
DHS Tells Federal Agencies to Improve Asset Visibility, Vulnerability Detection

The Cybersecurity and Infrastructure Security Agency (CISA) this week published Binding Operational Directive 23-01 (BOD 23-01), which requires federal agencies to take the necessary steps to improve their asset visibility and vulnerability detection capabilities within the next six months.

BOD 23-01 is the latest in a series of BODs meant to direct federal agencies towards better securing their environments against web and software vulnerabilities, either by patching them fast (BOD 19-02), by hunting for known vulnerabilities (BOD 22-01) or by defining and publishing a vulnerability disclosure policy (BOD 20-01).

“A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems. […] Federal agencies are required to comply with these directives,” CISA explains.

According to the agency, BOD 23-01 is meant to help federal agencies improve their cybersecurity management capabilities by gaining visibility into all assets in their networks and the vulnerabilities impacting them.

Federal agencies have been given six months to identify the network-addressable IP assets in their environments, along with the associated IP addresses (hosts), and to discover and report suspected vulnerabilities on those assets, including misconfigurations, outdated software, and missing patches.

“Discovery of assets and vulnerabilities can be achieved through a variety of means, including active scanning, passive flow monitoring, querying logs, or in the case of software defined infrastructure, API query. Many agencies’ existing Continuous Diagnostics and Mitigation (CDM) implementations leverage such means to make progress toward intended levels of visibility,” CISA notes.

Per BOD 23-01, by April 3, 2023, federal agencies will have to perform automated asset discovery every 7 days, begin vulnerability enumeration across all discovered assets and the automated ingestion of vulnerability enumeration results, and ensure they can perform on-demand asset discovery and vulnerability enumeration.
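To make the directive's requirements concrete, here is an added example (not from CISA, SecurityWeek, or any CDM tooling) that reconciles constructed discovery-run and vulnerability-enumeration records against the 7-day discovery cadence, and flags discovered assets that were never enumerated and hosts that enumeration reported but discovery never saw. The JSON shape, host addresses and findings are all constructed for the example.

```python
import json
from datetime import datetime, timedelta, timezone

DISCOVERY_INTERVAL = timedelta(days=7)  # BOD 23-01: automated discovery at least every 7 days
# Constructed sample data (not real agency data) in a simplified JSON shape assumed here.
DISCOVERY_RUNS = json.loads("""[
  {"run_time": "2023-03-20T02:00:00Z", "hosts": ["10.0.1.10", "10.0.1.11", "10.0.2.5"]},
  {"run_time": "2023-03-27T02:00:00Z", "hosts": ["10.0.1.10", "10.0.2.5", "10.0.3.7"]}
]""")
ENUMERATION_RESULTS = json.loads("""[
  {"host": "10.0.1.10", "finding": "missing_patch",     "detail": "PATCH-ID-PLACEHOLDER"},
  {"host": "10.0.1.10", "finding": "outdated_software", "detail": "end-of-life TLS library"},
  {"host": "10.0.2.5",  "finding": "misconfiguration",  "detail": "legacy file-sharing protocol enabled"},
  {"host": "10.0.9.9",  "finding": "missing_patch",     "detail": "PATCH-ID-PLACEHOLDER"}
]""")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_inventory(discovery_runs):
    """Map each host to the most recent discovery run that saw it."""
    last_seen = {}
    for run in discovery_runs:
        t = parse_ts(run["run_time"])
        for host in run["hosts"]:
            if host not in last_seen or t > last_seen[host]:
                last_seen[host] = t
    return last_seen

def check_compliance(discovery_runs, enumeration_results, now):
    """Reconcile discovery and enumeration data against the directive's cadence."""
    inventory = build_inventory(discovery_runs)
    enumerated = {r["host"] for r in enumeration_results}
    run_times = sorted(parse_ts(r["run_time"]) for r in discovery_runs)
    # gaps between consecutive runs, plus the time since the most recent run
    gaps = [b - a for a, b in zip(run_times, run_times[1:])] + [now - run_times[-1]]
    return {
        "discovery_cadence_ok": all(g <= DISCOVERY_INTERVAL for g in gaps),
        # hosts absent from recent runs: decommissioned, or a visibility gap to investigate
        "stale_hosts": sorted(h for h, t in inventory.items() if now - t > DISCOVERY_INTERVAL),
        # discovered assets with no enumeration result at all
        "not_enumerated": sorted(set(inventory) - enumerated),
        # enumeration reported a host discovery never saw: a discovery coverage gap
        "unknown_hosts": sorted(enumerated - set(inventory)),
        "findings_per_host": {h: sum(r["host"] == h for r in enumeration_results) for h in sorted(inventory)},
    }

def demo_report():
    return check_compliance(DISCOVERY_RUNS, ENUMERATION_RESULTS, parse_ts("2023-03-29T00:00:00Z"))
```

Feeding real scanner exports into the same reconciliation is what turns the directive's on-demand and periodic requirements into a checkable report rather than a one-off scan.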

“Within 6 months of CISA publishing requirements for vulnerability enumeration performance data, all FCEB agencies are required to initiate the collection and reporting of vulnerability enumeration performance data, as relevant to this directive, to the CDM Dashboard,” CISA notes.

By April 3, 2023, agencies and CISA will also have to deploy an updated CDM Dashboard configuration that provides access to vulnerability enumeration data for analysis.

Every six months, federal agencies will have to report on their progress with implementing the directive, and work with CISA to resolve any issues impeding the full operationalization of asset management capabilities.

CISA says it will review the requirements within 18 months of issuance, to ensure they remain relevant. The agency has also published guidance to help federal agencies implement BOD 23-01.

Related: CISA Clarifies Criteria for Adding Vulnerabilities to ‘Must Patch’ List

Related: AMTSO Publishes Guidance for Testing IoT Security Products

Related: US Agencies Publish Security Guidance on Implementing Open RAN Architecture

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
