The Cybersecurity & Infrastructure Security Agency (CISA) has recently issued an advisory urging organizations to review the Federal Communications Commission’s (FCC) list of communications equipment and services deemed by the U.S. government to pose an unacceptable risk to national security. This call to action is part of CISA’s ongoing efforts to secure the nation’s critical infrastructure supply chains against cyber threats. Here’s what you need to know.
CISA is urging all critical infrastructure owners and operators to take necessary steps to secure the most critical supply chains in the country. The agency is calling on organizations to incorporate the Covered List into their supply chain risk management efforts to better protect their systems against cyber threats.
In addition to reviewing the FCC’s Covered List, CISA is also recommending that organizations adopt the recommendations outlined in the Defending Against Software Supply Chain Attacks advisory. The joint resource, developed by CISA and the National Institute of Standards and Technology (NIST), provides guidance on using NIST’s Cyber Supply Chain Risk Management (C-SCRM) framework to identify, assess and mitigate risks.
By following the guidance provided in the Defending Against Software Supply Chain Attacks advisory, organizations can strengthen their supply chain risk management practices and ensure their systems are protected against the latest cyber threats. The advisory covers a wide range of topics, including identifying critical software components, conducting vulnerability assessments and developing incident response plans.
Vulnerability Scanning Service
CISA is offering a free Vulnerability Scanning service to assist organizations in identifying vulnerable or high-risk devices, such as those on the FCC’s Covered List. The service is designed to help organizations identify potential security vulnerabilities in their systems and provide them with actionable recommendations to remediate the issues.
The Vulnerability Scanning service is part of CISA’s ongoing efforts to help organizations strengthen their cybersecurity posture and reduce their risk of a cyberattack. By taking advantage of this free service, organizations can proactively identify and address vulnerabilities in their systems before cybercriminals can exploit them.
Planning for Equipment Removal
CISA reminds affected U.S. government departments to plan for the removal of their equipment and, in the interim, determine how to ameliorate any adverse effects. This is particularly important for organizations currently using equipment or services on the FCC’s Covered List.
Organizations can minimize the impact of any potential cyber threats by developing a plan for equipment removal and ensuring that their critical infrastructure systems remain secure. This includes identifying alternative equipment or services that can replace high-risk equipment and developing a timeline for the transition.
The recent advisory from CISA highlights the ongoing need for organizations to take proactive steps to protect their critical infrastructure supply chains against cyber threats. By reviewing the FCC’s Covered List, adopting the recommendations outlined in the Defending Against Software Supply Chain Attacks advisory, and taking advantage of the Vulnerability Scanning service, organizations can strengthen their cybersecurity posture and reduce their risk of a cyberattack.