CISA Instructs Federal Agencies to Secure Internet-Exposed Devices

CISA’s Binding Operational Directive 23-02 requires federal agencies to secure the network management interfaces of certain classes of devices.

The US Cybersecurity and Infrastructure Security Agency (CISA) is requiring federal agencies to secure the network management interfaces of certain classes of devices.

CISA’s ‘Binding Operational Directive 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces’ provides federal agencies with guidelines on securing device interfaces that are accessible remotely, and which are often targeted by threat actors.

“A Binding Operational Directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems,” CISA notes.

Attackers, CISA explains, have shifted to targeting network infrastructure devices in order to bypass the protections that agencies and organizations have put in place to improve their security posture.

“Threat actors have used certain classes of network devices to gain unrestricted access to organizational networks leading to full-scale compromises. Inadequate security, misconfigurations, and out-of-date software make these devices more vulnerable to exploitation. The risk is further compounded if device management interfaces are connected directly to, and accessible from, the public-facing internet,” CISA notes.

According to CISA, most device management interfaces are meant to be accessed either locally or from a dedicated management network, not directly from the internet, and federal agencies should identify and address insecure or misconfigured interfaces across specific classes of devices.

Such devices include firewalls, load balancers, proxies, routers, switches, VPN concentrators, and out-of-band server management interfaces (such as iLO and iDRAC) that reside on, or support, federal information systems or networks.


Federal agencies should secure these devices if they use network protocols that allow remote management over the internet, such as HTTP, HTTPS, FTP, SNMP, Telnet, TFTP, RDP, rlogin, RSH, SSH, SMB, VNC, and X11, CISA says.

Web applications and interfaces for managing Cloud Service Provider (CSP) offerings, including APIs and management portals, are not within the scope of the new directive.

CISA will scan for devices and interfaces in scope of the directive, will inform agencies and guide them to address the identified issues, and will update the directive to keep it in line with the changing cybersecurity landscape.

Agencies are required to address the issues within 14 days of being notified by CISA, by removing the vulnerable interface from the internet and by deploying zero trust capabilities that enforce access control to the interface.

Furthermore, agencies are required to implement controls to ensure that the interfaces on existing and new devices are removed from the internet and are only reachable from an internal enterprise network, and that the required zero trust capabilities are enforced through policy enforcement.
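The scope rules above (in-scope device classes, the listed remote-management protocols, the CSP exclusion) and the 14-day remediation window lend themselves to a simple triage routine that an agency could run over the findings it receives. The following is an added illustration, not CISA's scanning tooling or anything from the directive's implementation guidance: the device classes and protocol names come from the directive as summarised in the article, while the findings, hostnames, dates and the `Finding`/`Triage` field names are this example's own constructions.

```python
"""Scope triage for internet-exposed management interfaces under BOD 23-02.

Added illustration, not CISA's tooling. Device classes and protocols follow the
directive as summarised in the article; the sample findings are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Remote-management protocols named in the directive (compared case-insensitively).
MANAGEMENT_PROTOCOLS = {p.upper() for p in (
    "HTTP", "HTTPS", "FTP", "SNMP", "Telnet", "TFTP", "RDP",
    "rlogin", "RSH", "SSH", "SMB", "VNC", "X11",
)}

# Device classes in scope. "oob server management" covers iLO, iDRAC and similar.
IN_SCOPE_CLASSES = {
    "firewall", "load balancer", "proxy", "router", "switch",
    "vpn concentrator", "oob server management",
}

# Cloud Service Provider web consoles and APIs are explicitly out of scope.
CSP_CLASSES = {"csp management portal", "csp api"}

# Agencies have 14 days from CISA's notification to act on an in-scope finding.
REMEDIATION_WINDOW = timedelta(days=14)


@dataclass
class Finding:
    host: str
    device_class: str
    protocol: str
    internet_reachable: bool   # reachable from the public internet, not just a management network
    notified_on: date          # date on which CISA notified the agency


@dataclass
class Triage:
    host: str
    in_scope: bool
    reason: str
    due: Optional[date] = None


def triage(f: Finding) -> Triage:
    """Decide whether a finding falls under BOD 23-02 and, if so, when remediation is due."""
    cls = f.device_class.lower()
    if cls in CSP_CLASSES:
        return Triage(f.host, False, "CSP management interface: excluded by the directive")
    if cls not in IN_SCOPE_CLASSES:
        return Triage(f.host, False, f"device class {f.device_class!r} is not among the listed classes")
    if f.protocol.upper() not in MANAGEMENT_PROTOCOLS:
        return Triage(f.host, False, f"protocol {f.protocol!r} is not a listed remote-management protocol")
    if not f.internet_reachable:
        return Triage(f.host, False, "interface reachable only from the internal or management network")
    return Triage(f.host, True, "internet-exposed management interface",
                  f.notified_on + REMEDIATION_WINDOW)


def triage_all(findings: List[Finding]) -> List[Triage]:
    return [triage(f) for f in findings]


def overdue(results: List[Triage], today: date) -> List[str]:
    """Hosts whose 14-day window has elapsed (callers drop findings already closed)."""
    return [r.host for r in results if r.in_scope and r.due is not None and r.due < today]


# Constructed sample findings; hostnames and dates are invented for this example.
SAMPLE_FINDINGS = [
    Finding("fw-edge-01", "firewall", "HTTPS", True, date(2023, 6, 13)),
    Finding("ilo-rack3-node7", "oob server management", "https", True, date(2023, 6, 13)),
    Finding("core-sw-02", "switch", "SSH", False, date(2023, 6, 13)),
    Finding("console.example-cloud.test", "csp management portal", "HTTPS", True, date(2023, 6, 13)),
    Finding("files-01", "file server", "SMB", True, date(2023, 6, 13)),
]

if __name__ == "__main__":
    results = triage_all(SAMPLE_FINDINGS)
    for r in results:
        status = f"IN SCOPE, due {r.due}" if r.in_scope else f"out of scope ({r.reason})"
        print(f"{r.host:28} {status}")
    print("overdue on 2023-07-01:", overdue(results, date(2023, 7, 1)))
```

Run as a script, the two internet-exposed in-scope interfaces (the firewall and the iLO) receive a due date of 2023-06-27, the switch reachable only from the management network and the CSP console are reported as out of scope, and the file server is excluded because its device class is not one the directive lists even though SMB is a listed protocol. Keeping the reason string on every result matters in practice: it is what lets a reviewer spot a misclassified asset inventory entry rather than a genuine exclusion.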

To further assist agencies in implementing the directive’s requirements, CISA has published Binding Operational Directive 23-02 Implementation Guidance.

The document is primarily intended for federal agencies, but CISA encourages all organizations to use it as guidance to secure the network management interfaces of their devices.

Related: US Government Provides Guidance on Software Security Guarantee Requirements

Related: CISA Introduces Secure-by-design and Secure-by-default Development Principles

Related: CISA Publishes New Guidance for Achieving Zero Trust Maturity

Written by Ionut Arghire, an international correspondent for SecurityWeek.
