I cannot begin to stress how critical having an inventory of assets is to everything. The foundation for being able to establish a network baseline, identify anomalies, and respond to incidents all require the functionality of a useful inventory. And I don’t mean having your people go around with a printed out Excel sheet, physically verifying devices and serial numbers… I remember the days as a young Airman physically checking off serial numbers and validating whether devices are in the proper room. This method introduces human error and doesn’t help to validate if the proper devices (or rogue devices) are even connected to the network.
When you consider assets, you have to think about both physical devices and the software components that exist within them. With proper inventory management, vulnerabilities such as Log4j should take less than 30 seconds to determine if and where it exists within your environment. You should also be able to identify when rogue devices connect to your network. Most importantly of all, when the configuration is setup, it will save your analysts and administrators a massive amount of time while actually keeping your network more secure.
The memo also requires formal participation in the Continuous Diagnostics and Mitigation CDM program:
As directed by EO 14028, Federal civilian agencies must have formalized their participation in CDM via a memorandum of agreement with DHS. Agencies must create ongoing, reliable, and complete asset inventories, including by leveraging the CDM program.
The CDM program was established back in 2012 and provides a lot of overlapping capabilities that may assist your transition to a Zero Trust environment. At a high level, the program works to assist in these five key program areas:
Agency and Federal Dashboards
Identity and Access Management
Network Security Management
Data Protection Management
Do these sound familiar to CISA’s Zero Trust pillars? Yeah, I thought so too. While the term Zero Trust is getting a lot of attention, many of the core security concepts remain exactly the same. ZTA introduces some additional compliance components, but ultimately should just be an advancement of your current security approach.
More information on the CDM program can be found here: CISA Continuous Diagnostics and Mitigation
If you have already made some transition to the cloud, inventory of those assets is much simpler as most cloud providers make this process considerably easier. CISA will also be developing a program to better assist with cloud-oriented Federal architecture as noted in the memo:
This is especially practical in cloud environments with rich, granular, and dynamic permission systems. CISA will work toward developing the CDM program to better support a cloud-oriented Federal architecture. For example, CISA may choose to support automated asset discovery using the technical interfaces offered by many commercial cloud infrastructure providers.
Resources Inventorying Assets