On September 16, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan. As the operational lead for federal cybersecurity, CISA uses this plan to guide coordinated support and services to agencies, drive progress on a targeted set of priorities, and align collective operational defense capabilities. The end result is reduced risk across more than 100 FCEB agencies. (ref: CISA Releases Plan to Align Operational Cybersecurity Priorities for Federal Agencies | CISA)
As noted by CISA, the various government agencies and their interconnected systems have independent networks and system architectures, and often have different risk tolerances and risk strategies. However, because these systems are part of the broader critical national interest, it is important to provide some level of standardization in the components of enterprise-scale operational cybersecurity.
As stated by CISA’s Executive Director for Cybersecurity Jeff Greene, “The actions of the FOCAL plan orient and guide FCEB agencies toward effective and collaborative operational cybersecurity and will build resilience. In collaboration with our partner agencies, CISA is modernizing federal agency cybersecurity.”
The FOCAL plan is organized into five priority areas. Each priority has goals ranging from universal cybersecurity challenges, such as managing the attack surface of internet-accessible assets and bolstering cloud security, to long-range efforts such as building a defensible architecture that is resilient in the face of evolving security incidents. The priority areas for FCEB agencies are:
- Asset Management – fully understand the cyber environment, including the operational terrain and interconnected assets.
- Vulnerability Management – proactively protect the enterprise attack surface and assess defensive capabilities.
- Defensible Architecture – design cyber infrastructure with an understanding that security incidents will happen, and that resilience is essential.
- Cyber Supply Chain Risk Management (C-SCRM) – quickly identify and mitigate risks, including from third parties, posed to federal IT environments.
- Incident Detection and Response – improve the ability of Security Operations Centers (SOCs) to detect, respond to, and limit the impact of security incidents.
In the summer of 2024, Carson & SAINT released SAINT VRM, a transformational, risk-based vulnerability management platform designed to align vulnerability management with a business context, rather than the purely technology-focused view that is all too common in traditional cybersecurity solutions. With VRM, organizations can bring all business, security and compliance stakeholders together to ensure that their cybersecurity investments are aligned with the broader organizational goals, business activities, stakeholder areas of responsibility and overall risk management program. These same VRM capabilities directly align with the FOCAL plan: government agencies and interconnected system owners can collaborate to map critical assets to business measures unique to their individual requirements and risk tolerances, customize visual displays to assess risk exposures with business/agency context, and prioritize response more effectively based on the assets of highest criticality and impact to the business or mission.
SAINT VRM can directly support the five priorities in the following ways:
Asset Management – With VRM, organizations can identify existing and previously unknown assets and assign the business attributes (measures) that matter most to each stakeholder, for example Mission area, Location, System Owner, Site, Program or Project, and then visualize scan results by Risk level rather than by the narrowly focused vulnerability severity rating alone. Risk scores and categories are computed for each business measure, along with a global Risk Posture indicator. Risk outcomes are computed by bringing all stakeholder contributions together into a Business Impact rating and aligning that impact with vulnerability severity, current threat intelligence and CISA’s latest research on vulnerabilities that have shown active exploitation around the world. By bringing these critical risk factors together, organizations can assess not only where they are vulnerable, but how those exposures affect their assets. Whether assets are deployed on premises, at remote locations, across cloud platforms, or are mobile, as with staff who work from home or are constantly “on the road”, VRM can identify and track asset risk exposures and correlate them to business-critical asset measures.
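The paragraph above describes risk outcomes as a combination of stakeholder-assigned business impact, vulnerability severity and known-exploitation intelligence, rolled up per business measure and into a global posture indicator. The following is an added, illustrative model of that kind of computation; it is not SAINT VRM’s own scoring, and the asset list, findings, CVSS values, KEV flags and weights are all constructed for the example.

```python
# Illustrative risk-based prioritisation (added example, not SAINT VRM's scoring).
# Business impact comes from stakeholders; severity and a "known exploited" flag
# come from the finding; scores roll up per business measure and globally.
from collections import defaultdict

# Constructed sample data: impact is a stakeholder-assigned weight (1-5).
ASSETS = {
    "web-01":  {"mission": "Benefits Portal", "owner": "Ops",  "impact": 5},
    "db-01":   {"mission": "Benefits Portal", "owner": "Data", "impact": 5},
    "test-07": {"mission": "Dev Sandbox",     "owner": "Dev",  "impact": 1},
}
FINDINGS = [
    # (asset, finding id, hypothetical CVSS base score, listed as actively exploited?)
    ("web-01",  "FINDING-A", 6.4, True),    # medium CVSS but exploited in the wild
    ("db-01",   "FINDING-B", 4.3, False),
    ("test-07", "FINDING-C", 9.8, False),   # critical CVSS on a low-impact sandbox
]
KEV_MULTIPLIER = 1.5  # assumption: up-weight findings with known active exploitation

def finding_risk(cvss, kev, impact):
    """Risk = severity (0-10, KEV-boosted, capped at 10) x business impact (1-5)."""
    severity = min(10.0, cvss * (KEV_MULTIPLIER if kev else 1.0))
    return round(severity * impact, 1)

def asset_risk():
    """Worst finding risk per asset, as {asset: score}."""
    worst = defaultdict(float)
    for asset, _fid, cvss, kev in FINDINGS:
        worst[asset] = max(worst[asset], finding_risk(cvss, kev, ASSETS[asset]["impact"]))
    return dict(worst)

def risk_by_measure(measure):
    """Roll asset scores up to a business measure such as 'mission' or 'owner'."""
    rolled = defaultdict(float)
    for asset, score in asset_risk().items():
        key = ASSETS[asset][measure]
        rolled[key] = max(rolled[key], score)
    return dict(rolled)

def category(score):
    """Map a 0-50 score to the risk level a dashboard would display."""
    return "critical" if score >= 40 else "high" if score >= 25 else "medium" if score >= 10 else "low"

def global_posture():
    """Global indicator: impact-weighted mean of asset scores across all assets."""
    scores, total_impact = asset_risk(), sum(a["impact"] for a in ASSETS.values())
    return round(sum(scores.get(n, 0.0) * a["impact"] for n, a in ASSETS.items()) / total_impact, 1)

def prioritised():
    """Findings ordered by business risk rather than by raw CVSS."""
    rows = [(fid, finding_risk(cvss, kev, ASSETS[a]["impact"])) for a, fid, cvss, kev in FINDINGS]
    return sorted(rows, key=lambda row: row[1], reverse=True)
```

Note how the 9.8 CVSS finding on the sandbox ranks last once business impact and exploitation status are included.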
Vulnerability Management – SAINT’s VRM solution is the latest generation of offerings, with a lineage that goes back to an open-source project in the late 1990s. SAINT introduced SAINTscanner in 2001 as one of the world’s first commercially available vulnerability scanning solutions. With over 20 years of experience in the industry, SAINT’s vulnerability research, product development and innovations currently support over 16,000 customers in over 20 countries. To support this FOCAL objective, VRM uses a combination of technology-driven asset discovery, host “fingerprinting” and automated rules to identify attack surfaces and refine asset criticality and risk levels as asset management is combined with vulnerability scanning outcomes. Vulnerability assessment also goes well beyond the known vulnerabilities disclosed in the National Vulnerability Database (NVD): VRM’s assessment capabilities include configuration assessments based on industry best-practice configuration profiles from NIST, DISA STIGs and CIS. Additionally, VRM can assess web applications, web servers and related technologies for risk exposures such as cross-site scripting and SQL injection that are not mapped to a specific Common Vulnerabilities and Exposures (CVE) identifier, but often represent a high level of risk to critical web-based systems that are easily reachable within an organization’s attack surface. VRM can also identify new assets that have been connected to networks, through a combination of passive asset discovery that runs separately from the managed and scheduled asset discovery and assessment workflows, and proactive discovery of cloud instances by interoperating with cloud-provider account management repositories such as those in Microsoft Azure and Amazon Web Services (AWS).
Additionally, VRM includes capabilities to assess the effectiveness of cybersecurity training and employee cyber resilience with social engineering tools, such as SMS- and email-based phishing simulations. As many studies have shown over the years, more than 80% of breaches begin with some type of human weakness or interaction. In a recent study by Stanford University and the security firm Tessian, the percentage is even higher:
A joint study from Stanford University Professor Jeff Hancock and security firm Tessian revealed that nine in 10 (88%) data breach incidents are caused by employees’ mistakes. The study “Psychology of Human Error” highlighted that employees are unwilling to admit to their mistakes if organizations judge them severely.
To effectively manage risk exposures across the broader vulnerability management landscape, it is important to consider risk exposures wherever they occur, both technical and non-technical.
Responding to and mitigating vulnerabilities and other types of risk exposures is as important as, or more important than, merely identifying where you are vulnerable. Collectively, the combination of 20+ years of vulnerability scanning experience, modern asset discovery and management approaches, inclusion of both technology and human-weakness/social engineering assessment capabilities, and integration of vital information from national organizations such as NIST, CISA, CIS and others enables VRM to meet CISA’s FOCAL plan objectives across the first two priorities.
However, the risk-based approach to analysis and to prioritizing response around what matters most to the organization is where VRM provides its highest Return on Investment (ROI). While it is not a Security Information and Event Management (SIEM) platform, decision makers can use VRM to direct critical resources, including Incident Detection and Response activities, to where they offer the highest value and impact on overall risk.
VRM’s initial release directly aligns with the stated priorities of CISA’s FOCAL plan, and the roadmap for VRM is just beginning. To learn more about how VRM and other products and services from Carson & SAINT can help your organization on its cyber risk management journey, please contact us at be.secure@carson-saint.com.