At the end of 2023, the Office of Management and Budget (OMB) released the FY24 FISMA Guidance (M-24-04) with a broad focus on securing the entire attack surface and specific action items for agencies pertaining to High Value Assets, IoT/OT devices, and internet-connected assets.
In reference to recent supply chain attacks, zero-day exploits, Terrapin attacks, and a host of other risks associated with previously trusted systems, the Administration calls for "modernization of Federal systems in accordance with zero trust principles that acknowledge threats must be countered both inside and outside traditional network boundaries."
The requirements turn a critical eye toward agencies' attack surface management programs, calling for 100% visibility of cyber assets (including IoT/OT and external assets), risk assessment of HVAs (High Value Assets), and a foundation for Zero-Trust Architecture.
Qualys customers are uniquely positioned to comply with the requirements and secure their attack surface using a single platform. This post will address the primary requirements point-by-point.
Let's separate the memo into subject areas pertaining to attack surface management. There are five primary focus areas that we will explore.
M-24-04 builds from M-22-09, requiring agencies to implement benchmarks according to the NIST Cybersecurity Framework (CSF) Zero Trust strategy. More specifically, "The Federal Government no longer considers any federal system to be 'trusted' unless that confidence is justified by clear data; this means internal traffic and data should be considered at risk."
To satisfy that mandate, agencies must have three things that CSAM provides:
The Federal Government describes Zero Trust by saying, "...confidence must be justified by clear data." With CSAM, agencies can provide that justification by answering the following questions for every device:
These are essential questions for your attack surface management program and set the foundation for agencies to implement federally required Zero-Trust policies.
Section 2 of the memo directs agencies to demonstrate a "clear understanding of devices connected within their information systems to gauge cybersecurity risk." OMB spells out, in no uncertain terms, that by the end of 2024, agencies must maintain a real-time inventory of IoT and OT devices along with these specific attributes:
Many organizations struggle with visibility into IoT and OT devices. CSAM has recently bolstered coverage for these devices with Cloud Agent Passive Sensing, discovering IoT and rogue devices connecting to the network in real time. Qualys customers can also leverage OT passive sensors to cover all attributes above for OT devices.
The key to maintaining a real-time inventory is to combine coverage from numerous discovery methods. Scanning, on its own, won't satisfy the IoT/OT requirements. The same goes for third-party integrations. Combining these methods with passive sensing will identify all of these devices in the environment along with cyber risk assessment, with data in a machine-readable format for reporting to the federal government.
In alignment with BOD 19-02, agencies must provide CISA "a complete list of internet-accessible Federal information systems, including static IP addresses for external websites, servers, and other access points, and DNS names for dynamically provisioned systems within 5 business days of any changes." This translates to real-time visibility of external assets along with machine-readable reporting to CISA.
Just as there are data collection and reporting requirements for IoT/OT devices, there are similar guidelines for internet-facing assets. In addition to a complete inventory, agencies must provide:
That requires agencies to maintain (close to) real-time inventory of external assets from subsidiaries, hybrid work, BYOD, and all other sources of potentially unknown assets.
External Attack Surface Management (EASM) is built natively into CSAM and has already discovered over 100,000 domains and nearly 3 million subdomains for thousands of Qualys customers. That means agencies can continuously identify previously unknown systems, including DNS and WHOIS records, to meet CISA reporting requirements for "internet-accessible Federal systems."
OMB and CISA are "using CIO metrics reporting to track implementation of NIST standards," requiring agencies to update metrics outlined in previous OMB memos and Executive Orders. M-24-04 specifically references OMB Memo M-19-03 and BOD 18-02 as they pertain to reporting on High Value Assets (HVAs). Here are the areas that agencies need to quantify for CISA:
OMB specifically cites "the Administration's shift in focus from compliance to risk management."
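The two requirements above (a real-time inventory built from several discovery methods, and a machine-readable list of internet-accessible systems with IP and DNS changes reported within 5 business days) come down to a reconciliation job: merge records from scanning, passive sensing and third-party sources into one asset identity, flag rows that no sensor has actually confirmed recently, and diff the internet-facing subset against the last report. The following Python is an added example written for this post, not Qualys code and not an OMB or CISA schema; the source names, field names, sample records and helper functions are all assumptions constructed for illustration.

```python
"""Added example: reconcile asset records from several discovery sources into
one inventory, flag rows no sensor has confirmed recently, and build a
machine-readable change list for internet-accessible assets.  Field names,
sample values and helper names are assumptions made for this example, not a
Qualys, OMB or CISA schema."""
from datetime import datetime, timedelta, timezone
import json

# Constructed sample records from three hypothetical discovery sources.
SCAN_RECORDS = [
    {"ip": "203.0.113.10", "hostname": "www.agency.example", "mac": None,
     "type": "server", "internet_facing": True, "last_seen": "2024-03-04T09:00:00Z"},
    {"ip": "10.1.4.20", "hostname": "hvac-ctl-01", "mac": "00:11:22:33:44:55",
     "type": "ot", "internet_facing": False, "last_seen": "2024-02-20T12:00:00Z"},
]
PASSIVE_RECORDS = [  # seen on the wire; the camera never answered a scan
    {"ip": "10.1.4.20", "hostname": None, "mac": "00:11:22:33:44:55",
     "type": "ot", "internet_facing": False, "last_seen": "2024-03-05T08:30:00Z"},
    {"ip": "10.1.7.33", "hostname": None, "mac": "AA:BB:CC:DD:EE:01",
     "type": "iot", "internet_facing": False, "last_seen": "2024-03-05T08:31:00Z"},
]
CMDB_RECORDS = [  # third-party integration: authoritative for ownership, not for liveness
    {"ip": "203.0.113.10", "hostname": "www.agency.example", "mac": None,
     "type": "server", "internet_facing": True, "last_seen": "2024-01-15T00:00:00Z",
     "owner": "web-team"},
    {"ip": "198.51.100.7", "hostname": "vpn-old.agency.example", "mac": None,
     "type": "server", "internet_facing": True, "last_seen": "2024-01-15T00:00:00Z",
     "owner": "network-team"},
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def merge_inventory(sources):
    """sources: {source_name: [record, ...]} -> {identity_key: merged_asset}.

    Identity is the MAC address when any source reported one for the IP
    (passive sensing usually does), otherwise the IP itself, so an IP-only
    scan row and a MAC-bearing passive row for the same device collapse together.
    """
    ip_to_mac = {r["ip"]: r["mac"].lower()
                 for records in sources.values() for r in records if r.get("mac")}
    inventory = {}
    for name, records in sources.items():
        for rec in records:
            mac = rec["mac"].lower() if rec.get("mac") else ip_to_mac.get(rec["ip"])
            key = ("mac", mac) if mac else ("ip", rec["ip"])
            asset = inventory.setdefault(key, {"sources": set(), "last_seen": None})
            for field, value in rec.items():
                if field != "last_seen" and value is not None:
                    asset.setdefault(field, value)  # first non-null value wins
            asset["sources"].add(name)
            seen = parse_ts(rec["last_seen"])
            if asset["last_seen"] is None or seen > asset["last_seen"]:
                asset["last_seen"] = seen
    return inventory


def stale_assets(inventory, now, max_age=timedelta(days=7)):
    """Identity keys no source has confirmed within max_age.  A CMDB row alone
    does not make an inventory real-time; these need re-discovery or removal."""
    return sorted(k for k, a in inventory.items() if now - a["last_seen"] > max_age)


def add_business_days(start, n):
    day = start
    while n > 0:
        day += timedelta(days=1)
        if day.weekday() < 5:  # Monday..Friday
            n -= 1
    return day


def external_change_report(inventory, previous, now):
    """Internet-accessible assets that are new or whose IP/DNS name changed
    since `previous` ({asset_id: {"ip", "hostname"}} from the last report),
    plus the date by which the update is due under the five-business-day rule."""
    changes = []
    for key, asset in inventory.items():
        if not asset.get("internet_facing"):
            continue
        asset_id = f"{key[0]}:{key[1]}"
        current = {"ip": asset.get("ip"), "hostname": asset.get("hostname")}
        if previous.get(asset_id) != current:
            changes.append({"asset_id": asset_id, **current,
                            "sources": sorted(asset["sources"]),
                            "last_seen": asset["last_seen"].strftime("%Y-%m-%dT%H:%M:%SZ")})
    return {"generated": now.strftime("%Y-%m-%d"),
            "report_due_by": add_business_days(now, 5).strftime("%Y-%m-%d"),
            "changes": changes}


if __name__ == "__main__":
    now = parse_ts("2024-03-05T12:00:00Z")
    inv = merge_inventory({"scan": SCAN_RECORDS, "passive": PASSIVE_RECORDS, "cmdb": CMDB_RECORDS})
    print("stale:", stale_assets(inv, now))
    previous = {"ip:203.0.113.10": {"ip": "203.0.113.10", "hostname": "www.agency.example"}}
    print(json.dumps(external_change_report(inv, previous, now), indent=2))
```

Running it shows the two failure modes the text warns about: the OT controller is only current because the passive sensor saw it after the last scan, the IoT camera appears only from passive sensing, and the CMDB-only VPN host is flagged stale because no sensor has confirmed it in weeks. The change report carries only the internet-facing assets that differ from the previous submission, with the due date computed by skipping weekends.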
That means agencies need a risk-based approach to attack surface management, vulnerability management, and remediation.
"Risk-based Vulnerability Management" is a major emphasis for Qualys and the Enterprise TruRisk Platform, with a focus on measuring, communicating, and eliminating risk across the organization.
CSAM provides a complete asset inventory along with risk assessment; this is the measure component of Risk-based Vulnerability Management. For government agencies, this means monitoring and measuring risk to HVAs, including vulnerabilities, misconfigurations, and other risk factors covered earlier in this post.
TruRisk across the organization, along with a focus on critical assets.
Communicating that risk to internal stakeholders, compliance auditors, and Homeland Security is another key element for agencies. CSAM provides out-of-the-box CISO dashboards, compliance reports, EASM reports, and risk reduction reports, along with data mapping to CMDB tools. All reports can be scheduled and shared in machine-readable format to meet OMB and NIST requirements.
Of course, eliminating cyber risk is the ultimate goal of federal mandates, which is why Qualys provides one-click workflow to VMDR, Patch Management, and CMDB tools to streamline and report on the remediation of business-critical risks. Government agencies can easily track and document risk reduction to HVAs with Qualys.
OMB emphasizes risk profiling and reduction of the complete attack surface, with a specific focus on IoT/OT and external assets. In order to meet federal mandates, agencies need a consolidated approach that includes external discovery scanning, passive sensing for network metadata, and detailed risk profiles of all cyber assets, especially critical or High Value Assets. Rather than piecing together point solutions and mismatched data for different asset types, government agencies should consider the strongest consolidated solution to build a complete asset inventory.
In addition to all these versatile discovery methods, CSAM collects business data required to build a foundation for Zero Trust Architecture, another key government requirement in 2024.
In 2024, agencies must prioritize an attack surface management strategy that fulfills these requirements.