
New CISA Directive Requires Agencies to Improve Vulnerability Detection and Reporting

Updated on 2022-09-05: New CISA BOD

The US Cybersecurity and Infrastructure Security Agency issued a new Binding Operational Directive (BOD 23-01) on Monday and mandated that all federal civilian agencies scan their networks in order to discover all their assets, including vulnerable systems that will need to be patched. Agencies must report their findings to CISA within six months, by April 3, 2023, so CISA would have a better understanding of the nation’s cyber resilience and needed defensive actions.


The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new Binding Operational Directive, BOD 23-01, requiring federal civilian agencies to step up network vulnerability detection. Specifically, the required actions in the BOD, titled Improving Asset Visibility and Vulnerability Detection on Federal Networks, include “perform[ing] automated asset discovery every 7 days, … [and] initiat[ing] vulnerability enumeration across all discovered assets, including all discovered nomadic/roaming devices (e.g., laptops), every 14 days.” The agencies are also required to automate entry of vulnerability enumeration results to the CDM agency dashboard within 72 hours of discovery.


  • The DISA CDM program has been going for almost 10 years now, and the acronym has always stood for *Continuous* Diagnostics and Mitigation. The question has always been what the definition of “continuous” is, which has ranged from yearly (or worse) to monthly for agencies checking on monthly Windows patches. While the CDM tools have been purchased to go faster and meet this directive’s 7-day asset discovery and 14-day vulnerability assessment, the processes and staff skills needed to do that have lagged. This is step one to getting to basic security hygiene.
  • CDM (which has the same scope as this directive) already expects discovery within 72 hours, with the expectation that the interval will shrink to near-real-time. Additionally, scanning and remediation windows have been specified in previous directives. Irrespective of applicability, make sure you are able to discover all devices on your network and block/quarantine devices which are either unknown or not meeting minimum security standards. Technology such as NAC has matured to make this possible.


Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children.
