Updated on 2022-09-05: New CISA BOD
The US Cybersecurity and Infrastructure Security Agency issued a new Binding Operational Directive (BOD 23-01) on Monday and mandated that all federal civilian agencies scan their networks in order to discover all their assets, including vulnerable systems that will need to be patched. Agencies must report their findings to CISA within six months, by April 3, 2023, so CISA would have a better understanding of the nation’s cyber resilience and needed defensive actions. Read more:
- CISA DIRECTS FEDERAL AGENCIES TO IMPROVE CYBERSECURITY ASSET VISIBILITY AND VULNERABILITY DETECTION
- BINDING OPERATIONAL DIRECTIVE 23-01 – IMPROVING ASSET VISIBILITY AND VULNERABILITY DETECTION ON FEDERAL NETWORKS
- CISA directive orders federal civilian agencies to regularly report software vulnerabilities
Overview
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new Binding Operational Directive, BOD 23-01, requiring federal civilian agencies to step up network vulnerability detection. Specifically, the Improving Asset Visibility and Vulnerability Detection on Federal Networks BOD required actions include “perform[ing] automated asset discovery every 7 days, … [and] initiat[ing] vulnerability enumeration across all discovered assets, including all discovered nomadic/roaming devices (e.g., laptops), every 14 days.” The agencies are also required to automate entry of vulnerability enumeration results to the CDM agency dashboard within 72 hours of discovery.
Note
- The DISA CDM program has been going for almost 10 years now and the acronym has always stood for *Continuous* Diagnostics and Mitigation. The question has always been what is the definition of “continuous” which ranged from yearly (or worse) to monthly for agencies checking on monthly Windows patches. While the CDM tools have been purchased to go faster, and meet this directive’s 7 day asset discovery and 14 day vulnerability assessment, the processes and staff skills needed to do that have lagged. This is step one to getting to basic security hygiene.
- CDM (which has the same scope as this directive) already expects discovery within 72 hours with the expectation that interval will shrink to near-real-time. Additionally scanning and remediation windows have been specified in previous directives. Irrespective of applicability, make sure you are able to discover all devices on your network and block/quarantine devices which are either unknown or not meeting minimum security standards. Technology such as NAC has matured to make this possible.
Read more in
- Binding Operational Directive 23-01 – Improving Asset Visibility and Vulnerability Detection on Federal Networks
- CISA directive orders federal civilian agencies to regularly report software vulnerabilities
Alex Lim
Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook
