The Crossfeed concept revolves around collecting data from a variety of open-source tools, publicly available resources, and data feeds. Correlated, this data provides a more comprehensive picture of an organization's posture and exposure, along with a snapshot of its assets as an attacker would see them. Crossfeed enables organizations to make better-informed risk decisions, gives CISA greater insight into vulnerabilities in public-facing assets that support national critical functions, and helps CISA fulfill its existing vulnerability management requirements.
In 2020, the Cybersecurity and Infrastructure Security Agency (CISA) began piloting a tool called Crossfeed, developed in collaboration with the Defense Digital Service, to better understand the risks and status of the nation's cyber infrastructure landscape and to notify entities when serious vulnerabilities were discovered.
As part of this pilot, Crossfeed mostly performed passive data collection, using third-party application programming interfaces (APIs) and the same standard web-scraping techniques that search engines use. CISA also conducted a limited "active" pilot of Crossfeed, in which Crossfeed directly queried participating organizations' internet-facing network assets to confirm whether suspected vulnerabilities were actually present on those systems. Entities participating in the active portion of the pilot provided written authorization for their systems to be scanned directly and could review scan results and their security posture through the Crossfeed web portal.
While the active pilot concluded as of Oct. 1, 2021, CISA will continue to conduct limited, passive scanning to alert Federal agencies, SLTT entities, and critical infrastructure operators across the nation to any serious vulnerabilities. Scanned entities may notice limited web-scraping traffic from Crossfeed on their public-facing assets. All traffic from Crossfeed to scanned assets carries a "Crossfeed" User-Agent header and is cryptographically signed so that entities can verify that the traffic is coming from CISA. Because anyone can set a User-Agent header, the signature, not the header, is what establishes that a request is genuine. For instructions on verifying scans and other frequently asked questions, please refer to Crossfeed's documentation.
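The following is an added illustration, not code from CISA or the Crossfeed project, of the check a receiving organization would want: treat the User-Agent only as a filter for which requests to examine, and accept a request as scanner traffic only when its signature verifies against the published public key. Crossfeed's actual signing scheme, header names, and key distribution are described in its documentation and are not reproduced here; this example assumes an Ed25519 signature over the request line and Date header carried in a hypothetical X-Scan-Signature header, and generates a throwaway key pair in place of the published key so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
)

// Assumed names for illustration only; use the values from Crossfeed's documentation.
const (
	scannerUserAgent = "Crossfeed"
	signatureHeader  = "X-Scan-Signature" // hypothetical header name
)

// signingString is the assumed canonical form covered by the signature:
// request line plus Date header, so the same signature cannot be replayed
// against a different path or at a different time.
func signingString(r *http.Request) []byte {
	return []byte(r.Method + " " + r.URL.RequestURI() + "\n" + r.Header.Get("Date"))
}

// SignRequest is the scanner side of the assumed scheme; it is included only
// so that the verifier below can be exercised without network access.
func SignRequest(r *http.Request, priv ed25519.PrivateKey) {
	sig := ed25519.Sign(priv, signingString(r))
	r.Header.Set(signatureHeader, base64.StdEncoding.EncodeToString(sig))
}

// VerifyScanner decides whether a request genuinely comes from the scanner.
// The User-Agent check only selects candidate requests; anyone can send
// "User-Agent: Crossfeed", so the decision rests on the signature alone.
func VerifyScanner(r *http.Request, pub ed25519.PublicKey) (bool, string) {
	if r.Header.Get("User-Agent") != scannerUserAgent {
		return false, "not a scanner user-agent"
	}
	encoded := r.Header.Get(signatureHeader)
	if encoded == "" {
		return false, "scanner user-agent but no signature (possible spoof)"
	}
	sig, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false, "malformed signature"
	}
	if !ed25519.Verify(pub, signingString(r), sig) {
		return false, "signature does not verify against the published key"
	}
	return true, "verified"
}

// newRequest builds a constructed sample request for the demonstration.
func newRequest(path, ua string) *http.Request {
	r, _ := http.NewRequest("GET", "https://www.example.gov"+path, nil)
	r.Header.Set("User-Agent", ua)
	r.Header.Set("Date", "Mon, 04 Oct 2021 12:00:00 GMT")
	return r
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the published key
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)

	genuine := newRequest("/robots.txt", scannerUserAgent)
	SignRequest(genuine, priv)

	spoofed := newRequest("/robots.txt", scannerUserAgent) // right User-Agent, no signature

	wrongKey := newRequest("/robots.txt", scannerUserAgent)
	SignRequest(wrongKey, otherPriv)

	tampered := newRequest("/robots.txt", scannerUserAgent)
	SignRequest(tampered, priv)
	tampered.URL.Path = "/admin" // path altered after signing

	samples := map[string]*http.Request{
		"genuine": genuine, "spoofed": spoofed, "wrong-key": wrongKey, "tampered": tampered,
	}
	for name, r := range samples {
		ok, why := VerifyScanner(r, pub)
		fmt.Printf("%-9s ok=%-5v %s\n", name, ok, why)
	}
}
```

Only the request signed with the key matching the published public key passes; a request that merely carries the "Crossfeed" User-Agent, one signed with a different key, and one whose path was changed after signing are all rejected. In production the public key would be loaded from the location Crossfeed's documentation specifies rather than generated at startup.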
CISA is currently reviewing Crossfeed's functionality, features, and data sources, applying lessons learned during the pilot, to augment its existing services and enhance the Crossfeed experience. We hope to onboard organizations that would like to understand more about how their external network posture looks using this concept sometime next year.
In the meantime, our cost-free Cyber Hygiene Vulnerability Scanning (VS) service provides similar insight into organizations' external network posture and vulnerabilities via weekly reports and ad-hoc alerts. Because it is IP-based rather than domain-based, we recommend signing up for this service to cover every statically assigned, external asset IP you have.
We also offer a cost-free Cyber Hygiene Web Application Scanning (WAS) service, which is conducted by domain either monthly or quarterly depending on your organization's preference. Its legal authorization document takes the form of an appendix to the Cyber Hygiene Vulnerability Scanning Acceptance Letter.