The Cybersecurity and Infrastructure Security Agency (CISA) published the Cyber Defense Plan for Remote Monitoring and Management (RMM), the first proactive Plan developed by industry and government partners through the Joint Cyber Defense Collaborative (JCDC) as part of our 2023 Planning Agenda. This Plan provides a clear roadmap to advance security and resilience of the RMM ecosystem and further specific lines of effort in the National Cyber Strategy to scale public-private collaboration and in the CISA Cybersecurity Strategic Plan to drive adoption of the most impactful security measures.
Organizations across sectors leverage RMM products to gain efficiencies and benefit from scalable services. These same benefits, however, are increasingly targeted by adversaries – from ransomware actors to nation-states – to compromise large numbers of downstream customer organizations. By targeting RMM products, threat actors attempt to evade detection and maintain persistent access, a technique known as living off the land.
Part of our 2023 Planning Agenda, the RMM Cyber Defense Plan provides a clear roadmap to advance security and resilience of this critical ecosystem, including RMM vendors, managed service providers (MSPs), managed security service providers (MSSPs), small and medium sized businesses (SMBs), and critical infrastructure operators. This Plan was developed through a multi-month process that leveraged deep expertise by vendors, operators, agencies, and other stakeholders, and has already resulted in a significant deliverable with publication of our joint advisory on Protecting Against Malicious Use of Remote Monitoring and Management Software.
The RMM Cyber Defense Plan is built on two foundational pillars, operational collaboration and cyber defense guidance, and contains four subordinate lines of effort:
(1) Cyber Threat and Vulnerability Information Sharing: Expand the sharing of cyber threat and vulnerability information between U.S. government and RMM ecosystem stakeholders.
(2) Enduring RMM Operational Community: Implement mechanisms for an enduring RMM operational community that will continue to mature scaled security efforts.
(3) End-User Education: Develop and enhance end-user education and cybersecurity guidance to advance adoption of strong best practices, a collaborative effort by CISA, interagency partners and other RMM ecosystem stakeholders.
(4) Amplification: Leverage available lines of communication to amplify relevant advisories and alerts within the RMM ecosystem.
“As envisioned by Congress and the Cyberspace Solarium Commission, JCDC Cyber Defense Plans are intended to bring together diverse stakeholders across the cybersecurity ecosystem to understand systemic risks and develop shared, actionable solutions. The RMM Cyber Defense Plan demonstrates the criticality of this work and the importance of both deep partnership and proactive planning in addressing systemic risks facing our country,” said Eric Goldstein,CISA Executive Assistant Director for Cybersecurity. “These planning efforts are dependent on trusted collaboration with our partners, and this Plan was a true partnership with the RMM community, industry and interagency partners that contributed time and effort towards this important work. The collaboration established to develop this plan has already achieved several accomplishments for RMM stakeholders and ecosystem. As the JCDC leads the execution of this plan, we are confident that this public-private collaboration in the RMM ecosystem will further reduce risk to our nation’s critical infrastructure.”
Roger Grimes, data-driven defense evangelist at cybersecurity company KnowBe4, commented:
“This is a humongous important initiative that CISA and its partners have announced. It will likely have a sweeping impact across future generations and significantly reduce cybersecurity risk, especially in the industrial and mission-critical infrastructure space. Why? Because remote management systems have been a multi-decade, continuous, never-stopping weakness in our systems. A weakly coded or configured remote interface can bypass all the other protections put around a system. It happens all the time. CISA, with its partners, is putting together a comprehensive approach to decreasing remote management risk using a combination of people, processes, and tools. I'm especially delighted to see an entire tier devoted to education because that's usually the missing mission-critical tier that is missing in most responsive defensive plans. Not this time. Only time will tell if what CISA is announcing here will return the expected dividends, but the ideas and framework for great success are put in place. I once again give big kudos for what CISA is bringing about.”
The JCDC 2023 Planning Agenda is a forward-looking effort that is bringing together government and the private sector to develop and execute cyber defense plans that achieve specific risk reduction goals and enable more focused collaboration. To learn more about the JCDC, visit CISA.gov/JCDC.
All organizations are encouraged to review the JCDC RMM Cyber Defense Plan.