This post appears as part of a series about the foundations of the DHS CDM Program. In the first and second blogs, we covered what the DHS CDM Program is all about and explored the first two foundational elements – hardware asset management (HWAM) and software asset management (SWAM). In today’s blog, we take a close look at the CDM capability specific to vulnerability management (VUL).
What’s CDM VUL?
As federal agencies adopt and mature CDM capabilities, they’re still finding challenges related to asset management (both hardware and software) and the ability to uniquely track, accurately verify, and validate data attributes associated with agency devices.
The CDM Vulnerability Management (VUL) capability supports the ongoing assessment of a group of security controls that are employed to:
- Give organizations visibility into the known vulnerabilities present on their networks
- Delay or prevent malicious or compromised software from being installed on the network
- Reduce the number of easy-to-compromise devices caused by vulnerable software
- Delay or prevent vulnerable software from being used to gain access to other parts of the network
In short, CDM VUL helps protect your assets from new and known software vulnerabilities. VUL joins with HWAM, SWAM, configuration settings management (CSM), and enterprise mobility management (EMM) to make up the asset management capabilities of the CDM program.
CISA outlines three key vulnerability management practices to ensure your agency is protected and compliant with CDM guidelines.
VUL Practice 1: Threat and Vulnerability Information Is Received From Information Sharing Forums and Sources
The first practice for VUL is to receive threat and vulnerability information from various sources including information sharing forums, third-party vendors, and government sources like the National Vulnerability Database (NVD), which contains a list of common vulnerabilities and exposures (CVE).
When agencies are putting this practice into place, CISA recommends asking questions such as:
- Do we acquire vulnerability/threat information and data from external sources?
- How do we communicate threat and vulnerability information with selected external organizations and groups (e.g., US-CERT)?
- Do we communicate and maintain ongoing information sharing on threats and vulnerabilities with other components and departments and agencies?
Asking these questions of your own capabilities and operations helps your team ensure they have the data and information needed for vulnerability management. Effective vulnerability management is dependent on two things:
- Knowing what devices and software are running on your network
- Having an up-to-date list of known vulnerabilities
VUL Practice 2: A Vulnerability Management Plan Is Developed and Implemented
While Practice 1 focuses on ensuring your security and compliance teams have the data they need, Practice 2 looks at your agency’s processes around vulnerability management.
Having a vulnerability management plan enables your agency to scale vulnerability responses and aids in maintaining internal and external SLAs.
Practice 2 is intended to help departments and agencies understand their protocols for how they put the data gathered in Practice 1 into effect. For example, when a new vulnerability is identified, what tools does our team use to evaluate its potential impact? Is there one centralized source of the truth for our asset information? How long does it take for our team to identify and address impacted devices and users? How are different assets and vulnerabilities prioritized?
Practice 2 also prods agencies to evaluate their team operations concerning vulnerability management. This looks at how the process of vulnerability management itself is documented and communicated in a department or agency. For instance, if the last time your vulnerability management procedures were updated was before March 2020’s rapid shift to remote work, it may be time to review them to ensure they are keeping up with your BYOD policy.
A great way to evaluate your current processes is to look at their effectiveness. While it’s hard to determine the exact causal relationship between good processes and not being breached, one metric to track over time to evaluate your vulnerability management processes is the number of vulnerabilities left unpatched.
VUL Practice 3: Vulnerability Scans Are Performed
The goal of Practice 3 is to ensure that vulnerability scanners are used in accordance with best practices. This practice builds on the previous two: it relies on accurate, up-to-date asset, software, and vulnerability data to power a vulnerability scanning tool. It also encourages agencies to evaluate how vulnerability scanners fit into their current VUL operations.
A great metric to help agencies ensure their vulnerability scanners are effective is scan coverage: which of the assets in your inventory the scanners actually reach. CISA recommends considering this question, along with the frequency of your scheduled vulnerability scans, to help agencies improve this practice. Scans performed at the right intervals, with the right coverage, deliver the input to your vulnerability management plan (Practice 2). Your plan should outline a repeatable process for putting the results of your scans into action to make your agency more secure.
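The three practices above reduce to a small data-correlation exercise: join the asset inventory (HWAM/SWAM data) with the known-vulnerability list (Practice 1), rank the resulting exposures by severity weighted with asset criticality (Practice 2), and measure how much of the inventory the scanners have actually covered (Practice 3). The script below is an added illustration of that workflow and is not code from CISA, the CDM program, or Axonius. The asset records, the version-based affected rule, the CVE identifiers (`CVE-0000-000x`), the criticality scale and the seven-day scan window are all constructed assumptions for the example; a real feed would come from NVD or a vendor source and a real inventory from the agency's asset tools.

```python
"""Correlate a constructed asset inventory with a constructed vulnerability feed,
prioritize exposures, and compute vulnerability-management metrics.
Added example; all data below is made up for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Asset:
    hostname: str
    criticality: int              # assumed 1 (low) .. 5 (mission critical), set by the agency
    software: Dict[str, str]      # product name -> installed version string (SWAM data)
    last_scanned: Optional[date]  # None means the scanner has never seen this device


@dataclass
class Vuln:
    cve: str        # placeholder identifier, not a real CVE
    product: str
    fixed_in: str   # first version that is NOT affected (assumed feed field)
    cvss: float     # base severity score carried by the feed


def parse_version(v: str) -> tuple:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def is_affected(asset: Asset, vuln: Vuln) -> bool:
    """Affected if the product is installed and older than the fixed version."""
    installed = asset.software.get(vuln.product)
    if installed is None:
        return False
    return parse_version(installed) < parse_version(vuln.fixed_in)


def find_exposures(assets: List[Asset], feed: List[Vuln]) -> List[dict]:
    """Practice 1 + 2: join inventory with the vuln list, then rank by
    feed severity weighted by the agency's own criticality rating."""
    exposures = []
    for asset in assets:
        for vuln in feed:
            if is_affected(asset, vuln):
                exposures.append({
                    "host": asset.hostname,
                    "cve": vuln.cve,
                    "cvss": vuln.cvss,
                    "criticality": asset.criticality,
                    "risk": round(vuln.cvss * asset.criticality, 1),
                })
    return sorted(exposures, key=lambda e: e["risk"], reverse=True)


def unpatched_count(assets: List[Asset], feed: List[Vuln]) -> int:
    """The Practice 2 trend metric from the text: open exposures still unpatched."""
    return len(find_exposures(assets, feed))


def scan_coverage(assets: List[Asset], today: date, max_age_days: int = 7) -> float:
    """Practice 3 metric: share of inventoried assets scanned within the window."""
    if not assets:
        return 0.0
    fresh = sum(
        1 for a in assets
        if a.last_scanned is not None and (today - a.last_scanned).days <= max_age_days
    )
    return round(fresh / len(assets), 2)


def never_scanned(assets: List[Asset]) -> List[str]:
    """Inventoried hosts the scanner has never covered: candidates to add to the schedule."""
    return [a.hostname for a in assets if a.last_scanned is None]


# Constructed sample data (reference date, hosts, versions and feed entries are invented).
TODAY = date(2021, 1, 15)
ASSETS = [
    Asset("web-01", 4, {"exampled": "2.3.9", "libfoo": "1.0.2"}, date(2021, 1, 14)),
    Asset("db-01", 5, {"exampled": "2.4.0", "libfoo": "1.0.1"}, date(2021, 1, 1)),
    Asset("laptop-17", 2, {"libfoo": "0.9.0"}, None),
]
FEED = [
    Vuln("CVE-0000-0001", "exampled", "2.4.0", 9.8),
    Vuln("CVE-0000-0002", "libfoo", "1.0.2", 5.3),
]

if __name__ == "__main__":
    for e in find_exposures(ASSETS, FEED):
        print(f"{e['host']:<10} {e['cve']}  cvss={e['cvss']}  crit={e['criticality']}  risk={e['risk']}")
    print("unpatched exposures:", unpatched_count(ASSETS, FEED))
    print("scan coverage (7d):", scan_coverage(ASSETS, TODAY))
    print("never scanned:", never_scanned(ASSETS))
```

Two design points are worth noting. The ranking multiplies feed severity by the agency's own criticality rating, so a medium-severity finding on a mission-critical server (`db-01`) outranks the same finding on a low-value laptop, which is the prioritization question Practice 2 asks. The coverage metric is computed against the inventory rather than against scanner output, which is the only way to notice hosts the scanner has never touched; on this sample data only one of three hosts was scanned in the last week and `laptop-17` has never been scanned at all.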
How Can Cybersecurity Asset Management Help With VUL?
Cybersecurity asset management solutions, like Axonius, help agencies improve their vulnerability management practices. Axonius connects to hundreds of IT and security tools to correlate data about hardware and software assets, users, and vulnerabilities. Agencies use Axonius to:
- Gain a comprehensive, up-to-date asset inventory
- Correlate vulnerability severity levels with asset criticality to inform prioritization
- Understand vulnerability assessment frequency and coverage
- Automatically add newly discovered assets to scheduled scans
What’s more, Axonius is a DHS CDM-approved vendor for asset management.