CISA Orders Federal Agencies to Regularly Track Network Assets and Vulnerabilities

To that end, Federal Civilian Executive Branch (FCEB) enterprises have been tasked with two sets of activities: Asset discovery and vulnerability enumeration, which are seen as essential steps to gain "greater visibility into risks facing federal civilian networks."

This involves carrying out automated asset discovery every seven days and initiating vulnerability enumeration across those discovered assets every 14 days by April 3, 2023, in addition to having the capabilities to do so on an on-demand basis within 72 hours of receiving a request from CISA.

Similar baseline vulnerability enumeration obligations have also been put in place for Android and iOS devices as well as other devices that reside outside of agency on-premises networks.

"Doing so will ensure asset management and vulnerability detection practices that will strengthen their organization's cyber resilience," CISA said, adding it will help close gaps in the attack surface.

The goal of BOD 23-01, it said, is to maintain an up-to-date inventory of networked assets, identify software vulnerabilities, track an agency's asset coverage and vulnerability signatures, and share that information to CISA on defined intervals.

"Threat actors continue to target our nation's critical infrastructure and government networks to exploit weaknesses within unknown, unprotected, or under-protected assets," CISA Director Jen Easterly said in a statement. "Knowing what's on your network is the first step for any organization to reduce risk."

While the directive is a mandate for federal civilian agencies, CISA is also urging all businesses, including private entities and state governments, to review and implement rigorous asset and vulnerability management programs.