DHS Tells Federal Agencies to Improve Asset Visibility, Vulnerability Detection

The Cybersecurity and Infrastructure Security Agency (CISA) this week published Binding Operational Directive 23-01 (BOD 23-01), which requires federal agencies to take the necessary steps to improve their asset visibility and vulnerability detection capabilities within the next six months.

BOD 23-01 is the latest in a series of BODs meant to direct federal agencies towards better securing their environments against web and software vulnerabilities, either by patching them fast (BOD 19-02), by hunting for known vulnerabilities (BOD 22-01) or by defining and publishing a vulnerability disclosure policy (BOD 20-01).

“A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems. […] Federal agencies are required to comply with these directives,” CISA explains.

According to the agency, BOD 23-01 is meant to help federal agencies improve their cybersecurity management capabilities by gaining visibility into all assets in their networks and the vulnerabilities impacting them.

Federal agencies have been given six months to identify network addressable IP-assets in their environments, along with the associated IP addresses (hosts), as well as to discover and report suspected vulnerabilities on those assets, including misconfigurations, outdated software, and missing patches.

“Discovery of assets and vulnerabilities can be achieved through a variety of means, including active scanning, passive flow monitoring, querying logs, or in the case of software defined infrastructure, API query. Many agencies’ existing Continuous Diagnostics and Mitigation (CDM) implementations leverage such means to make progress toward intended levels of visibility,” CISA notes.

Per BOD 23-01, by April 3, 2023, federal agencies will have to perform automated asset discovery every 7 days, begin vulnerability enumeration across all discovered assets and the automated ingestion of vulnerability enumeration results, and ensure they can perform on-demand asset discovery and vulnerability enumeration.

“Within 6 months of CISA publishing requirements for vulnerability enumeration performance data, all FCEB agencies are required to initiate the collection and reporting of vulnerability enumeration performance data, as relevant to this directive, to the CDM Dashboard,” CISA notes.

By April 3, 2023, agencies and CISA will also have to deploy an updated CDM Dashboard configuration that provides access to vulnerability enumeration data for analysis.

Every six months, federal agencies will have to report on their progress with implementing the directive, and work with CISA to resolve any issues impeding the full operationalization of asset management capabilities.

CISA says it will review the requirements within 18 months of issuance, to ensure they remain relevant. The agency has also published guidance to help federal agencies implement BOD 23-01.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
