CISA is conducting a limited pilot of Crossfeed, an asset discovery tool used to monitor and gather information about vulnerabilities on public-facing election infrastructure assets. Crossfeed collects data from a variety of open source tools, publicly-available resources, and data feeds to provide actionable information about election assets so participating entities can harden such infrastructure in the face of aggressive cyber adversaries.
As part of this limited pilot, Crossfeed only performs passive data collection — using third-party application programming interfaces (APIs) and standard web scraping techniques used by search engines — and limits its scope to public-facing assets. This Crossfeed “passive” pilot will run through the 2020 general election.
State, local, tribal, and territorial (SLTT) entities may notice limited web scraping traffic from Crossfeed on their public-facing election assets. All traffic from Crossfeed to SLTT entities is marked by a “Crossfeed” User-Agent header and is cryptographically signed so that entities can verify that the web traffic is coming from CISA. For instructions on verifying scans and other frequently asked questions, see Crossfeed’s documentation here.
CISA analysts will use data from Crossfeed to better understand the risks and status of the elections cyber infrastructure landscape, and communicate with entities if serious vulnerabilities are discovered.
Crossfeed is developed as an open-source tool, and its code is available on GitHub here.
(CISA is also concurrently conducting a separate “active” pilot of Crossfeed, which involves Crossfeed directly querying participating organization internet-facing network assets to confirm the presence of any vulnerabilities on those systems. A limited number of SLTT entities have accepted invitations to participate in this “active” pilot and provided authorization for their systems to be scanned as part of the “active” pilot.)