We always want to know what is connected to the network, and whether it is vulnerable.

It is normal for any organization to constantly add or remove various devices, on-premises or off-premises, wired or wireless. This can give malicious hackers an opportunity to take advantage of an improperly secured system.

Organizations often don’t know where their assets are, let alone how many they have.

The answer is to run regular automated scans to discover assets connected to your infrastructure and enumerate any vulnerabilities that may exist.

The US Cybersecurity and Infrastructure Security Agency (CISA) said on Monday that federal agencies will soon be required to track assets and vulnerabilities on their networks.

By April 3, 2023, all federal civilian agencies must ensure that they:

  • Run automatic asset discovery every 7 days. This should at least cover the entire IPv4 space used by the agency.
  • Initiate vulnerability enumeration every 14 days across all discovered assets, including all discovered nomadic/roaming devices (e.g. laptops).
  • Automatically feed details of detected vulnerabilities to CISA’s Continuous Diagnostics and Mitigation (CDM) dashboard within 72 hours.
  • Develop and maintain the ability to initiate on-demand asset discovery and vulnerability enumeration to identify specific assets or vulnerabilities within 72 hours of receiving a request from CISA, and return results to CISA within 7 days of the request.
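
The following is an added example, not code from CISA or from this article: a small audit that checks an inventory against the 7-day, 14-day and 72-hour windows listed above. The record layout, field names and sample data are assumptions made for the example, and it treats the 72-hour reporting window as starting when a vulnerability is detected.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import collapse_addresses, ip_network

# Time windows taken from the requirements listed above.
DISCOVERY_MAX_AGE = timedelta(days=7)
VULN_ENUM_MAX_AGE = timedelta(days=14)
REPORT_MAX_DELAY = timedelta(hours=72)

def audit(now, ipv4_space, discovery_runs, assets):
    """Return findings; empty means every window is met. Field names are assumed."""
    findings = []
    # 1. Every in-scope CIDR must be fully covered by discovery runs that
    #    finished within the last 7 days. Collapsing merges adjacent scans,
    #    so two fresh /25 runs count as covering their /24.
    fresh = list(collapse_addresses(
        ip_network(cidr) for cidr, done in discovery_runs
        if now - done <= DISCOVERY_MAX_AGE))
    for cidr in ipv4_space:
        if not any(ip_network(cidr).subnet_of(f) for f in fresh):
            findings.append(f"discovery overdue: {cidr}")
    for a in assets:
        # 2. Vulnerability enumeration at most 14 days old, roaming included.
        last = a["last_vuln_enum"]
        if last is None or now - last > VULN_ENUM_MAX_AGE:
            kind = "roaming" if a["roaming"] else "fixed"
            findings.append(f"vuln enumeration overdue: {a['name']} ({kind})")
        # 3. Each detection must reach the dashboard within 72 hours.
        for detected, reported in a["detections"]:
            if (reported or now) - detected > REPORT_MAX_DELAY:
                findings.append(f"reporting late: {a['name']}")
    return findings

# Constructed sample data (not a real inventory).
NOW = datetime(2023, 4, 10, 12, 0, tzinfo=timezone.utc)

def ago(**kw):
    return NOW - timedelta(**kw)

SPACE = ["10.0.0.0/24", "10.0.1.0/24", "192.0.2.0/24"]
RUNS = [("10.0.0.0/25", ago(days=1)), ("10.0.0.128/25", ago(days=2)),
        ("10.0.1.0/24", ago(days=9)), ("192.0.2.0/24", ago(days=6))]
ASSETS = [
    {"name": "srv-01", "roaming": False, "last_vuln_enum": ago(days=3),
     "detections": [(ago(days=3), ago(days=2))]},
    {"name": "laptop-07", "roaming": True, "last_vuln_enum": ago(days=20),
     "detections": []},
    {"name": "srv-02", "roaming": False, "last_vuln_enum": ago(days=5),
     "detections": [(ago(days=5), None)]},
]
```

Calling `audit(NOW, SPACE, RUNS, ASSETS)` on the sample data flags the subnet whose last scan is nine days old, the roaming laptop that has not been enumerated for twenty days, and the server with a detection that is still unreported after five days.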

CISA Director Jen Easterly highlighted the SolarWinds attack when announcing the new directive to the media. In that attack, a sophisticated hacking group used malicious updates to network management software to compromise networks within government departments, critical infrastructure, and the private sector over a period of months.

“If you’ve heard us talk about this, we are consistently saying that we are on an urgent path to gain visibility into the risks facing federal private networks. This was clearly a gap revealed by SolarWinds.”

A key factor for organizations trying to protect themselves from attacks like SolarWinds is the ability to quickly identify the presence of compromised software on their networks.

Within six months, CISA said it will publish a common vulnerability reporting data format that agencies can use to enter information into their CDM dashboards.


Editor’s note: The opinions expressed in this guest author article are those of the contributor only and do not necessarily reflect those of Tripwire, Inc.
