
Splunk for CISA Directives: Enabling Rapid Response and Ongoing Risk Exposure Assessments

In late January of this year, a few team members and I spent a Redbull®-fueled 36-hour sprint building out a process and a Splunk prototype to help organizations implement a rapid response to CISA Emergency Directive 19-01.

Once that was built and proven out, we spent the better part of February working with several customers to implement the prototype solution to address this emergency directive in their environments.

While working alongside these customers on the 19-01 deployments, we observed three key themes that customers needed help with:

  1. Quickly establishing a business process for assessment and continuous monitoring of the technical guidance from CISA directives.
  2. Maintaining an understanding of the applicable technical data due to the constant changes in their environments.
  3. Gaining holistic visibility across all relevant assets in their environment.

Recognizing that these themes impacted multiple customers led us to prioritize the development of a solution that addresses the “back catalog” of CISA directives for our May release cycle—we’re calling it Splunk for CISA Directives.

As with our response to CISA Emergency Directive 19-01, the Splunk for CISA Directives solution provides prescriptive capabilities that address the technical guidance from CISA. This solution enables:

  1. Continuous monitoring (CONMON) of technical guidance provided in CISA directives 16-02, 17-01, 18-01, 18-02, 19-01, and 19-02
  2. Flexible analytics and visualizations that dynamically accommodate architectural or source data changes across your environment
  3. Comprehensive, single pane-of-glass views into organizational cyber risk items prioritized in technical guidance provided in CISA directives.

To learn more about our approach and benefits your organization could realize from this solution:

In the meantime, you can read or download the Splunk for CISA Directives tech brief.

If you want to talk to an expert or have additional questions, please send a note to cisa_directives@splunk.com and we’ll make sure you’re connected with the right people on our team.

Well-informed readers have probably noticed that Binding Operational Directive (BOD) 16-03, the “Annual FISMA CIO Metrics” directive, was excluded from the Splunk for CISA Directives solution.

Why not include the Annual FISMA CIO Metrics reporting in this solution?

In the spirit of openness (a Splunk core value), I’ll share that there was considerable debate around this within my team as we were scoping out the development of Splunk for CISA Directives. In the end, we wanted to meet an end of April / early May release deadline and had to cut BOD 16-03. I should add that BOD 16-03 remains very much on my mind.

Last fall, we released the Splunk Compliance Analytics solution to help organizations address FISMA, DFARS, and RMF operational monitoring requirements. The CONMON / operational monitoring component of this solution is a perfect fit for rapid operationalization of technical controls monitoring, but does not address the “downstream reporting” requirements mandated in 16-03.

Having both the Splunk Compliance Analytics solution for CONMON / operations and a BOD 16-03 solution for Annual FISMA CIO Metrics reporting would be a natural path forward for holistic monitoring and reporting on technical controls mandated in CISA Directives.

Let us know if a pre-built, prescriptive solution for reporting on the Annual FISMA CIO Metrics would be valuable for your organization. If there is enough interest from customers, we may be able to prioritize 16-03 in a future production cycle.

Posted by Anthony Perez

Anthony is Director of Field Technology for Splunk’s public sector headquarters in McLean, Virginia. Prior to joining Splunk, Anthony spent several years at a global consulting firm where he led the development and execution of novel approaches for aggregating, analyzing, and assessing cyber threats to US interests.

Mr. Perez is a graduate of the Whiting School of Engineering at Johns Hopkins University and holds an M.S. in Information Systems specializing in Security.
