CISA Developed Cross-Sector Recommendations to Help Organizations Prioritize Cybersecurity Investments

The Department of Homeland Security released the Cybersecurity Performance Goals (CPGs), voluntary practices that outline the highest-priority baseline measures businesses and critical infrastructure owners of all sizes can take to protect themselves against cyber threats. The CPGs were developed by DHS, through the Cybersecurity and Infrastructure Security Agency (CISA), at the direction of the White House. Over the past year, CISA worked with hundreds of public and private sector partners and analyzed years of data to identify the key challenges that leave our nation at unacceptable risk. By clearly outlining measurable goals based on easily understandable criteria such as cost, complexity, and impact, the CPGs were designed to be applicable to organizations of all sizes. This effort is part of the Biden-Harris Administration’s ongoing work to ensure the security of the critical infrastructure and reduce our escalating national cyber risk.

“Organizations across the country increasingly understand that cybersecurity risk is not only a fundamental business challenge but also presents a threat to our national security and economic prosperity,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The new Cybersecurity Performance Goals will help organizations decide how to leverage their cybersecurity investments with confidence that the measures they take will make a material impact on protecting their business and safeguarding our country.”

CISA developed the CPGs in close partnership with the National Institute of Standards and Technology (NIST). The resulting CPGs are intended to be implemented in concert with the NIST Cybersecurity Framework. Every organization should use the NIST Cybersecurity Framework to develop a rigorous, comprehensive cybersecurity program. The CPGs prescribe an abridged subset of actions – a kind of “QuickStart guide” – for the NIST CSF to help organizations prioritize their security investments.

“To reduce risk to the infrastructure and supply chains that Americans rely on every day, we must have a set of baseline cybersecurity goals that are consistent across all critical infrastructure sectors,” said CISA Director Jen Easterly. “CISA has created such a set of cybersecurity performance goals to address medium-to-high impact cybersecurity risks to our critical infrastructure. For months, we’ve been gathering input from our partners across the public and private sectors to put together a set of concrete actions that critical infrastructure owners can take to drive down risk to their systems, networks and data. We look forward to seeing these goals implemented over the coming years and to receiving additional feedback on how we can improve future versions to most effectively reduce cybersecurity risk to our country.”

“The Biden-Harris Administration has relentlessly focused on securing our Nation’s critical infrastructure since day one,” said Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger. “CISA has demonstrated tremendous leadership in strengthening our critical infrastructure’s cyber resilience over the last year. The Cyber Performance Goals build on these efforts, by setting a higher cybersecurity standard for sectors to meet.”

“Given the myriad serious cybersecurity risks our nation faces, NIST looks forward to continuing to work with industry and government organizations to help them achieve these performance goals,” said Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio. “Our priority remains bringing together the right stakeholders to further develop standards, guidelines and practices to help manage and reduce cybersecurity risk.”

In the months ahead, CISA will actively seek feedback on the CPGs from partners across the critical infrastructure community and has established a Discussions webpage to receive this input. CISA will also begin working directly with individual critical infrastructure sectors as it builds out sector-specific CPGs in the coming months.

To access these new CPGs visit CISA.gov/cpgs.

Designing a flood early warning system (FEWS) for West Africa

The great West African drought that started in the 1970s was undoubtedly a turning point in the region’s environmental discourse. It is well recognised as one of the most significant climate-driven disasters in recent history. The event was the onset of an era of rainfall uncertainty and variability, driving recurring floods and droughts across the region.

West Africa, an agglomeration of 16 countries, spans from the dense humid forests of the south to northern Saharan desertscapes (Figure 1). The region’s rainfall cycle is controlled by the Intertropical Convergence Zone. Changes in rainfall patterns have been attributed to climate change as well as land-use changes. ‘The Sahelian paradox’ is the increase in river flows despite reducing rainfall seen in many river basins. The complexity of hydrological and regional wind systems makes it difficult to accurately predict long-term rainfall trends and their consequences.

The Economic Community of West African States (ECOWAS) has invested significantly in drought management in the past. However, these nations have been unprepared for the sudden rise in floods over the last decade. In 2020, a year of particular flood severity, 198,000 homes were destroyed or damaged, 96,000 people were displaced and 2.2 million people were affected across West and Central Africa. If no action is taken, an estimated 32 million people will be forced to migrate internally by 2050.

In response to increasingly frequent disasters, many early warning systems for floods have been launched in West Africa. Flood early warning systems are typically designed around four broad considerations: knowledge of risks, monitoring and warning, response capacity and communication. These systems monitor real-time atmospheric conditions to predict weather conditions, and warn people and governments on how and when to act to minimise disaster impacts. Such tools are especially effective when emergency action plans are laid out and agreed upon by different stakeholders.

Existing flood early warning systems (FEWS) have not been able to meet stakeholders’ needs regarding timeliness of information, geographical coverage, uninterrupted communication, accuracy and open ownership. To increase the adoption, effectiveness and usefulness of warning systems, stakeholder engagement in the design phase is crucial. Generally, empirical evidence on the effectiveness of participatory processes in sustainability science and disaster planning has been weak.

The EU Horizon 2020 FANFAR (Reinforced cooperation to provide operational flood forecasting and alerts in West Africa) project aimed to change this. Within FANFAR’s broader aim of developing a FEWS, our research focused on designing such a system in collaboration with 50-60 stakeholders from 17 countries. Stakeholders included emergency managers, representatives from regional and national hydrological services and river basin institutions. Two key participating organisations were the West African consortium members AGRHYMET Regional Center and the Nigeria Hydrological Services Agency.

We used a research approach called Multi-Criteria Decision Analysis (MCDA). MCDA helps find possible solutions in situations where multiple, often conflicting, criteria need to be considered when assessing options. The first research question investigated what a good FEWS looks like in the West African context.

The second and broader objective explored the relevance of using MCDA as a participatory and transdisciplinary approach for a large project potentially benefiting millions of people across several countries. The participatory process was designed around three key project phases and implemented through a series of stakeholder workshops (Figure 2).

During the first phase of co-designing, stakeholders developed a joint understanding of the problems of existing flood warning systems. They came to a consensus on objectives that were needed to prioritise functions in the warning system. The second phase focused on knowledge co-production, where scientific and societal perspectives and practitioners’ expertise from different sectors were integrated.

The aim of MCDA was to design a FEWS in a way that best meets the objectives and preferences of all stakeholders. During the final stage of co-dissemination and evaluation, the aim was to translate the knowledge produced into solution-oriented and scalable products.

From the co-designing phase, ten objectives emerged as fundamentally important to stakeholders, clustered into four groups. These were clarity and accuracy of information, reliable and timely information access, affordability of production development and operation, and long-term financial and operational sustainability of the early warning system (Figure 4). The ten objectives received different weights depending on their importance to stakeholders.

Of the eleven versions of FEWS that were created by stakeholders and the FANFAR consortium, three were assessed to be well-performing and robust. One version, for example, could function with relatively minimal resources such as poor internet connectivity, unstable power supply and a limited number of skilled personnel. It suggests the FEWS should be simple and robust rather than incorporating many complex features.

MCDA was particularly helpful in focusing on stakeholders’ values. It helped in navigating and reconciling conflicting stakeholder preferences. MCDA was also helpful for knowledge co-production by providing clarity on stakeholder preferences, incorporating diverse perspectives from different disciplines and assessing different FEWS versions despite uncertain data.

The uptake of the FANFAR FEWS in West Africa will depend on a multitude of other factors. These include operational data collection, strategies to increase local capacity, securing long-term funding for operations, maintenance, and technical development. Local and regional governance structures also play an important role. However, because it was built on a common understanding of contextual challenges among diverse stakeholders, we believe the resultant FEWS will be useful to stakeholders from different regions, sectors and professional backgrounds.

 

[Source: Lienert, J. et al. (2022) 'How to co-design a flood early warning system (FEWS) for West Africa' Water Science Policy, doi: https://dx.doi.org/10.53014/CBJJ5560]

Study uses AI to predict fragility of power grid networks - double trouble when 2 disasters strike electrical transmission infrastructure

One disaster can knock out electric service to millions. A new study suggests that back-to-back disasters could cause catastrophic damage, but the research also identifies new ways to monitor and maintain power grids.

Researchers at The Ohio State University have developed a machine learning model for predicting how susceptible overhead transmission lines are to damage when natural hazards like hurricanes or earthquakes happen in quick succession.

An essential facet of modern infrastructure, steel transmission towers help send electricity across long distances by keeping overhead power lines far off the ground. After severe damage, failures in these systems can disrupt networks across affected communities, taking anywhere from a few weeks to months to fix.

The study, published in the journal Earthquake Engineering and Structural Dynamics, uses simulations to analyze what effect prior damage has on the performance of these towers once a second hazard strikes. Their findings suggest that previous damage has a considerable impact on the fragility and reliability of these networks if it can’t be repaired before the second hazard hits, said Abdollah Shafieezadeh, co-author of the study and an associate professor of civil, environmental and geodetic engineering.

“Our work aims to answer if it’s possible to design and manage systems in a way that not only minimizes their initial damage but enables them to recover faster,” said Shafieezadeh.

The machine learning model not only found that a combination of an earthquake and hurricane could be particularly devastating to the electrical grid, but that the order of the disasters may make a difference. The researchers found that the probability of a tower collapse is much higher in the event of an earthquake followed by a hurricane than the probability of failure when the hurricane comes first and is followed by an earthquake.

That means while communities would certainly suffer some setbacks in the event that a hurricane precedes an earthquake, a situation wherein an earthquake precedes a hurricane could devastate a region’s power grid. Such conclusions are why Shafieezadeh’s research has large implications for disaster recovery efforts.

“When large-scale power grid systems are spread over large geographic areas, it’s not possible to carefully inspect every inch of them very carefully,” said Shafieezadeh. “Predictive models can help engineers or organizations see which towers have the greatest probability of failure and quickly move to improve those issues in the field.”

After training the model for numerous scenarios, the team created “fragility models” that tested how the structures would hold up under different characteristics and intensities of natural threats. With the help of these simulations, researchers concluded that tower failures due to a single hazardous event were vastly different from the pattern of failures caused by multi-hazard events. The study noted that many of these failings occurred in the leg elements of the structure, a segment of the tower that helps bolt the structure to the ground and prevents collapse.

Overall, Shafieezadeh said his research shows a need to focus on re-evaluating the entire design philosophy of these networks. Yet to accomplish such a task, much more support from utilities and government agencies is needed.

“Our work would be greatly beneficial in creating new infrastructure regulations in the field,” Shafieezadeh said. “This along with our other research shows that we can substantially improve the entire system’s performance with the same amount of resources that we spend today, just by optimizing their allocation.”

This work was supported by the Korea Institute of Energy Technology Evaluation and Planning (KETEP) and the Ministry of Trade, Industry & Energy of the Republic of Korea (MOTIE).

WMO issues guidelines on coastal flooding early warning systems

New WMO Guidelines on the Implementation of a Coastal Inundation Forecasting Early Warning System offer solid and practical advice for countries, donors and experts seeking to set up early warning systems against an increasing hazard.

The guidelines are a contribution to the UN Early Warnings for All initiative and reflect the high priority needs of small island developing States (SIDS) and Least Developed Countries that are particularly vulnerable to these coastal hazards.

“The severity of the impacts of disasters, especially on coastal communities, is well known and documented. A contributing factor is the increasing intensity and frequency of meteorological and oceanographical hazards caused by climate change, including sea-level rise, which can seriously affect SIDS and other coastal nations,” state the guidelines.

“It is critical to recognize that coastal inundation can result from single or multiple hazards, and that it is being exacerbated by the impacts of climate change, especially associated with sea-level rise.”

“Coastal inundation events are an increasing threat to the lives and livelihoods of people living in low-lying, populated coastal areas. Furthermore, the issues for most countries that have vulnerable coastlines are the increasing level of development for fishing, tourism and infrastructure, and the sustainability of their communities,” it says.

The new guidelines were presented during a side event during WMO’s Commission for Weather, Climate, Water and Related Environmental Services and Applications (SERCOM), attended by more than 140 participants from all over the globe, including the South Pacific, the Caribbean, and Africa.

WMO is grateful to the Climate Risk and Early Warning Systems Initiative and the Korean Meteorological Administration for financial support.

These guidelines are based on the successful implementation of demonstration systems in four countries between 2009 and 2019 through the Coastal Inundation Forecasting Demonstration Project, which included a special focus on Pacific islands. They also incorporate key principles of WMO's Flash Flood Guidance System (FFGS) and the Severe Weather Forecast Programme.

The aim is to be a “one-stop” shop that countries can follow to prepare and implement their own coastal inundation forecasting early warning system. It provides a straightforward 10 step process with templates featuring policy, management and technical processes that countries or regions can use to build their own early warning system, from vision through to “go-live” implementation. As such information is not always readily available in many countries, these guidelines have concentrated on these features in developing and building a system, including necessary information for sponsors and advice on the resources necessary for success.

The Guidelines are also a registered activity of the United Nations Decade of Ocean Science for Sustainable Development.

ASEAN Framework on anticipatory action in disaster management

The ASEAN Framework on Anticipatory Action in Disaster Management provides guidance for defining and contextualising anticipatory action at the regional level with some considerations for its implementation by Members of the Association of Southeast Asian Nations (ASEAN). This Framework outlines three building blocks of anticipatory action and proposes a Plan of Action for 2021–2025 with the primary aim to streamline anticipatory action in disaster risk management (DRM) through joint regional efforts. The implementation of the action plan will strengthen the ASEAN’s vision of building disaster-resilient nations and communities.

It aims to help advance implementation of anticipatory actions in the ASEAN region while supporting ASEAN in spearheading a common language, objectives and ambition for the global community working on anticipatory action. It represents a landmark commitment from ASEAN to move the anticipatory action agenda forward in the subregion in support of a climate-resilient future. It should be seen as a vehicle to accelerate regional policies and support ASEAN in implementing global frameworks, including the Sendai Framework for Disaster Risk Reduction, the Paris Agreement on Climate Change, and the Sustainable Development Goals (SDGs). An anticipatory approach can achieve these commitments by addressing the humanitarian–development nexus and gaps between disaster risk management and climate change adaptation, maximising climate science and disaster risk finance.

TSA issues new cybersecurity requirements for passenger and freight railroad carriers

The Transportation Security Administration (TSA) announced a new cybersecurity security directive regulating designated passenger and freight railroad carriers. Today’s announcement demonstrates the Biden-Harris Administration’s commitment to strengthen the cybersecurity of U.S. critical infrastructure. Building on the TSA’s work to strengthen defenses in other transportation modes, this security directive will further enhance cybersecurity preparedness and resilience for the nation’s railroad operations.

Developed with extensive input from industry stakeholders and federal partners, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Transportation’s Federal Railroad Administration (FRA), this security directive, Enhancing Rail Cybersecurity – SD 1580/82-2022-01, strengthens cybersecurity requirements and focuses on performance-based measures to achieve critical cybersecurity outcomes.

“The nation’s railroads have a long track record of forward-looking efforts to secure their network against cyber threats and have worked hard over the past year to build additional resilience, and this directive, which is focused on performance-based measures, will further these efforts to protect critical transportation infrastructure from attack,” said TSA Administrator David Pekoske. “We are encouraged by the significant collaboration between TSA, FRA, CISA and the railroad industry in the development of this security directive.”

The security directive requires that TSA-specified passenger and freight railroad carriers take action to prevent disruption and degradation to their infrastructure to achieve the following critical security outcomes:

1. Develop network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate in the event that an Information Technology system has been compromised and vice versa;
2. Create access control measures to secure and prevent unauthorized access to critical cyber systems;
3. Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations; and
4. Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology.

Passenger and freight railroad carriers are required to:

1. Establish and execute a TSA-approved Cybersecurity Implementation Plan that describes the specific cybersecurity measures the passenger and freight rail carriers are utilizing to achieve the security outcomes set forth in the security directive.
2. Establish a Cybersecurity Assessment Program to proactively test and regularly audit the effectiveness of cybersecurity measures and identify and resolve vulnerabilities within devices, networks, and systems.

This is the latest in TSA’s performance-based security directives; previous security directives include requirements such as reporting significant cybersecurity incidents to CISA, establishing a cybersecurity point of contact, developing and adopting a cybersecurity incident response plan, and completing a cybersecurity vulnerability assessment. Through this security directive, TSA continues to take steps to protect transportation infrastructure in the current threat environment. TSA also intends to begin a rulemaking process, which would establish regulatory requirements for the rail sector following a public comment period.

To view TSA’s security directives and guidance documents, please visit the TSA cybersecurity toolkit.

Burying short sections of power lines could drastically reduce hurricanes' impact on coastal residents

Princeton researchers funded by the U.S. National Science Foundation investigated the risk of this compound hazard occurring in the future under a business-as-usual climate scenario, using Harris County, Texas, as one example. They estimated that the risk of a hurricane-blackout-heat wave lasting more than five days in a 20-year span would increase 23 times by the end of the century.

But there is good news: Strategically burying just 5% of power lines — specifically those near main distribution points — would almost halve the number of affected residents.

"The results of this work, part of NSF's Coastlines and People Megalopolitan Coastal Transformation Hub, show the value of convergence science approaches for developing actionable solutions to society's major challenges, such as the increasing frequency of storm events," says Rita Teutonico, director of NSF's CoPe program.

Heat waves are among the deadliest types of weather events and can become even more dangerous when regions that rely on air conditioning lose power. Historically, a heat wave following a hurricane has been rare because the risk of extreme heat usually passes before the peak of the Atlantic hurricane season in late summer. As global temperatures rise, however, heat waves are expected to occur more often and hurricanes are likely to become more common and more severe, increasing the odds of hurricane-blackout-heat wave events.

"Hurricane Laura in 2020 and Hurricane Ida in 2021 both had heat waves following them after they destroyed the power distribution network," said Ning Lin, a civil and environmental engineer who led the study. "For this compound hazard, the risk has been increasing, and it is now happening."

In a new study, published in Nature Communications, Lin and co-authors looked at the risks associated with the compound hazard and how infrastructure changes could mitigate the potentially deadly effects. They combined projections of how often and when hurricanes and heat waves would strike in the future with estimates of how quickly power could be restored in areas with outages after a major storm.

The team chose Harris County — the home of Houston — as their model county because it has the highest population density of any city on the Gulf Coast. Hurricanes Harvey and Ike both walloped Houston, causing an estimated 10% of residents to lose power.

The team also considered power grid improvements that would reduce the impact of a hurricane-blackout-heat wave for residents. Burying 5% of wires near the roots of the distribution network would reduce the expected percentage of residents without power from 18.2% to 11.3%.

"Mostly, our current practice is randomly burying lines," Lin said. "By burying lines more strategically, we can be more efficient and more effective at reducing the risk."

The importance of early warning systems in disaster risk reduction

It is not enough for an early warning system to correctly identify an incoming hazard; it must also ensure that the populations and sectors that are at risk can receive the alert, understand it, and most importantly, act on it.

Disasters, increasingly frequent and intense, have become a major issue requiring urgent action. In 2021, 432 catastrophic events took place, exceeding the average of 357 annual catastrophic events recorded in 2001-2020. Last year alone, 101.8 million people were affected worldwide, and the economic losses amounted to 252.1 billion US dollars.

The impacts of a disaster are often unequally distributed, affecting disproportionately the most vulnerable. These events cause a disruption in the economy and livelihoods of people, producing dramatic socio-economic downturns that hamper short-term recovery and long-term development. On this basis, the promotion of resilience to face all kinds of shocks and stresses is considered a key element for the global development agenda.

In line with this perspective, and in accordance with its mandate, the International Labour Organisation (ILO) has focused on building resilience through the promotion of employment and decent work.

In order to achieve this, the ILO works with its tripartite constituents – governments and employers’ and workers’ organizations – to develop a response to disasters that can answer immediate needs, but also deploy a long-term vision to build resilience for risk management through employment-centred measures. These include skills development, job creation through employment-intensive investments, enterprise support and business continuity management, among others.

This year, the International Day for Disaster Risk Reduction focuses on early warning systems, a fundamental element to decrease the destructive impacts of a disaster. An effective early warning is capable of saving many lives and reducing damage by 30% if activated 24 hours before the event. However, today, one-third of the world’s population, mainly in the least developed countries, is still not covered by early warning systems.

The purpose of early warning systems is mitigating the risk produced by disasters, but these risks are compounded by the socio-economic vulnerability of the population exposed to the hazards. In this context, early warning systems must be inclusive and sensitive to the different sources of vulnerability. As indicated by the United Nations Office for Disaster Risk Reduction (UNDRR), these systems must be people-centred, end-to-end, and multi-hazard.

Early warning systems play a significant role in the world of work. By disseminating timely and accurate information regarding disaster risk, they enable preparedness action as well as a rapid response from workers, employers, and national or local authorities, and can therefore prevent human and economic losses in the workplace. For instance, farmers, pastoralists, fishers, and foresters are among the most-at-risk communities to disasters. Moreover, early warning systems can also play a crucial role in decent work, as part of the occupational health and safety standards in disaster-prone countries.

Early warning systems are essential to prepare and respond effectively in the short term, corresponding to the first stages of disaster management. Moreover, the implementation of such systems can also contribute to building resilience, as enhancing preparedness strengthens the capacity to recover rapidly, and reduces vulnerability.

Forest fires: €170 million to reinforce rescEU fleet

Following a record-breaking forest fire season in Europe, the Commission is proposing today €170 million from the EU budget to reinforce its rescEU ground and aerial assets starting from the summer of 2023. The rescEU transitional fleet would therefore have a total of 22 planes, 4 helicopters as well as more pre-positioned ground teams. As from 2025, the fleet would be further reinforced through an accelerated procurement of airplanes and helicopters.

Commissioner for Crisis Management Janez Lenarčič said: "Due to climate change the number of regions affected by wildfires is increasing, going beyond the traditionally affected Mediterranean countries. The last summers have clearly shown that more firefighting assets are needed at EU-level. By building up our fleet of aerial means and ground forces, the EU will be able to ensure a prompt, flexible response, including in situations where fires are burning in multiple Member States at the same time.”

Commissioner for Budget and Administration, Johannes Hahn said: “While the record-breaking forest fires this summer may have been overshadowed by other crises, today's proposal to reinforce rescEU shows that the EU budget will continue to support those in need. European solidarity across EU Member States remains strong and we are ready to support this solidarity with financial means.”

Wildfires in the EU are increasing in scope, frequency, and intensity. By 1 October, the data for 2022 reveal a 30% increase in the burnt area over the previous worst year recorded (2017) and a more than 170% increase over the average burnt area since EU-level recording started in 2006.

This season, the Emergency Response Coordination Centre received 11 requests for assistance for forest fires. 33 planes and 8 helicopters were deployed across Europe via the EU Civil Protection Mechanism, which were joined by over 350 firefighters on the ground. In addition, the EU's emergency Copernicus satellite provided damage assessment maps of the affected areas.

CISA Directs Federal Agencies to Improve Cybersecurity Asset Visibility and Vulnerability Detection

The Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 23-01, Improving Asset Visibility and Vulnerability Detection on Federal Networks, which directs federal civilian agencies to better account for what resides on their networks.

Over the past several years, CISA has been working urgently to gain greater visibility into risks facing federal civilian networks, a gap made clear by the intrusion campaign targeting SolarWinds devices. The Biden-Harris Administration and Congress have supported significant progress by providing key authorities and resources. This Directive takes the next step by establishing baseline requirements for all Federal Civilian Executive Branch (FCEB) agencies to identify assets and vulnerabilities on their networks and provide data to CISA on defined intervals.

“Threat actors continue to target our nation’s critical infrastructure and government networks to exploit weaknesses within unknown, unprotected, or under-protected assets,” said CISA Director Jen Easterly. “Knowing what’s on your network is the first step for any organization to reduce risk. While this Directive applies to federal civilian agencies, we urge all organizations to adopt the guidance in this directive to gain a complete understanding of vulnerabilities that may exist on their networks. We all have a role to play in building a more cyber resilient nation.”

CISA is committed to using its cybersecurity authorities to gain greater visibility and drive timely risk reduction across federal civilian agencies. Implementation of this Directive will significantly increase visibility into assets and vulnerabilities across the federal government, in turn improving capabilities by both CISA and each agency to detect, prevent, and respond to cybersecurity incidents and better understand trends in cybersecurity risk.

This Directive is a mandate for federal civilian agencies. However, CISA recommends that private businesses and state, local, tribal and territorial (SLTT) governments review it and prioritize implementation of rigorous asset and vulnerability management programs.

The new Directive can be found at Binding Operational Directive (BOD) 23-01.
