CISA’s New Binding Cyber Directive Takes Aim at Federal Networks
The Cybersecurity and Infrastructure Security Agency (CISA) issued a new mandate today meant to grow federal agencies’ asset visibility and network vulnerability detection capabilities. The binding directive, Improving Asset Visibility and Vulnerability Detection on Federal Networks (BOD 23-01), requires agencies to discover and maintain an inventory of all IP-addressable networked assets on their networks, including the Internet Protocol (IP) addresses associated with each asset.
In addition, agencies must perform vulnerability enumeration: identifying and reporting suspected vulnerabilities on those assets, including outdated operating systems and applications, missing patches, open ports and misconfigurations. Where technically feasible, the enumeration is to use privileged (credentialed) or agent-based methods rather than unauthenticated external scanning alone, since the latter cannot see installed software versions or host configuration.
CISA cited the “gap made clear by the intrusion campaign targeting SolarWinds devices” as a reason for the mandate.
The directive is binding on federal civilian executive branch (FCEB) departments and agencies. It covers unclassified federal information systems and “all IP-addressable networked assets” reachable over IPv4 or IPv6, including roaming and cloud-hosted assets. Agencies must meet the requirements by April 3, 2023, and then sustain the activities on a recurring schedule: automated asset discovery at least every 7 days, vulnerability enumeration across all discovered assets at least every 14 days, and vulnerability detection signatures updated within 24 hours of the vendor’s release.
“CISA is committed to using its cybersecurity authorities to gain greater visibility and drive timely risk reduction across federal civilian agencies,” the agency stated. “Implementation of this directive will significantly increase visibility into assets and vulnerabilities across the federal government, in turn improving capabilities by both CISA and each agency to detect, prevent and respond to cybersecurity incidents and better understand trends in cybersecurity risk.”
The agency stressed that although the mandate is binding, it is focused on the outcomes agencies must achieve rather than prescribing exactly how they must comply; agencies may use any combination of tools and methods that produces the required discovery, enumeration and reporting results.
In essence, agencies need to:
- Maintain an up-to-date inventory of all networked assets, including their IP addresses.
- Identify software vulnerabilities on those assets, using privileged (credentialed) or client-based (agent) means where technically feasible.
- Track and report how often the agency enumerates its assets, what share of its inventoried assets the enumeration actually covers, and how current its vulnerability detection signatures are.
- Provide asset and vulnerability information to the Federal Dashboard of CISA’s Continuous Diagnostics and Mitigation (CDM) program.
And while the mandate applies only to the federal civilian government, CISA recommended that private companies and state, local, tribal and territorial organizations consider “and prioritize implementation of rigorous” asset and vulnerability management programs of their own.
“Threat actors continue to target our nation’s critical infrastructure and government networks to exploit weaknesses within unknown, unprotected, or under-protected assets,” said CISA Director Jen Easterly. “Knowing what’s on your network is the first step for any organization to reduce risk. While this Directive applies to federal civilian agencies, we urge all organizations to adopt the guidance in this directive to gain a complete understanding of vulnerabilities that may exist on their networks. We all have a role to play in building a more cyber resilient nation.”
For more information, see Binding Operational Directive (BOD) 23-01.