CISA Announces New Binding Operational Directive to Manage Federal Civilian Agency Threats

Pietragallo Gordon Alfano Bosick & Raspanti, LLP

Takeaway: The latest directive from CISA will enhance federal agencies’ ability to identify vulnerabilities in their networks to prevent and respond to cybersecurity incidents.

On October 3, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) announced Binding Operational Directive (BOD) 23-01, entitled Improving Asset Visibility and Vulnerability Detection on Federal Networks.[1] The aim of BOD 23-01 is “to make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities.”[2]

A binding operational directive is a compulsory direction to executive branch departments and agencies for the purpose of safeguarding federal information and information systems.[3] BOD 23-01 applies to all Federal Civilian Executive Branch (FCEB) agencies, such as the Department of Justice, the Department of Education, and the Department of Health and Human Services.[4] The directive also applies to any entity acting on behalf of an FCEB agency that “collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.”[5]

BOD 23-01 focuses on (1) asset discovery, meaning identifying which IP-addressable assets reside on an agency’s networks and detecting their associated IP addresses, and (2) vulnerability enumeration, meaning detecting and reporting vulnerabilities on those assets, such as outdated software or missing updates.

The directive lists mandatory actions and reporting requirements that FCEB agencies must implement by April 3, 2023. For example, each FCEB agency must perform automated asset discovery every 7 days. FCEB agencies have discretion in choosing the method and technology used to complete this task, but BOD 23-01 requires that discovery cover, at a minimum, the agency’s entire IPv4 space. Additionally, each agency must initiate vulnerability enumeration every 14 days. All FCEB agencies must begin collecting and reporting performance data within 6 months of the publication of BOD 23-01 so that CISA can automate oversight and monitoring. Collectively, these actions enhance an agency’s ability to automatically detect vulnerabilities and prevent exploitation of weaknesses in its networks.

BOD 23-01 also lists actions that CISA will complete in furtherance of the initiative. CISA will publish data requirements within 6 months of the issuance of BOD 23-01. CISA will also provide an annual status report to the Secretary of Homeland Security, the Director of OMB, and the National Cyber Director.

CISA also released implementation guidance to help federal agencies “interpret and implement” BOD 23-01.[6] According to the directive, the requirements of BOD 23-01 “advance the priorities set forth in the Executive Order 14028 on Improving the Nation’s Cybersecurity.”[7]

In an October 3 press release, CISA Director Jen Easterly stated that “[t]hreat actors continue to target our nation’s critical infrastructure and government networks to exploit weaknesses within unknown, unprotected, or under-protected assets” and “[k]nowing what’s on your network is the first step for any organization to reduce risk.”[8] Implementation of the requirements of BOD 23-01 will serve as a strong cybersecurity baseline for federal agencies.

[1] https://www.cisa.gov/binding-operational-directive-23-01
[2] Id.
[3] 44 U.S.C. § 3552(b)(1).
[4] For full list of FCEB agencies, see https://www.cisa.gov/agencies
[5] https://www.cisa.gov/binding-operational-directive-23-01
[6] https://www.cisa.gov/implementation-guidance-binding-operational-directive-23-01
[7] https://www.cisa.gov/binding-operational-directive-23-01
[8] https://www.cisa.gov/news/2022/10/03/cisa-directs-federal-agencies-improve-cybersecurity-asset-visibility-and

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pietragallo Gordon Alfano Bosick & Raspanti, LLP | Attorney Advertising
