The Cybersecurity and Infrastructure Security Agency is requiring government entities to remove dedicated device interfaces from the public-facing internet when those interfaces are meant only for authorized users but are reachable over remote network protocols.
The agency on Tuesday issued a binding operational directive to fight cyberthreat campaigns that target improperly configured network devices to hack into sensitive federal data.
The directive applies to networked devices such as routers, proxy servers, switches, firewalls, VPN concentrators and load balancers, and also to out-of-band server management interfaces. The network protocols of concern include Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS), as well as File Transfer Protocol (FTP), Trivial FTP (TFTP), Remote Desktop Protocol (RDP) and Simple Network Management Protocol (SNMP).
The mandate does not affect networked management interfaces used for cloud service provider platforms.
CISA is also requiring federal civilian executive branch agencies to implement zero trust architecture to control access to the interfaces.
Federal offices are urged to take action within 14 days of discovering that an interface has been exposed.
“Too often, threat actors are able to use network devices to gain unrestricted access to organizational networks, in turn leading to full-scale compromise,” CISA Director Jen Easterly commented. “Requiring appropriate controls and mitigations outlined in this Directive is an important step in reducing risk to the federal civilian enterprise,” the Wash100 honoree added.