Navigating fed cybersecurity: Strategies to achieve network compliance

As cyberattacks have intensified in volume and sophistication, the need for more prescriptive guidance is clear.

Initiatives like Executive Order 14028 and CISA’s Binding Operational Directive 23-1 have heightened scrutiny and accountability for security leaders tasked with ensuring network security and compliance. This guidance helps government entities and private sector organizations navigate the threat landscape and improve their security posture. However, diverse directives from the White House, the National Security Agency (NSA), the Department of Homeland Security (DHS), the Securities and Exchange Commission (SEC), and other government entities create confusion over which guidance to follow.

As we navigate the various federal guidelines, it’s important to remember that you’re not alone in this struggle. Security professionals across the board are grappling with legacy tools, siloed security applications, the time-consuming nature of data collection and analysis, and the scarcity of skilled security personnel. These are all factors that complicate efforts to gain comprehensive network insights and prove compliance.

Vulnerability management is complex and overwhelming for most agencies, which must also sift through a slew of information from various vendor sources. I like focusing on the basics. The National Vulnerability Database (NVD), the U.S. government’s repository of standards-based vulnerability management data, is one of the most important sources of truth worldwide and a good place to start.

Maintained by the National Institute of Standards and Technology (NIST) and sponsored by DHS’s National Cybersecurity and Communications Integration Center, the NVD provides detailed analysis and scoring of Common Vulnerabilities and Exposures (CVEs) to help organizations prioritize their response to vulnerabilities. The Known Exploited Vulnerabilities (KEV) Catalog, published by CISA, is a great supplement. In 2024, NIST has already issued nearly 35,000 alerts; agencies need to understand which CVEs are relevant to their network and their degree of exposure.
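The step described above, narrowing tens of thousands of NVD entries down to the ones that actually touch your inventory and then putting KEV-listed items first, can be automated. The script below is an added example written for this article; it is not code from the author, NIST or CISA. The asset inventory, the CVE records and the KEV entries are all constructed (the CVE ids are placeholders, not real CVEs), and the record shapes are a simplified assumption loosely modeled on the NVD 2.0 `cpeMatch` structure and the KEV feed, not a copy of either schema.

```python
# Added example: rank NVD-style CVE records against an asset inventory and a KEV list.
# Every record below is constructed for illustration; CVE ids are placeholders, not real CVEs.
# Record shapes are a simplified assumption modeled on NVD 2.0 cpeMatch entries and the KEV feed.
from typing import Optional

# Constructed asset inventory: "vendor:product" -> installed version.
ASSETS = {
    "apache:http_server": "2.4.49",
    "openssl:openssl": "3.0.7",
    "nginx:nginx": "1.25.0",
}

# Constructed NVD-style records: CVSS base score plus CPE 2.3 match criteria.
NVD_RECORDS = [
    {"id": "CVE-0000-0001", "baseScore": 9.8,
     "matches": [{"criteria": "cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*"}]},
    {"id": "CVE-0000-0002", "baseScore": 7.5,
     "matches": [{"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.0.8"}]},
    {"id": "CVE-0000-0003", "baseScore": 5.3,
     "matches": [{"criteria": "cpe:2.3:a:nginx:nginx:1.25.0:*:*:*:*:*:*:*"}]},
    {"id": "CVE-0000-0004", "baseScore": 9.1,
     "matches": [{"criteria": "cpe:2.3:a:microsoft:exchange_server:*:*:*:*:*:*:*:*"}]},
]

# Constructed KEV-style entries: CVE id -> remediation due date.
KEV = {"CVE-0000-0001": "2024-03-01", "CVE-0000-0004": "2024-02-15"}


def version_tuple(v: str) -> tuple:
    """Turn '2.4.49' into (2, 4, 49) for ordered comparison; non-numeric parts become 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def cpe_matches(match: dict, assets: dict) -> Optional[str]:
    """Return the inventory key hit by one cpeMatch entry, or None if it does not apply."""
    parts = match["criteria"].split(":")
    vendor, product, version = parts[3], parts[4], parts[5]
    key = f"{vendor}:{product}"
    if key not in assets:
        return None
    installed = version_tuple(assets[key])
    if version != "*":
        # Exact version in the criteria string.
        return key if installed == version_tuple(version) else None
    # Wildcard version: honour the optional range bounds on the match entry.
    lo = match.get("versionStartIncluding")
    hi = match.get("versionEndExcluding")
    if lo and installed < version_tuple(lo):
        return None
    if hi and installed >= version_tuple(hi):
        return None
    return key


def prioritise(records: list, assets: dict, kev: dict) -> list:
    """Keep only CVEs that hit the inventory; KEV entries first, then by CVSS score."""
    hits = []
    for rec in records:
        affected = {cpe_matches(m, assets) for m in rec["matches"]} - {None}
        if not affected:
            continue  # no exposure on this network, skip it
        in_kev = rec["id"] in kev
        tier = "P1-KEV" if in_kev else ("P2-high" if rec["baseScore"] >= 7.0 else "P3")
        hits.append({"id": rec["id"], "tier": tier, "score": rec["baseScore"],
                     "assets": sorted(affected), "due": kev.get(rec["id"])})
    # Anything with a KEV due date sorts ahead of everything else; ties broken by score.
    hits.sort(key=lambda h: (h["due"] is None, -h["score"]))
    return hits


if __name__ == "__main__":
    for hit in prioritise(NVD_RECORDS, ASSETS, KEV):
        print(hit)
```

Of the four constructed records, only three touch the inventory; the Exchange entry is dropped even though it carries a high score and a KEV due date, because score and exploitation status only matter once exposure is established. With the real feeds the same logic applies to the NVD `cpeMatch` list and the KEV `vulnerabilities` array, with the inventory replaced by whatever CPE data your asset management produces.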

Private sector CISOs and federal agencies face the dilemma of complying with complex regulatory requirements within limited timeframes and budgets. Executive orders, for instance, are often issued without fiscal budget backing, forcing security leaders to assess their existing systems and contracts to determine if current infrastructure investments will support the new requirements and identify which legacy systems must be updated or removed from the network.