CISA Overhauls Cyber Vulnerability Assessment

June 9, 2026 20:05 · 12 min read

CISA to Transform Cyber Vulnerability Assessment

The Cybersecurity and Infrastructure Security Agency (CISA) plans to overhaul how it assesses cyber vulnerabilities and threats, prioritizing some over others in order to be more effective in an environment where risks are spiking, according to Acting Director Nick Andersen.

A binding operational directive being released will integrate this new thinking, directing federal agencies to change the way they address vulnerabilities by elevating some while putting others to the side. CISA also plans to drill down with critical infrastructure entities on how they are prioritizing their responses to cyber threats.

New Approach to Vulnerability Management

Andersen stated that CISA needs to be okay with saying that some systems are less important than others, and that some elements of critical infrastructure are less important than others. If such calculations are not made, an overstretched CISA will end up having to explain to the public why it has been without telecommunications infrastructure for a significant amount of time, or why it does not have access to clean drinking water.

The binding operational directive will address whether patching windows need to be shortened, and if so by how much. It will also direct federal agencies to change their vulnerability management protocols overall, according to Andersen. The biggest takeaway from the directive is that CISA is moving away from an outmoded historical approach of “the patch is released, apply this patch as quickly as you can”.

Focus on Risk Associated with Each Vulnerability

Andersen emphasized that CISA is asking people to take more of a focus on risk associated with each vulnerability. This includes considering whether the vulnerability is with an asset that is internet exposed, whether it aligns to a known exploited vulnerability, and whether it is automatable in its exploitation.

CISA already has several functions in place to determine how vulnerabilities are prioritized, but Andersen suggested they are not as successful as they need to be. He cited the agency's existing Section 9 protocol as one measure that has not been effective enough.

A Fine Grade Approach

Andersen stated that what have historically been “broad intelligence conversations” need to “get down to a fine grade”. This means prioritizing specific functions and assets that support those functions, and having detailed conversations about how to achieve a measurable level of resilience for those assets.

For example, CISA needs to prioritize making sure that a given bank’s bulk payment system is solid, rather than worrying about whether a single branch can operate after a cyberattack. This approach is intended to make CISA more effective in its vulnerability management and risk assessment.
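The two prioritization ideas in the article, the per-vulnerability risk factors (internet exposure, presence on a known-exploited list, automatable exploitation) and the "fine grade" ranking of assets by the function they support, can be expressed as a small triage routine. The block below is an added illustration, not CISA's scoring or any text from the directive: the weights, tier names, asset names and CVE identifiers are all constructed placeholders, and the constructed known-exploited set stands in for a real KEV feed.

```python
"""Hypothetical risk-based vulnerability triage.

Illustrates the criteria described in the article: is the affected asset
internet exposed, is the CVE on a known-exploited list, is exploitation
automatable, and does the asset support a critical function. Weights,
tiers and all sample data are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    internet_exposed: bool            # reachable from the internet
    automatable: bool                 # exploitation needs no human interaction or bespoke tooling
    supports_critical_function: bool  # e.g. a bank's bulk payment system, not a single branch


# Constructed stand-in for a known-exploited-vulnerabilities feed; the CVE ids are placeholders.
KNOWN_EXPLOITED = frozenset({"CVE-0000-0001", "CVE-0000-0003"})

# Hypothetical weights: exposure dominates, confirmed exploitation next, automatability last.
WEIGHTS = {"internet_exposed": 4, "known_exploited": 3, "automatable": 2}


def risk_score(f: Finding, kev: frozenset = KNOWN_EXPLOITED) -> int:
    """Additive score from the three exploitation-related criteria (0..9)."""
    score = 0
    if f.internet_exposed:
        score += WEIGHTS["internet_exposed"]
    if f.cve in kev:
        score += WEIGHTS["known_exploited"]
    if f.automatable:
        score += WEIGHTS["automatable"]
    return score


def tier(score: int) -> str:
    """Map a score to a hypothetical remediation tier."""
    if score >= 7:
        return "immediate"   # internet exposed and on the known-exploited list
    if score >= 4:
        return "high"        # exposed, or exploited and automatable
    if score > 0:
        return "standard"
    return "backlog"         # nothing elevates it above routine patching


def triage(findings, kev: frozenset = KNOWN_EXPLOITED):
    """Order findings for remediation.

    Assets that support a critical function come first (the "fine grade" view),
    then higher risk scores, then asset name for a stable order.
    Returns (asset, cve, score, tier) tuples.
    """
    scored = [(f, risk_score(f, kev)) for f in findings]
    scored.sort(key=lambda fs: (not fs[0].supports_critical_function, -fs[1], fs[0].asset))
    return [(f.asset, f.cve, s, tier(s)) for f, s in scored]


# Constructed inventory; asset names and CVE ids are placeholders.
SAMPLE_FINDINGS = [
    Finding("bulk-payment-gateway", "CVE-0000-0001", True, True, True),
    Finding("branch-kiosk", "CVE-0000-0001", True, True, False),
    Finding("hr-portal", "CVE-0000-0002", True, False, False),
    Finding("settlement-db", "CVE-0000-0003", False, False, True),
    Finding("dev-jenkins", "CVE-0000-0004", False, False, False),
]

if __name__ == "__main__":
    for asset, cve, score, level in triage(SAMPLE_FINDINGS):
        print(f"{level:<10} score={score} {asset:<22} {cve}")
```

The ordering makes the trade-off visible: the same CVE on the bulk payment gateway and on a branch kiosk scores identically, but the gateway is remediated first, and the internal settlement database (score 3) is ranked above the kiosk (score 9) purely because of the function it supports. Whether function should outrank exposure that strongly is exactly the kind of decision the article says has to be made explicitly rather than defaulting to "patch everything as fast as you can".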

Addressing Staffing Shortages

CISA has been constrained recently by a government shutdown and mass layoffs, but Andersen said the agency is addressing staffing shortages. The agency plans to bring on over 300 new people, with 180 of them being hired by the end of this month.

The initial wave of hiring will focus on replenishing CISA’s pool of employees working on infrastructure security, emergency communications and in local regions as state cybersecurity coordinators. Some of the new employees have already begun working, according to Andersen.

CISA's new approach to vulnerability assessment and management is a significant shift in how the agency prioritizes and addresses cyber threats. By focusing on risk and taking a fine grade approach, CISA aims to be more effective in protecting critical infrastructure and preventing cyber attacks.


Source: The Record
