The White House OMB Memo M-24-04 and What It Means for IoT Security
In March 2023, the Biden Administration released the National Cybersecurity Strategy that provided timelines and details to support the defense and modernization of Federal systems. Since the release of Executive Order 14028, Improving the Nation’s Cybersecurity (EO), various agencies have published guidance documents to help Federal Civilian Executive Branch (FCEB) agencies navigate these new initiatives.
On December 4, 2023, the Office of Management and Budget (OMB) released M-24-04, Fiscal Year 2024 Guidance on Federal Information Security and Privacy Management Requirements, providing agencies with reporting guidance and deadlines. Interestingly, within this document, the OMB also outlined several initiatives related to Internet of Things (IoT) devices, establishing new compliance issues for agencies and, likely, the supply chain that supports them.
What is OMB M-24-04?
As agencies strive to implement these required changes, OMB M-24-04 (Memo) focuses on ways that the Administration can use data that agencies submit as part of their Federal Information Security Management Act (FISMA) compliance requirements.
This Memo follows up on the EO, OMB Memorandum M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, and OMB Memorandum M-22-16, Administration Cybersecurity Priorities for the FY 2024 Budget.
This guidance specifically focuses on:
- Measuring zero trust progress: aligning FISMA performance with benchmarks for implementing the National Institute of Standards and Technology (NIST) Cybersecurity Framework and zero trust implementation strategies
- Obtaining clear, actionable, and outcome-focused data: continuing to focus and prioritize limited resources on automated tools for collecting data in a machine-readable format
- Getting input from across the Federal enterprise: working with the CISO Council’s FISMA Metrics Subcommittee to prioritize metrics, incorporate Continuous Diagnostic and Mitigation (CDM) data into FISMA reporting, and recommend additional ways to capture information
- Improving security-privacy coordination: coordinating more purposefully across these independent, separate yet closely related disciplines.
The OMB then divided the Memo into the following sections:
- Section 1: Increasing Coordination with and Visibility of Continuous Diagnostics and Mitigation Capabilities
- Section 2: Internet of Things
- Section 3: Requirements for FISMA Reporting to OMB and DHS
- Section 4: CIO Reporting
- Section 5: IG Reporting
- Section 6: SAOP Reporting
- Section 7: Agency Head Letter for Annual Reporting Requirement to OMB
- Section 8: Annual Reporting to Congress and the Government Accountability Office
- Section 9: Incident Reporting Requirements
- Section 10: Contact Information and Additional Resources
Although IoT might seem like only one small part of this Memo, the reality is that the metrics defining reporting incorporate identifying, securing, and managing these devices. To achieve the EO’s and National Cybersecurity Strategy’s objectives, agencies and their supply streams should understand how to gauge and manage IoT risks.
A Deep Dive into Section II: Internet of Things
Maturing Federal IoT cybersecurity practices is critical to mitigating risks. The Federal enterprise must implement foundational cyber protections if it wants to improve the overarching security of Federal systems.
Scoping and Definitions of Internet of Things Devices and Operational Technology
In response to the Internet of Things Cybersecurity Improvement Act of 2020 (IoT Act), NIST published guidelines and standards for managing IoT security. The Memo references NIST’s definition of IoT, scoping in devices that:
- Have at least one sensor or actuator
- Interact directly with the physical world
- Have at least one network interface (Ethernet, Wi-Fi, Bluetooth)
Further, the Memo notes that many IoT devices can fall within NIST’s definition of operational technology (OT), citing the following examples:
- Industrial control systems
- Building management systems
- Fire control systems
- Physical access control mechanisms
IoT Inventory
After spending two years learning about the various types of IoT devices that the Federal Government uses, the OMB determined that agencies must prioritize creating inventories that document the IoT devices that collect and exchange data with other devices and systems.
These IoT inventories should contain the following information for each device type:
- Asset Identification
- Asset Description
- Asset Categorization
- Owner/Point of Contact
- Vendor/Manufacturer Information
- Software/Firmware Versions
- Network Connectivity, Integrations, and API Information
- Security Controls
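The scoping criteria and inventory fields above lend themselves to a simple completeness check. The following is an added example, not code from the Memo or from Asimily: it encodes the three NIST scoping criteria and the eight Memo inventory fields, and runs them over a constructed inventory (device identifiers, the `example.gov` contact, and the `DeviceRecord` structure are all assumptions made for the example). A device is reported as in scope only when all three NIST criteria hold, and in-scope records with empty Memo fields are reported as incomplete.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# The eight per-device-type fields that M-24-04 says an IoT inventory should contain.
REQUIRED_FIELDS = (
    "Asset Identification",
    "Asset Description",
    "Asset Categorization",
    "Owner/Point of Contact",
    "Vendor/Manufacturer Information",
    "Software/Firmware Versions",
    "Network Connectivity, Integrations, and API Information",
    "Security Controls",
)

# OT example categories named in the Memo (lower-cased for prefix matching).
OT_CATEGORIES = {
    "industrial control system",
    "building management system",
    "fire control system",
    "physical access control",
}


@dataclass
class DeviceRecord:
    """One inventory row: the Memo's fields plus the three NIST scoping attributes (assumed layout)."""
    fields: Dict[str, str]                 # Memo field name -> recorded value ("" means not recorded)
    has_sensor_or_actuator: bool
    interacts_with_physical_world: bool
    network_interfaces: List[str] = field(default_factory=list)  # e.g. ["Wi-Fi", "Bluetooth"]


def is_iot_device(rec: DeviceRecord) -> bool:
    """NIST scoping: sensor/actuator AND physical-world interaction AND at least one network interface."""
    return (rec.has_sensor_or_actuator
            and rec.interacts_with_physical_world
            and len(rec.network_interfaces) > 0)


def is_ot_device(rec: DeviceRecord) -> bool:
    """True when the recorded categorization matches one of the Memo's OT examples."""
    cat = rec.fields.get("Asset Categorization", "").strip().lower()
    return any(cat.startswith(ot) for ot in OT_CATEGORIES)


def missing_fields(rec: DeviceRecord) -> List[str]:
    """Memo fields that are absent or empty in this record, in the Memo's order."""
    return [f for f in REQUIRED_FIELDS if not rec.fields.get(f, "").strip()]


def validate_inventory(records: List[DeviceRecord]) -> Dict[str, object]:
    """Classify each record and list incomplete in-scope entries keyed by Asset Identification."""
    result = {"in_scope": [], "out_of_scope": [], "ot_overlap": [], "incomplete": {}}
    for rec in records:
        dev_id = rec.fields.get("Asset Identification", "<unidentified>")
        if not is_iot_device(rec):
            result["out_of_scope"].append(dev_id)  # not an IoT device under the NIST definition
            continue
        result["in_scope"].append(dev_id)
        if is_ot_device(rec):
            result["ot_overlap"].append(dev_id)  # IoT device that also falls under OT
        gaps = missing_fields(rec)
        if gaps:
            result["incomplete"][dev_id] = gaps
    return result


def _row(dev_id, desc, cat, vendor, fw, net, controls):
    """Build the Memo field dictionary; the contact address is a constructed placeholder."""
    return {
        "Asset Identification": dev_id,
        "Asset Description": desc,
        "Asset Categorization": cat,
        "Owner/Point of Contact": "facilities@example.gov",
        "Vendor/Manufacturer Information": vendor,
        "Software/Firmware Versions": fw,
        "Network Connectivity, Integrations, and API Information": net,
        "Security Controls": controls,
    }


# Constructed sample inventory (not real agency data).
SAMPLE_INVENTORY = [
    # Thermostat: in scope, OT overlap (building management), fully documented.
    DeviceRecord(_row("HVAC-TSTAT-0042", "Smart thermostat, 3rd floor", "Building management system",
                      "ExampleCo ThermoNet", "fw 4.2.1", "Wi-Fi; BMS REST API", "VLAN 310, NAC policy BMS-IOT"),
                 has_sensor_or_actuator=True, interacts_with_physical_world=True, network_interfaces=["Wi-Fi"]),
    # Badge reader: in scope, OT overlap, but nobody recorded its security controls.
    DeviceRecord(_row("DOOR-RDR-0107", "Badge reader, loading dock", "Physical access control mechanism",
                      "ExampleCo AccessPoint", "fw 2.0.9", "Ethernet; PACS controller", ""),
                 has_sensor_or_actuator=True, interacts_with_physical_world=True, network_interfaces=["Ethernet"]),
    # Core switch: network gear with no sensor or actuator, so outside the NIST IoT definition.
    DeviceRecord(_row("NET-SW-0003", "Core switch", "Network infrastructure",
                      "ExampleCo SwitchOS", "os 9.1", "Ethernet", "802.1X, management ACL"),
                 has_sensor_or_actuator=False, interacts_with_physical_world=False, network_interfaces=["Ethernet"]),
]

if __name__ == "__main__":
    for key, value in validate_inventory(SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```

Out-of-scope devices are not checked for Memo field completeness, since the Memo's inventory requirement applies to IoT devices; they are still reported so the reviewer can confirm the scoping decision rather than silently losing the record.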
Best Practices
Within four months from the Memo’s publication date, the CISO Council will establish a working group to provide specialized IoT and OT security best practices.
IoT Waiver Process
Under the IoT Act, agency Chief Information Officers (CIOs) are generally prohibited from using, procuring, or obtaining any device that prevents compliance with NIST standards or renewing any contract related to it.
However, the Memo also outlines the following reasons that an agency may obtain a waiver and still use such a device:
- Interest of national security
- Necessary for research purposes
- Secured using alternative and effective methods appropriate to its function
Asimily Enables Compliance with Stated OMB Inventory and Reporting Requirements
IoT devices are integral to modernizing FCEB agency systems but create new risks. Simultaneously, the technologies that agencies use to identify, secure, and monitor their traditional IT environments often fail to work for IoT devices. To complicate matters further, IoT and OT technologies often supplement each other’s capabilities, but traditional OT uses different communication rules, syntax, and semantics.
Asimily focuses on identifying and securing IoT deployments, enabling agencies to monitor their devices and augment their OT-specific service providers.
Inventory
Asimily’s passive scanning solution inspects packets rather than initiating traffic, enabling you to identify and inventory all IoT devices without causing service disruptions. Our platform natively aligns with the OMB’s Asset Description, Asset Categorization, Network Connectivity, Vendor/Manufacturer Information, and Software and Firmware requirements by providing data like:
- Make
- Model
- Configurations
- Operating systems and versions
- Software and versions
- Applications
- IP address
- MAC address
- Port numbers
- Hostname
Asimily’s ability to correlate device data, like IP address or hostname, enables agencies to factor in the following when categorizing their assets:
- Function
- Location
- Criticality
Monitoring
Although the Memo focuses on creating an IoT asset inventory, this process acts as the first step toward incorporating IoT devices into security processes, like vulnerability management and continuous monitoring.
Asimily’s platform goes beyond providing agencies with a way to identify and inventory all IoT assets. It enables them to integrate these devices into their overarching security programs by aggregating and analyzing vulnerability data like:
- Manufacturer-supplied security data
- Open-source software components
- Vulnerability criticality
- Current attack methods using the vulnerability
Already-overburdened agency technology teams can use Asimily to prioritize vulnerability remediation activities, using our simple, short, and effective recommendations for securing IoT devices with alternative and effective methods appropriate to devices’ functions, including things like:
- Deactivating unnecessary services without impacting critical function
- Blocking risky services with a Network Access Control (NAC) tool
- Hardening vulnerable devices by updating their configurations
- Implementing micro-segmentation when altering configurations would affect device operations
As agencies work to secure their converged IoT and OT environments, they need technologies like Asimily to augment their current OT monitoring services. NIST identifies a limited number of IoT devices as OT technologies. However, while some overlap exists, not all IoT is OT and not all OT is IoT. Agencies should look for interoperable technologies that specialize in each unique technology and augment one another for a holistic approach to monitoring.
Incident Detection and Response
Section IX: Incident Reporting Requirements reminds agencies that they must report all incidents to CISA according to current and updated requirements in the CISA Federal Incident Notification Guidelines, expressly noting this includes events under investigation for 72 hours without a successful determination of root cause or nature.
Additionally, it reminds agencies that when reporting Major Incidents, they must notify CISA and the OMB OFCIO of all major incidents, including previously reported incidents that turn out to qualify as major incidents, within 1 hour of determining that a major incident occurred.
With Asimily, agencies build a layered approach to security that includes their IoT devices while also collecting the forensic data necessary for determining whether an incident qualifies as a major incident. By incorporating IoT data into their monitoring and forensic data capture, agencies can improve detection capabilities and reduce the likelihood that these devices create a blind spot that attackers can use.
Asimily enables agencies to collect and analyze technical forensic data about their IoT devices that they can correlate with other information like:
- RAM information from servers
- Traffic information from network devices
- Data transferred to an FTP server
Asimily: Enhanced IoT Security for FCEB Agencies
Asimily provides holistic context into an agency’s environment when calculating Likelihood-based risk scoring for devices. Our vulnerability scoring considers compensating controls so agencies can more appropriately prioritize remediation activities.
Organizations efficiently identify high-risk vulnerabilities with our proprietary, patented algorithm that cross-references vast amounts of data from resources like EPSS (Exploit Prediction Scoring System), Software Bills of Material (SBOMs), Common Vulnerability and Exposure (CVE) lists, the MITRE ATT&CK Framework, and NIST Guidelines. It understands an agency’s unique environment, so our deep contextual recommendation engine can provide real-time, actionable remediation steps to reduce risk and save time.
Asimily customers are 10x more efficient because the engine can pinpoint and prioritize the top 2% of problem devices that are High-Risk (High Likelihood of exploitation and High Impact if compromised). Asimily’s recommendations can easily be applied in several ways, including through seamless integration with NACs, firewalls, or other network enforcement solutions.
To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.