On October 3, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 23-01 (BOD 23-01). This directive requires all Federal Civilian Executive Branch (FCEB) entities to maintain an inventory of all IPv4- and IPv6-networked assets, perform regular, periodic scans of these devices, and provide this information to CISA.
The target date for FCEB entities to meet the BOD is 3 April 2023. It is left up to the individual organizations to develop and implement a plan to meet this requirement.
Required actions
As of the start date, affected organizations need to perform the actions below:
- Asset discovery: an automated scan every seven days that covers at least the entire IPv4 space used by the agency.
- Vulnerability enumeration across all discovered assets, including all discovered nomadic/roaming devices (such as laptops), every 14 days. Where possible, vulnerability enumeration performed on managed endpoints must be conducted with privileged credentials.
- Initiate automated ingestion of vulnerability enumeration results (i.e., detected vulnerabilities) into the Continuous Diagnostics and Mitigation (CDM) Agency Dashboard within 72 hours of discovery.
- Develop and maintain the operational capability to initiate on-demand asset discovery and vulnerability enumeration to identify specific assets or subsets of vulnerabilities within 72 hours of receiving a request from CISA and provide the available results to CISA within seven days of request.
There are some provisions for larger organizations where vulnerability enumeration or even asset discovery cannot be completed within the set time frame.
For more information about the requirements, organizations can turn to the implementation guidance for CISA BOD 23-01, where they can find a glossary and some FAQs about the subject.
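The cadences listed above can be checked mechanically against an asset inventory. The following is an added example, not part of the directive or of CISA's guidance: the record fields (`last_discovered`, `last_enumerated`, `last_ingested`, `managed`, `credentialed`) are a hypothetical schema, the sample inventory is constructed, and the 72-hour ingestion window is assumed to start at the enumeration timestamp.

```python
from datetime import datetime, timedelta, timezone

# Windows taken from the required actions above.
DISCOVERY_MAX_AGE = timedelta(days=7)      # asset discovery every seven days
ENUMERATION_MAX_AGE = timedelta(days=14)   # vulnerability enumeration every 14 days
INGESTION_MAX_DELAY = timedelta(hours=72)  # results into the CDM Agency Dashboard

def parse(ts):
    """Parse an ISO 8601 timestamp (assumed UTC); None means it never happened."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc) if ts else None

def check_asset(rec, now):
    """Return the cadence gaps for one inventory record (hypothetical schema)."""
    gaps = []
    seen = parse(rec.get("last_discovered"))
    enum = parse(rec.get("last_enumerated"))
    ingested = parse(rec.get("last_ingested"))
    if seen is None or now - seen > DISCOVERY_MAX_AGE:
        gaps.append("discovery_overdue")
    if enum is None or now - enum > ENUMERATION_MAX_AGE:
        gaps.append("enumeration_overdue")
    elif ingested is None or ingested < enum:
        # Latest results not ingested yet: a gap only once 72 hours have passed.
        if now - enum > INGESTION_MAX_DELAY:
            gaps.append("ingestion_overdue")
    elif ingested - enum > INGESTION_MAX_DELAY:
        gaps.append("ingestion_late")
    if enum and rec.get("managed") and not rec.get("credentialed"):
        gaps.append("unprivileged_enumeration")  # managed endpoint, no privileged scan
    return gaps

def report(inventory, now):
    """Map asset name -> gaps, listing only assets that have at least one."""
    checked = {r["asset"]: check_asset(r, now) for r in inventory}
    return {name: gaps for name, gaps in checked.items() if gaps}

# Constructed sample inventory (not real data); all timestamps are UTC.
NOW = parse("2023-04-10T00:00")
INVENTORY = [
    {"asset": "ws-001", "last_discovered": "2023-04-08T00:00", "managed": True,
     "last_enumerated": "2023-04-05T00:00", "last_ingested": "2023-04-06T00:00", "credentialed": True},
    {"asset": "laptop-017", "last_discovered": "2023-03-30T00:00", "managed": True,
     "last_enumerated": "2023-03-20T00:00", "last_ingested": "2023-03-21T00:00", "credentialed": True},
    {"asset": "srv-db-02", "last_discovered": "2023-04-09T00:00", "managed": True,
     "last_enumerated": "2023-04-04T00:00", "last_ingested": None, "credentialed": False},
    {"asset": "printer-9", "last_discovered": "2023-04-09T00:00", "managed": False,
     "last_enumerated": None, "last_ingested": None, "credentialed": False},
]
```

Calling `report(INVENTORY, NOW)` lists only the assets that need attention, so the output doubles as a worklist for the next scan cycle.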
Background
CISA aims to gain greater visibility into risks facing federal civilian networks, a goal it has pursued since the intrusion campaign targeting SolarWinds devices made a gap in that visibility clear. As you may remember, the US Treasury and Commerce departments were among the victims of that campaign.
CISA Director Jen Easterly said:
“Threat actors continue to target our nation’s critical infrastructure and government networks to exploit weaknesses within unknown, unprotected, or under-protected assets.”
Effectiveness
The implementation of BOD 23-01 will undoubtedly cause higher stress levels in the IT departments of the agencies, especially as the start date nears. But, once in place, it will help improve the understanding of the strengths and weaknesses in an organization's network(s).
It does make a lot of sense that you need to know what you are protecting in order to set up an effective defense. It also makes a lot of sense to be aware of the vulnerabilities that are present in the enumerated assets.
The other requirements are aimed at providing the authorities with a method to check whether organizations are compliant and to request data when the need for them arises.
Recommendations
This Directive is a mandate for federal civilian agencies. However, CISA recommends that private businesses and state, local, tribal and territorial (SLTT) governments review it and prioritize implementation of rigorous asset and vulnerability management programs.
Many organizations will already have a similar program in operation. In such cases it is merely a matter of getting it approved and possibly making sure it is compatible with the automated ingestion into the CDM Agency Dashboard.
The CDM program allows federal agencies to monitor vulnerabilities and threats to their systems in near real-time. CDM works with agencies to deploy commercial off-the-shelf tools that provide enterprise-wide visibility of assets, users, and activities.
Whichever security standards you need to meet, regular asset discovery and vulnerability enumeration should be near the top of your list.