Get Compliant with CISA Directive 23-01 Before April 3 Deadline

CISA Directive 23-01 was issued in October 2022 by the Cybersecurity and Infrastructure Security Agency (CISA). The directive is aimed at ensuring the security of federal systems and networks by requiring continuous and comprehensive asset visibility and vulnerability tracking. Qualifying and complying measures that satisfy the directive requirements must be implemented by April 3, 2023. This directive is limited to federal agencies only; yet, CISA has urged private sector organisations and state governments to review and implement similar measures.

In summary, the directive requires federal agencies to:  

• Maintain an up-to-date inventory of networked assets as defined in the scope of this directive;
• Identify software vulnerabilities, using privileged or client-based means where technically feasible;
• Track how often the agency enumerates its assets, what coverage of its assets it achieves, and how current its vulnerability signatures are; and
• Provide asset and vulnerability information to CISA’s CDM Federal Dashboard.

(the above bullets are direct quotes from the official CISA website)

To satisfy these requirements, federal agencies may need to implement a variety of tools and processes depending on their current environment. Some examples of tools used are: Systems Center Configuration Manager (SCCM), Qualys, Rapid7, Tenable, Intune, SolarWinds, AWS Security Center, and other infrastructure and cloud monitoring tools.

One of the key challenges that agencies will face in complying with the directive is the manual effort involved in tracking data and then aggregating that data across these tools. The data is often not centralised, requiring manual exports and data manipulation to get a full inventory and listing of vulnerabilities and assets. The part of the directive that magnifies the importance of compliance is that agencies are required to supply this information to CISA within 72 hours of a request. This makes having data quickly accessible in a central location critical for not only compliance purposes but also for improving security posture.

Fortunately, ServiceNow is a uniquely positioned solution that can centralise all the data and tools required for this directive. Using the ITOM and Vulnerability Response applications, agencies can seamlessly aggregate data from their asset tracking and vulnerability tools into ServiceNow to make reporting easier and vulnerability remediation more efficient.

Value Beyond Compliance

With thousands of ServiceNow implementations completed with adherence to best practices, Thirdera has successfully helped a multitude of public and private sector customers leverage ServiceNow to manage regulations and security operations. Thirdera customers that have implemented Vulnerability Response typically see a reduction of 40+ hours/week of aggregating and assigning vulnerabilities. By leveraging ITOM Discovery, Service Mapping, and the CMDB, agencies can further improve visibility into their environment and prioritise asset tracking and vulnerability remediation automatically. In addition to the improvements to vulnerability resolution, Thirdera customers that maintain a healthy and service-aware CMDB typically see 82% fewer failed changes and 38% faster incident resolution. As you can see, Thirdera can help you turn a single objective of compliance into a bounty of tangible outcomes.

If you’re a federal agency, CISA Directive 23-01 is not something that can be circumvented. Thirdera can guide you on leveraging the ServiceNow platform to not only comply but improve the efficiency of your cyber security program. If you have any questions about the directive requirements or concerns about the potential impact, we are here to help!