Updated on 2022-09-05: New CISA BOD
The US Cybersecurity and Infrastructure Security Agency issued a new Binding Operational Directive (BOD 23-01) on Monday, mandating that all federal civilian agencies scan their networks to discover all of their assets, including vulnerable systems that will need to be patched. Agencies must report their findings to CISA within six months, by April 3, 2023, so that CISA has a better understanding of the nation’s cyber resilience and of the defensive actions needed. Read more:
- CISA DIRECTS FEDERAL AGENCIES TO IMPROVE CYBERSECURITY ASSET VISIBILITY AND VULNERABILITY DETECTION
- BINDING OPERATIONAL DIRECTIVE 23-01 – IMPROVING ASSET VISIBILITY AND VULNERABILITY DETECTION ON FEDERAL NETWORKS
- CISA directive orders federal civilian agencies to regularly report software vulnerabilities
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new Binding Operational Directive, BOD 23-01, requiring federal civilian agencies to step up network vulnerability detection. Specifically, the required actions in the Improving Asset Visibility and Vulnerability Detection on Federal Networks BOD include “perform[ing] automated asset discovery every 7 days, … [and] initiat[ing] vulnerability enumeration across all discovered assets, including all discovered nomadic/roaming devices (e.g., laptops), every 14 days.” Agencies are also required to automate entry of vulnerability enumeration results into the CDM agency dashboard within 72 hours of discovery.
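To make the three intervals above concrete, here is an added example (not code from CISA, the CDM program or the original page) that evaluates a constructed asset inventory against the 7-day discovery, 14-day enumeration and 72-hour dashboard-ingest cadences and lists which assets fall short and why. The asset names, dates and the `Asset` record layout are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Maximum intervals stated in BOD 23-01 as quoted above.
DISCOVERY_MAX = timedelta(days=7)
ENUMERATION_MAX = timedelta(days=14)
INGEST_MAX = timedelta(hours=72)

@dataclass
class Asset:
    name: str
    last_discovered: Optional[datetime]   # last automated discovery that saw it
    last_enumerated: Optional[datetime]   # start of its last vulnerability enumeration
    results_ingested: Optional[datetime]  # when those results reached the CDM dashboard

def check_asset(asset: Asset, now: datetime) -> List[str]:
    """Cadence findings for one asset (empty = compliant). Nomadic devices such as
    laptops are checked exactly like fixed assets; the directive puts them in scope."""
    findings = []
    if asset.last_discovered is None or now - asset.last_discovered > DISCOVERY_MAX:
        findings.append("discovery older than 7 days")
    if asset.last_enumerated is None or now - asset.last_enumerated > ENUMERATION_MAX:
        findings.append("vulnerability enumeration older than 14 days")
    elif asset.results_ingested is None or asset.results_ingested - asset.last_enumerated > INGEST_MAX:
        # Results exist but never reached the dashboard, or arrived late.
        findings.append("enumeration results not in CDM dashboard within 72 hours")
    return findings

def noncompliant(assets: List[Asset], now: datetime) -> Dict[str, List[str]]:
    """Map each non-compliant asset name to its findings."""
    result = {}
    for asset in assets:
        findings = check_asset(asset, now)
        if findings:
            result[asset.name] = findings
    return result

# Constructed sample inventory (hypothetical names and dates, not real data).
NOW = datetime(2023, 1, 16, 12, 0)
SAMPLE_ASSETS = [
    Asset("web-01", datetime(2023, 1, 15), datetime(2023, 1, 10), datetime(2023, 1, 11)),
    Asset("laptop-07", datetime(2023, 1, 3), datetime(2022, 12, 20), datetime(2022, 12, 21)),
    Asset("db-02", datetime(2023, 1, 14), datetime(2023, 1, 12), datetime(2023, 1, 16, 10)),
    Asset("printer-03", datetime(2023, 1, 16), None, None),
]
if __name__ == "__main__":
    for name, findings in noncompliant(SAMPLE_ASSETS, NOW).items():
        print(name, "->", "; ".join(findings))
```

In the sample, the roaming laptop misses both the discovery and enumeration windows, the database host was enumerated on time but its results reached the dashboard late, and the printer has never been enumerated at all.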
- The DISA CDM program has been going for almost 10 years now, and the acronym has always stood for *Continuous* Diagnostics and Mitigation. The question has always been what the definition of “continuous” is, which has ranged from yearly (or worse) to monthly for agencies checking on monthly Windows patches. While the CDM tools have been purchased to go faster, and meet this directive’s 7-day asset discovery and 14-day vulnerability assessment, the processes and staff skills needed to do that have lagged. This is step one to getting to basic security hygiene.
- CDM (which has the same scope as this directive) already expects discovery within 72 hours, with the expectation that the interval will shrink to near-real-time. Additionally, scanning and remediation windows have been specified in previous directives. Irrespective of applicability, make sure you are able to discover all devices on your network and block/quarantine devices which are either unknown or not meeting minimum security standards. Technology such as NAC has matured to make this possible.
Read more in