USGS Hardware Asset Management (HWAM)

The USGS Hardware Asset Management (HWAM), leveraging the Department of Interior’s HWAM program, is designed to:

  • Give organizations visibility into the hardware devices, including removable media, operating on the network
  • Discover new devices that connect to the network
  • Identify all devices actually present
  • Address whether the device is authorized on the network
  • Address whether someone is assigned to manage the device
  • Prevent malicious or compromised hardware from being installed on the system
  • Reduce the number of easy-to-compromise devices that are not actively administered
  • Prevent unauthorized hardware from being used for data exfiltration

ForeScout CounterACT is used to meet DOI’s HWAM requirements and is administered by the DOI Office of the Chief Information Officer (OCIO). Network assets are identified by the following methods:

  • ForeScout CounterACT Agent installation on supported endpoint operating systems. [This is done via BigFix for Windows, Linux, and macOS.]
  • Configuration of network equipment via Simple Network Management Protocol (SNMP) for ForeScout CounterACT reporting:
    • Routers
    • Managed Switches
    • Wireless Access Points
    • Other Networking Equipment supporting SNMP

In addition to the mandatory ForeScout CounterACT SNMP settings, FISMA tagging is also required so that every IP-addressable device on the network is associated with a given FISMA System Boundary. Once the tagging is complete, each device is considered “authorized” by the automated hardware asset management (HWAM) capability that the Continuous Diagnostics and Mitigation (CDM) program delivers through ForeScout CounterACT.

Until this work is complete, each device that is not tagged will be considered “unauthorized”, which will impact DOI’s CDM Risk Score published to DHS and OMB. DOI will use hardware authorization to identify unauthorized devices on department networks and to develop management-level reports from this information.

All Network Equipment and Connected Network Devices must be configured for SNMP and FISMA tagging

SNMP is required so the OCIO can perform NMAP scans of the environment and have the results reported back to the ForeScout database; the eventual goal is to use this data for Seamless Access/NAC (Network Access Control of unauthorized hardware).

  • The OCIO requires that we apply FISMA tagging to all objects:
    • BigFix applies FISMA tagging to systems that have a ForeScout CounterACT agent on them; this data is synced to the ForeScout database.
    • Switches must have the FISMA tag added to the location field: at the end of the location field, add FISMA=<FISMA ID #>. If your managed switch is not configured, follow the instructions below using your manufacturer’s guidelines on SNMP configuration for your switch model.
  • Limited general guidance on vendor-specific hardware configurations may be found on the USGS ACIO ISO Enterprise Security Standards SharePoint site.

The FISMA ID represents the 12 major FISMA reportable systems of USGS.

Your site’s subsystem ID should not be used. If you do not know your Major FISMA Reporting ID, cross-check it with the BigFix A&A Boundary Properties sheet: look up your Subsystem Name, and look to the left for the System Acronym/System Name.

Asset #   Abbreviation   FISMA ID #   OLD FISMA ID #
901       ADMIN          USGS-0446    2258
902       ANSS           USGS-0320    989
903       CHSVDC         USGS-0416    2148
904       SSAR           USGS-0451    2266
905       EROS           USGS-0526    2403
907       ECSCS          USGS-0377    1783
908       EI             USGS-0455    2272
910       INFRA          USGS-0321    992
911       NMRP           USGS-0323    996
913       SSS            USGS-0378    1784
914       SHAKE          USGS-0538    2440
915       WAT            USGS-0515    2353
928       GCPEE          USGS-0587    2546

Verification of SNMP Configuration

When the SNMP configuration has been verified and FISMA tagging is in place, put in a ticket to the Service Desk stating that verification is done and FISMA tagging is in place, and ask them to assign it to the ESS queue. Communication can then be confirmed with the department.
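Before putting in the ticket, a site admin can check each switch’s location field the way ForeScout will see it. The following is an added example (not from this page or from the DOI/ForeScout tooling): it takes the string that `snmpget ... SNMPv2-MIB::sysLocation.0` would return, confirms the field ends with FISMA=<FISMA ID #>, and checks that ID against the Major FISMA IDs in the table above; the switch names and location strings are constructed.

```python
import re
from typing import Optional, Tuple

# Major FISMA reportable system IDs, taken from the table on this page.
MAJOR_FISMA_IDS = {
    "USGS-0446", "USGS-0320", "USGS-0416", "USGS-0451", "USGS-0526",
    "USGS-0377", "USGS-0455", "USGS-0321", "USGS-0323", "USGS-0378",
    "USGS-0538", "USGS-0515", "USGS-0587",
}

# The tag must be the LAST element of sysLocation: "... FISMA=<FISMA ID #>"
TAG_RE = re.compile(r"FISMA=(?P<fisma_id>\S+)\s*$")


def extract_fisma_tag(location: str) -> Optional[str]:
    """Return the FISMA ID that ends the sysLocation string, or None."""
    m = TAG_RE.search(location)
    return m.group("fisma_id") if m else None


def check_location(location: str) -> Tuple[bool, str]:
    """Classify a sysLocation value as (authorized, reason).
    Only a Major FISMA ID from the table authorizes the device."""
    fisma_id = extract_fisma_tag(location)
    if fisma_id is None:
        return False, "no FISMA= tag at the end of the location field"
    if fisma_id in MAJOR_FISMA_IDS:
        return True, f"tagged with Major FISMA ID {fisma_id}"
    if re.fullmatch(r"USGS-\d+", fisma_id):
        return False, f"{fisma_id} is not a Major FISMA ID from the table"
    return False, f"malformed FISMA tag value {fisma_id!r}"


def audit(locations: dict) -> dict:
    """Run check_location over a {switch name: sysLocation} map."""
    return {name: check_location(loc) for name, loc in locations.items()}


# Constructed sysLocation values (hypothetical switch names and locations),
# as snmpget would return them from a site's switches.
SAMPLE_LOCATIONS = {
    "sw-bldg1-fl2": "Building 1, Floor 2, Closet A FISMA=USGS-0321",
    "sw-bldg1-fl3": "Building 1, Floor 3, Closet B",       # no tag at all
    "sw-lab-4": "Lab 4 FISMA=USGS-9999",                   # not a Major ID
    "sw-lobby": "FISMA=USGS-0446 Lobby rack",              # tag not at end
}

if __name__ == "__main__":
    for name, (ok, reason) in audit(SAMPLE_LOCATIONS).items():
        print(f"{name}: {'authorized' if ok else 'UNAUTHORIZED'} - {reason}")
```

Only the first sample switch passes; the other three show the cases that leave a device “unauthorized” in the CDM data until the location field is corrected.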

Frequently Asked Questions

Q: Does Lumen Enterprise Services Network tag the router/switch that they manage?

A: Yes, DOI works with them on that.

Q: My copier has SNMP settings, do I need to tag the machine or just the switch?

A: At present, you are only required to put the ForeScout SNMP settings and FISMA tagging on your locally managed switches, but we will need to work with OCIO to ensure that all other network devices touching the network are identified as authorized and tagged. This will require a review of the data in the database, with onsite IT confirming what each device is and that it is correctly tagged with its FISMA ID.

Q: How long are Forescout CounterACT records maintained?

A: ForeScout CounterACT maintains the data for 3 days. It also sends the data to syslog, from which it is forwarded to DOI’s Splunk instance and ultimately made visible in the DOI CDM Dashboard.

Q: How often do nmap scans happen?

A: Nmap is initiated when a host comes online.

Q: What about devices on my network such as copiers, postage stamp machines, teleconference devices, laboratory equipment, or other peripherals that will connect to the network but cannot support the installation of the ForeScout Agent or SNMP settings?

A: If the device shows up in an NMAP scan and is not auto-tagged with the “agent” through BigFix tagging, or if the FISMA tag is not on the device, the systems will need to be identified by their MAC address and the ForeScout team will need to assign the FISMA tag against that MAC address. This is a long-term process that hasn’t been worked out yet. For now, we will work on pulling a report of each center’s data and having them evaluate it through the A&A Self-Assessment process for CM-08.

Additional Information

Additional information on the United States Computer Emergency Readiness Team Continuous Diagnostics and Mitigation Hardware Asset Management (US-CERT HWAM) Program can be found here.

Additional information about USGS Continuous Diagnostics and Mitigation (CDM) Program can be found here.