The Crossfeed concept revolves around collecting data from a variety of open-source tools, publicly available resources, and data feeds. This data provides a more comprehensive picture of organizations’ posture and exposure along with a snapshot of their assets from an attacker’s perspective. Crossfeed enables organizations to make better-informed risk decisions, provides CISA with greater insight on vulnerabilities in public-facing assets supporting National Critical Functions, and enables CISA to better fulfill its existing vulnerability management requirements.
Available on CISAgov GitHub
While Crossfeed is currently not accepting enrollment, it is developed as an open-source tool. If you would like to stand up your own instance, the code is available on our GitHub.
In 2020, CISA began piloting a tool called Crossfeed, which was developed in collaboration with Defense Digital Service, to better understand the risks and status of the cyber infrastructure landscape across the nation and to communicate with entities if serious vulnerabilities were discovered.
As part of this pilot, Crossfeed mostly performed passive data collection using third-party application programming interfaces (APIs) and standard web scraping techniques used by search engines. CISA also conducted a limited “active” pilot of Crossfeed, which involved Crossfeed directly querying participating organizations’ internet-facing network assets to confirm the presence of any vulnerabilities on those systems. Entities participating in the active portion of the pilot provided authorization for their systems to be scanned directly and were able to review scan results and their security posture through the Crossfeed web portal.
While the active pilot has concluded as of Oct. 1, 2021, CISA will continue to conduct limited, passive scanning to alert Federal agencies, SLTT entities, and critical infrastructure operators across the nation of any serious vulnerabilities. All traffic from Crossfeed to scanned assets is marked by a "Crossfeed" User-Agent header and is cryptographically signed so that entities can verify that the web traffic is coming from CISA. For instructions on verifying scans and other frequently asked questions, please refer to Crossfeed's documentation.