The Office of Management and Budget’s (OMB) cybersecurity memorandum M-24-04 provides federal agencies with Fiscal Year (FY) 2024 reporting guidelines and deadlines for compliance with the Federal Information Security Modernization Act (FISMA). It emphasizes the need for a clear understanding of all the devices connected to an agency’s network, as well as timely, consistent, and accurate reporting.
Let’s look at two key elements of M-24-04 and how they will impact federal agencies’ zero trust efforts.
Complete visibility into all connected devices
M-24-04 states that “agencies must have a clear understanding of the devices connected within their information systems to gauge cybersecurity risk to their missions and operations.” This includes devices that interact with the physical world, such as environmental sensors, building maintenance systems, and so forth. By default, the applications that power these devices must also be considered.
Further, the memorandum lays out a timeline to deliver inventories of agency IoT devices by the end of FY 2024. The inventory must be enterprise-wide and include asset identification, description, and categorization, among other things.
To meet these requirements, agencies must have complete visibility into their entire asset ecosystem. This becomes harder as ecosystems grow more complex and unsanctioned tools (shadow SaaS) proliferate outside the view of IT. But visibility, the ability to see everything on the network wherever it exists, is critical for maintaining a sound security posture and for building an accurate, complete inventory of assets. Indeed, visibility is a recurring theme throughout M-24-04, just as it is in BOD 23-01 and other directives.
Automated, consistent, and timely reporting
M-24-04 also directly calls out the need for automated, consistent, and timely reporting of equipment, information security and privacy performance and programs, implementation of National Institute of Standards and Technology (NIST) standards, and assets.
In particular, the memorandum sets expectations around automated reporting for the Cybersecurity and Infrastructure Security Agency’s (CISA) Continuous Diagnostics and Mitigation (CDM) Program. Per the OMB, “agencies must continue to provide data on assets in an automated manner to the maximum extent possible. Such automated reporting is supported by the adoption throughout each agency of CDM and other technical solutions that provide visibility and automated reporting directly to CISA.”
CISA calls for a very high level of agility when it comes to reporting vulnerabilities: organizations must be prepared to provide a report within 72 hours of a CISA request. The only way to do this consistently and effectively is through automated or on-demand queries. Both are good for reporting; they are even better for proactively discovering issues before they become serious security concerns.
How Axonius helps agencies comply with M-24-04
M-24-04 uniquely addresses two of the biggest challenges government agencies face when it comes to effectively securing their networks. The first is being able to discover all the assets they have since it’s impossible to secure what cannot be seen. The second is to respond to vulnerabilities quickly and report asset discovery to oversight agencies promptly, thereby keeping organizations in compliance with federal mandates and the White House’s National Cybersecurity Strategy.
Axonius provides agencies with the ability to compile a comprehensive inventory of every asset within their ecosystems. We do this by developing and maintaining integrations into all of the cybersecurity source tools and then correlating those multiple data sources into a single source of truth….
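The correlation step described above is easy to state and fiddly to get right: the same device shows up under a short hostname in one tool, an FQDN in another, and only an IP in a third. The script below is an added example, not Axonius code, that correlates constructed exports from three hypothetical sources (an EDR console, a vulnerability scanner, a cloud inventory) into one inventory using union-find over normalized hostname, MAC and IP identifiers, then derives the two things an M-24-04 inventory and a CDM-style report need: an identification/description/categorization record per asset, and coverage gaps (assets that a scanner or cloud account sees but the EDR agent does not). All tool names, field names and sample records are constructed for illustration.

```python
"""Correlate asset records from several source tools into one inventory.

Added example with constructed data and hypothetical source tools; it is not
the Axonius platform's code and makes no claim about how that product works.
"""
from collections import defaultdict
import json

# Constructed sample exports from three hypothetical sources (not real hosts).
SOURCES = {
    "edr": [
        {"hostname": "WS-0147.corp.example", "mac": "00:1A:2B:3C:4D:01", "ip": "10.1.4.17", "os": "Windows 11"},
        {"hostname": "srv-db-02", "mac": "00:1a:2b:3c:4d:02", "ip": "10.1.8.2", "os": "RHEL 9"},
    ],
    "vuln_scanner": [
        {"host": "ws-0147", "ip": "10.1.4.17", "critical_findings": 2},
        {"host": "srv-db-02.corp.example", "ip": "10.1.8.2", "critical_findings": 0},
        {"host": "hvac-ctrl-01", "ip": "10.1.20.5", "critical_findings": 1},  # OT device, no agent
    ],
    "cloud": [
        {"name": "srv-db-02", "private_ip": "10.1.8.2", "category": "database"},
        {"name": "bms-sensor-07", "private_ip": "10.1.20.9", "category": "building-management"},
    ],
}

# Each source names the same identifiers differently; map them onto host/mac/ip.
FIELD_MAP = {
    "edr": {"host": "hostname", "mac": "mac", "ip": "ip"},
    "vuln_scanner": {"host": "host", "ip": "ip"},
    "cloud": {"host": "name", "ip": "private_ip"},
}


def normalize(kind, value):
    """Lower-case every identifier; strip the domain suffix from hostnames so
    'WS-0147.corp.example' and 'ws-0147' collapse to the same key."""
    value = value.strip().lower()
    if kind == "host":
        value = value.split(".")[0]
    return (kind, value)


def identifiers(source, rec):
    return {normalize(k, rec[f]) for k, f in FIELD_MAP[source].items() if rec.get(f)}


class UnionFind:
    """Minimal disjoint-set: two identifiers seen on one record belong to one asset."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def correlate(sources=SOURCES):
    """Merge records from all sources into unified asset records."""
    uf = UnionFind()
    records = []
    for source, recs in sources.items():
        for rec in recs:
            ids = identifiers(source, rec)
            if not ids:
                continue  # a record with no usable identifier cannot be correlated
            records.append((source, rec, ids))
            first = next(iter(ids))
            for other in ids:
                uf.union(first, other)

    groups = defaultdict(list)
    for source, rec, ids in records:
        groups[uf.find(next(iter(ids)))].append((source, rec, ids))

    assets = []
    for members in groups.values():
        all_ids = set().union(*(ids for _, _, ids in members))
        hostnames = sorted(v for k, v in all_ids if k == "host")
        sources_seen = sorted({s for s, _, _ in members})
        assets.append({
            "asset_id": hostnames[0],                      # identification
            "hostnames": hostnames,
            "ips": sorted(v for k, v in all_ids if k == "ip"),
            "macs": sorted(v for k, v in all_ids if k == "mac"),
            "sources": sources_seen,                       # description: who sees it
            "category": next((r["category"] for s, r, _ in members if s == "cloud"),
                             "uncategorized"),             # categorization
            "critical_findings": sum(r.get("critical_findings", 0)
                                     for s, r, _ in members if s == "vuln_scanner"),
            "edr_covered": "edr" in sources_seen,
        })
    return sorted(assets, key=lambda a: a["asset_id"])


def build_report(assets):
    """Summary in the shape an on-demand inventory/coverage report would carry."""
    return {
        "total_assets": len(assets),
        "edr_coverage_gaps": [a["asset_id"] for a in assets if not a["edr_covered"]],
        "assets_with_critical_findings": [a["asset_id"] for a in assets if a["critical_findings"] > 0],
        "assets": assets,
    }


if __name__ == "__main__":
    print(json.dumps(build_report(correlate()), indent=2))
```

On the constructed data the four unified assets include two coverage gaps (the HVAC controller and the building sensor, which no EDR agent reports), which is exactly the class of device M-24-04 asks agencies to bring into the inventory. One caveat for real deployments: correlating on IP alone will merge distinct devices that share a DHCP address over time, so production correlation logic should weight stable identifiers (MAC, serial, agent ID) above IP and keep an observation timestamp per identifier.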
In addition, the Axonius Platform gives agencies an understanding of the interdependencies and relationships between assets, so if a vulnerability affects one tool, they can see how it will affect other assets and their network as a whole. In that way, the solution doesn’t just provide asset visibility, it provides valuable context to defend and protect the entire environment.
Axonius takes things a step further by allowing agencies to generate detailed reports, both automatically and on-demand. An inquiry from CISA need not result in a scramble to compile information. Existing reports can be exported to the CDM Dashboard or created as needed, allowing agencies to quickly and routinely report their inventories and possible vulnerabilities.
Prioritizing visibility will be the best defense in 2024
M-24-04 shows that the best possible defense against potential cyberattacks will continue to be complete visibility of all assets, tools, and services, no matter where they are located or how complex the network is. Visibility equals knowledge, knowledge equals protection, and protection results in being able to successfully build what the OMB calls “a collective defense.”