Scanning, compliance and vulnerability requirements


If you're a contractor with us, know the cybersecurity requirements for scanning, compliance and vulnerability management.

Automated asset discovery

  • Must perform automated asset discovery including the entire inventory within the boundary every 7 days
  • Scanning must include discovering managed endpoints (e.g., servers, workstations), network devices (e.g., routers, switches), mobile devices and any other nomadic/roaming devices

Vulnerability assessments

  • Required to report all vulnerability findings in machine-readable format
  • Vulnerability scanning should include scanning with full authorization
  • Assessments must use Common Vulnerability Scoring System (CVSS) risk scoring
  • All vulnerability detection signatures used must be updated at an interval no greater than 24 hours from the last vendor-released signature update. Keeping the vulnerability database up to date is crucial, as new vulnerabilities are constantly emerging. Contractors must be able to provide evidence of the latest signature update
  • On-premises information systems (e.g., host, database, mobile devices, applications etc.) will be required to use the IRS standard vulnerability management tools and applications with IRS-mandated configurations
  • Cloud-based service offerings will be required to provide monthly vulnerability reporting and meet these guidelines

Network vulnerability scanning

  • Continuous scanning of network infrastructure and devices for vulnerabilities
  • Identification and remediation of vulnerabilities in network protocols, services, and configurations
  • Utilization of network vulnerability scanning tools to detect and prioritize vulnerabilities
  • Vulnerability enumeration: Initiate vulnerability enumeration across all discovered assets every 14 calendar days, using privileged credentials

Host-based vulnerability scanning

  • Scanning of hosts (e.g., servers, workstations, mobile devices) for vulnerabilities at a minimum of every 14 calendar days
  • Identification and remediation of vulnerabilities in operating systems, services and applications installed on hosts
  • Utilization of host-based vulnerability scanning tools to assess the security posture of individual systems

Application and development security

  • Regular scanning of web applications for vulnerabilities such as OWASP Top 10 vulnerabilities (e.g., injection flaws, cross-site scripting, insecure deserialization) at a minimum of every 14 calendar days
  • Utilization of automated web-vulnerability scanning tools
  • Regular patching, updates and remediation to address discovered vulnerabilities
  • Establishing a formal code review process that includes both manual and automated techniques
  • Conducting static code analysis using automated scanning tools to identify potential security vulnerabilities and coding errors
  • Integrating static code analysis into the development pipeline to detect issues early in the development process

Container vulnerability security

  • All virtual images must be scanned, and vulnerabilities remediated accordingly
  • Containers should not contain any high or critical vulnerabilities when promoted to production
  • Vulnerability scanner should have capability of detecting outdated libraries, software and operating systems in container images. Scanning tools should be able to identify known vulnerabilities in the components that make up a container
  • Integrating vulnerability scanning into the CI/CD pipeline to catch issues early in the development process before container images are deployed
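As an added illustration of the container promotion gate above (and of the machine-readable CVSS reporting and 24-hour signature-freshness requirements under Vulnerability assessments), the following is example code written for this page, not an IRS tool or mandated configuration. The report layout, the image name and the VULN-EXAMPLE-* identifiers are constructed assumptions; the severity bands are the CVSS v3.x qualitative ratings.

```python
"""CI/CD promotion gate (illustrative): refuse to promote a container image when
its machine-readable scan report contains any High or Critical CVSS finding, or
when the scanner's signature database is more than 24 hours old."""
from datetime import datetime, timedelta

# CVSS v3.x qualitative severity bands: score floor -> label.
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]
MAX_SIGNATURE_AGE = timedelta(hours=24)   # page requirement: <= 24h behind vendor
BLOCKING = {"Critical", "High"}           # page requirement: none in production


def cvss_severity(score: float) -> str:
    """Map a numeric CVSS base score to its qualitative rating."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "None"


def evaluate_report(report: dict, now_iso: str) -> dict:
    """Decide whether the image may be promoted; explain every reason it cannot."""
    now = datetime.fromisoformat(now_iso)
    signature_age = now - datetime.fromisoformat(report["signature_updated"])
    reasons, blocking = [], []
    if signature_age > MAX_SIGNATURE_AGE:
        reasons.append(f"signature database is {signature_age} old (limit 24h)")
    for finding in report["findings"]:
        severity = cvss_severity(finding["cvss"])
        if severity in BLOCKING:
            blocking.append((finding["id"], finding["component"], severity))
    if blocking:
        reasons.append(f"{len(blocking)} High/Critical finding(s) present")
    return {"promote": not reasons, "reasons": reasons, "blocking": blocking}


# Constructed sample report; identifiers are placeholders, not real CVEs.
SAMPLE_REPORT = {
    "image": "registry.example/app:1.2.3",
    "signature_updated": "2024-05-01T06:00:00+00:00",
    "findings": [
        {"id": "VULN-EXAMPLE-1", "component": "libexample 1.0", "cvss": 9.8},
        {"id": "VULN-EXAMPLE-2", "component": "toolkit 2.1", "cvss": 5.3},
        {"id": "VULN-EXAMPLE-3", "component": "base-os", "cvss": 7.5},
    ],
}

if __name__ == "__main__":
    decision = evaluate_report(SAMPLE_REPORT, "2024-05-01T12:00:00+00:00")
    print("PROMOTE" if decision["promote"] else "BLOCKED", decision["reasons"])
```

In a pipeline the same decision would be made from the scanner's exported report, with the blocking list and the signature timestamp retained as the evidence the page asks contractors to provide.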

Database vulnerability scanning

  • Regular scanning of database systems for vulnerabilities including but not limited to misconfigurations, weak authentication and SQL injection vulnerabilities at a minimum of every 14 calendar days
  • Implementation of database security best practices to mitigate identified vulnerabilities
  • Use of automated tools to conduct vulnerability assessments on database systems

Configuration management

  • Establishing and maintaining configuration baselines for all systems, environments, networks and devices
  • Documenting approved configurations for hardware, software and firmware components
  • Implementing continuous monitoring tools and processes to detect and report changes to system configurations in near real-time
  • Monitoring for deviations from established configuration baselines and promptly remediating any unauthorized changes

Penetration testing

  • Perform independent third-party penetration testing prior to go-live in an environment as close as possible to the production environment
  • Annual penetration testing of the production environment to assess the security of the entire environment, including web applications, network infrastructure, databases and host systems
  • Testing should simulate real-world attack scenarios to identify potential vulnerabilities and weaknesses
  • Documentation of penetration testing results, including identified vulnerabilities, recommended mitigations and the status of remediation efforts, must be provided

Supply chain risk management

  • Implement measures to improve software supply chain security. Businesses selling to the federal government must improve their software supply chain security practices, such as securing development environments, scanning code and creating software bills of materials (SBOMs)
