The Cybersecurity and Infrastructure Security Agency (CISA) this week published Binding Operational Directive 23-01 (BOD 23-01), which requires federal agencies to take the necessary steps to improve their asset visibility and vulnerability detection capabilities within the next six months.
BOD 23-01 is the latest in a series of BODs meant to direct federal agencies towards better securing their environments against web and software vulnerabilities, either by patching them fast (BOD 19-02), by hunting for known vulnerabilities (BOD 22-01) or by defining and publishing a vulnerability disclosure policy (BOD 20-01).
“A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems. […] Federal agencies are required to comply with these directives,” CISA explains.
According to the agency, BOD 23-01 is meant to help federal agencies improve their cybersecurity management capabilities by gaining visibility into all assets in their networks and the vulnerabilities impacting them.
Federal agencies have been given six months to identify network addressable IP-assets in their environments, along with the associated IP addresses (hosts), as well as to discover and report suspected vulnerabilities on those assets, including misconfigurations, outdated software, and missing patches.
“Discovery of assets and vulnerabilities can be achieved through a variety of means, including active scanning, passive flow monitoring, querying logs, or in the case of software defined infrastructure, API query. Many agencies’ existing Continuous Diagnostics and Mitigation (CDM) implementations leverage such means to make progress toward intended levels of visibility,” CISA notes.
Per BOD 23-01, by April 3, 2023, federal agencies will have to perform automated asset discovery every 7 days, begin vulnerability enumeration across all discovered assets and the automated ingestion of vulnerability enumeration results, and ensure they can perform on-demand asset discovery and vulnerability enumeration.
“Within 6 months of CISA publishing requirements for vulnerability enumeration performance data, all FCEB agencies are required to initiate the collection and reporting of vulnerability enumeration performance data, as relevant to this directive, to the CDM Dashboard,” CISA notes.
By April 3, 2023, agencies and CISA will also have to deploy an updated CDM Dashboard configuration that provides access to vulnerability enumeration data for analysis.
Every six months, federal agencies will have to report on their progress with implementing the directive, and work with CISA to resolve any issues impeding the full operationalization of asset management capabilities.
CISA says it will review the requirements within 18 months of issuance, to ensure they remain relevant. The agency has also published guidance to help federal agencies implement BOD 23-01.