CISA Issues Binding Directive To Combat Internet-Related Risks
The Cybersecurity and Infrastructure Security Agency (CISA) today issued an order requiring federal civilian agencies to remove certain internet-exposed management interfaces. The risk from "improperly configured network devices" is too great, the agency said, and agencies must either remove specific internet-exposed management interfaces or implement zero-trust architecture solutions that enforce access control on those interfaces, on devices such as virtual private network concentrators, firewalls, routers and switches.
Binding Operational Directive (BOD) 23-02, Mitigating the Risk From Internet-Exposed Management Interfaces, is part of CISA's and the federal government's effort to move the federal civilian enterprise to a more defensible state, and will further reduce the attack surface of government networks, the agency indicated.
“Too often, threat actors are able to use network devices to gain unrestricted access to organizational networks, in turn leading to full-scale compromise,” said CISA Director Jen Easterly. “Requiring appropriate controls and mitigations outlined in this Directive is an important step in reducing risk to the federal civilian enterprise. While this Directive only applies to federal civilian agencies, as the threat extends to every sector, we urge all organizations to adopt this guidance. When it comes to reducing cyber risk and ensuring resilience, we all have a role to play.”
CISA specified that the directive applies to devices that both:
- reside on or support federal information systems and networks and fall into the following classes: routers, switches, firewalls, VPN concentrators, proxies, load balancers, and out-of-band server management interfaces; and
- have management interfaces that use network protocols for remote management over the public internet, including, but not limited to, hypertext transfer protocol (HTTP), hypertext transfer protocol secure (HTTPS), file transfer protocol (FTP), simple network management protocol (SNMP), teletype network (Telnet), trivial file transfer protocol (TFTP), remote desktop protocol (RDP), remote login (rlogin), remote shell (rsh), secure shell (SSH), server message block (SMB), virtual network computing (VNC), and X11 (X Window system).
The agency noted that the order does not apply to web applications and interfaces used for managing cloud service provider offerings, such as application programming interfaces or management portals.
In addition, any zero-trust solutions employed must adhere to federal standards. "Networked management interfaces are allowed to remain accessible from the internet on networks where agencies employ capabilities to mediate all access to the interface in alignment with OMB M-22-09, NIST 800-207, the TIC 3.0 Capability Catalog, and CISA's Zero Trust Maturity Model," CISA specified.
CISA will scan for such devices and interfaces and will notify agencies. Within 14 days of notification by CISA, or of discovery by another party, of a networked management interface, an agency must take the actions outlined in the directive.
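The scoping rules above (covered device class, remote-management protocol reachable from the public internet, the exclusion for cloud-provider portals, the zero-trust mediation exemption, and the 14-day window) can be applied mechanically to an agency's own asset inventory. The following is an added example written for this article, not CISA's code or tooling: it assumes the inventory already identifies management-plane listeners and records the outcome of a firewall/ACL reachability review, and the port-to-protocol map it uses for labelling is a conventional-default assumption, since the directive names protocols, not ports. The sample inventory is constructed.

```python
"""Inventory scoping check for the management-interface criteria in BOD 23-02.

Added example, not CISA's or any vendor's code. It applies the directive's
two scope criteria (covered device class AND remote-management protocol
reachable from the public internet), its exclusion for cloud-provider
management portals, and its exemption for interfaces whose access is fully
mediated by zero-trust controls, to a constructed asset inventory.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Device classes named in the directive.
COVERED_CLASSES = {
    "router", "switch", "firewall", "vpn_concentrator",
    "proxy", "load_balancer", "oob_server_management",
}

# Protocols named in the directive, keyed by their conventional default port.
# The directive lists protocols, not ports; this map is an assumption used
# only to label findings, and the directive's list is "not limited to" these.
DIRECTIVE_PROTOCOLS = {
    80: "HTTP", 443: "HTTPS", 21: "FTP", 161: "SNMP", 23: "Telnet",
    69: "TFTP", 3389: "RDP", 513: "rlogin", 514: "rsh", 22: "SSH",
    445: "SMB", 5900: "VNC", 6000: "X11",
}

REMEDIATION_WINDOW = timedelta(days=14)


@dataclass(frozen=True)
class ManagementListener:
    """One management-plane listener from the inventory (constructed data)."""
    host: str
    device_class: str
    port: int
    # Outcome of the firewall/ACL review: True/False, or None if not yet reviewed.
    internet_reachable: Optional[bool] = None
    # All access mediated per OMB M-22-09 / NIST 800-207 / TIC 3.0 / ZTMM.
    zero_trust_mediated: bool = False
    # Cloud service provider console or API: excluded by the directive.
    cloud_provider_portal: bool = False


def protocol_label(port: int) -> str:
    """Protocol name for a port; unknown ports are still in scope."""
    return DIRECTIVE_PROTOCOLS.get(port, f"port {port} (not in directive list, still in scope)")


def assess(listener: ManagementListener) -> tuple:
    """Return (verdict, reason); verdict is out_of_scope, review, compliant or action_required."""
    if listener.cloud_provider_portal:
        return "out_of_scope", "cloud service provider management interface"
    if listener.device_class not in COVERED_CLASSES:
        return "out_of_scope", f"device class '{listener.device_class}' not covered"
    if listener.internet_reachable is None:
        return "review", "internet reachability not yet determined by ACL review"
    if not listener.internet_reachable:
        return "out_of_scope", "management interface not reachable from the public internet"
    if listener.zero_trust_mediated:
        return "compliant", "access mediated by zero-trust controls (directive exemption)"
    return "action_required", (
        f"{protocol_label(listener.port)} management interface exposed to the internet: "
        "remove it from the internet or place it behind a policy enforcement point"
    )


def review_inventory(inventory) -> dict:
    """Group listener hostnames by verdict, preserving inventory order."""
    grouped = {"out_of_scope": [], "review": [], "compliant": [], "action_required": []}
    for listener in inventory:
        verdict, _ = assess(listener)
        grouped[verdict].append(listener.host)
    return grouped


def remediation_deadline(notified_on: date) -> date:
    """Date by which the directive's required actions must be completed."""
    return notified_on + REMEDIATION_WINDOW


# Constructed sample inventory (hostnames and data are fictional).
SAMPLE_INVENTORY = [
    ManagementListener("core-rtr-01", "router", 22, internet_reachable=True),
    ManagementListener("vpn-gw-01", "vpn_concentrator", 443, internet_reachable=True,
                       zero_trust_mediated=True),
    ManagementListener("ilo-db-07", "oob_server_management", 443, internet_reachable=False),
    ManagementListener("sw-floor3", "switch", 23),
    ManagementListener("lb-edge-02", "load_balancer", 8443, internet_reachable=True),
    ManagementListener("cloud-console", "proxy", 443, internet_reachable=True,
                       cloud_provider_portal=True),
    ManagementListener("kiosk-lobby", "workstation", 3389, internet_reachable=True),
]

if __name__ == "__main__":
    for item in SAMPLE_INVENTORY:
        verdict, reason = assess(item)
        print(f"{item.host:14} {verdict:16} {reason}")
    print("deadline if notified today:", remediation_deadline(date.today()))
```

Two design points worth noting: an unreviewed listener is reported as `review` rather than silently treated as safe, because the directive's clock starts at notification or discovery regardless of whether the agency has finished its own review; and a listener on a port outside the directive's protocol list is still flagged, since the list is explicitly "not limited to" those protocols.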
For questions, assistance and reporting, agencies can contact CyberDirectives@cisa.dhs.gov.