The other consists of identifying and reporting vulnerabilities associated with those assets.
Michael Duffy, associate director for the cybersecurity division at CISA and Axonius CEO Dean Sysman joined FedScoop for an interview on what agencies must do, their progress, and recommendations on managing those efforts.
Duffy discussed the background and significance of BOD-2301. He explained that CISA’s continuous diagnostics and mitigation (CDM) program was established over a decade ago to provide agencies with consistent and cost-effective cybersecurity solutions. The primary focus of CDM was to enhance cybersecurity through tools, technology and integration. Asset management, a part of phase one, was important but was not previously a definitive policy requirement.
The shift towards the BOD was prompted by significant cybersecurity events in 2021, demonstrating the critical need for improved asset visibility and vulnerability management.
“We’ve seen agencies making significant progress; those already trending in the right direction based on their CDM deployments have harnessed that capability. We found that over 90% of federal agencies are meeting key thresholds within that directive, which sets us up at CISA to be able to effectively support agencies as they are locating vulnerabilities, especially those known exploited vulnerabilities on their networks in their enterprise, to make sure that we can remediate them quickly before an attacker can exploit those vulnerabilities,” said Duffy.
Sysman highlighted the evolution of asset management and the tools required to address the modern challenges faced by federal agencies. Traditionally, asset management has been approached through three main methods: network-based scanning, agent-based solutions and manual data input into CMDBs. In today’s dynamic environments, these traditional approaches are no longer sufficient.
Sysman drew an analogy to a puzzle, emphasizing that to gain a complete understanding of assets, organizations need to integrate and correlate data from various sources. Each source, whether network controls, agents, identity controls or cloud platforms, provides a piece of the puzzle about an asset.
“It starts with understanding what those assets are, what are the vulnerabilities they have. And even more importantly, the business context of that asset,” said Sysman.
Duffy and Sysman agreed on the critical significance of striving for a 100% asset visibility goal. They stressed how data integration could prove advantageous in multiple cybersecurity areas, extending beyond asset management, including vulnerability management, risk reduction and decision-making. They also emphasized the value of closely monitoring trends and promptly addressing gaps in real time, underscoring its pivotal role in effectively addressing contemporary cybersecurity challenges.
