CISA Requires Federal Civilian Agencies to Secure Network Devices Exposed to Public Internet

The Cybersecurity and Infrastructure Security Agency has ordered federal civilian agencies to secure their networked management interfaces exposed to the public-facing internet.

In a recently issued binding operational directive, CISA called on the agencies to remove from their networks the devices that can be managed remotely via the public internet. Such devices include routers, switches, firewalls, VPN concentrators, proxies and load balancers.

Networked management interfaces are allowed to remain accessible from the internet if agencies implement access control capabilities that comply with the Trusted Internet Connection 3.0 Capability Catalog and the Zero Trust Maturity Model, among other cybersecurity standards, CISA said.

According to the directive, CISA will scan for devices and interfaces and notify agencies of all findings. Agencies have only 14 days following notification by CISA or discovery of a networked management interface to remove the device or implement a zero trust architecture.

CISA Director Jen Easterly, a two-time Wash100 awardee, said the guidance applies only to the federal civilian enterprise, but all organizations are encouraged to adopt the directive to reduce cyber risk and enhance cyber resilience.
