Skip to main content
        • Products

          Q-Scout

          Leading edge mobile device security delivering dynamic, actionable intelligence for fleet-wide protection applications

          Q-MAST

          Comprehensive testing for developers who build, use, and manage mobile applications

          Q-Vet

          Mobile app vetting for curated and enterprise managed app stores

        • Solutions by Want

          Mobile Application Security Testing

          Advanced analysis utilizing static, dynamic & interactive analysis of Android and iOS mobile applications

          BYOD

          Secure devices connecting to the enterprise network in the work and live anywhere world

          App Vetting

          Transparent and high-confidence results using pass/fail security evidence

          End Users

          Airtight digital security that empowers you to make informed decisions on what apps you do and do not give access to

          Regulatory Compliance

          Automated compliance testing for the latest privacy and security standards

        • Untitled Document

          All Resources

          Blogs

          The latest industry news in cybersecurity’s ever-evolving landscape

          Newsroom

          Press releases, news stories and media highlights from Quokka

          Webinars

          Videos and content where you can learn about the latest threats, trends and issues in cybersecurity

          Whitepapers

          Insights and helpful assets for exploring cybersecurity and digital security

        • Datasheets

          An in-depth description of Quokka solutions

          Technical Papers

          Deep dive into cybersecurity topics and technical papers discovered by Quokka

          Use Cases

          Detailed overview of how Quokka solutions solve real-world pain points

          Partners

          Learn more about Quokka’s technology partners

        • Company

          Careers

          There are jobs - and then there is a career at Quokka

          Industries

          Solutions designed for security needs of your organization

          Leadership

          Quokka’s global management team comprised of security experts and industry leaders

  • Support

A New Directive Aims to Safeguard Federal Information: BOD 23-01

Melissa Gaffney | November 3, 2022

Melissa Gaffney

November 3, 2022

It is crucial for organizations, including Federal Agencies, to understand their enterprise from the view of an attacker to ensure they don’t have misconfigured or vulnerable entry points on their network that could lead to a compromised infrastructure. With federal agencies embracing new technologies, their threat surface continues to expand along with their cybersecurity risks. To help protect the American people’s security and privacy, CISA issued a Binding Operational Directive (BOD) 23-01 that mandates continuous and comprehensive asset visibility.

What is a Binding Operational Directive?

A Binding Operational Directive is a compulsory direction from the Department of Homeland Security to the federal, executive branch, departments, and agencies for the purpose of safeguarding federal information and information systems from a known or reasonably suspected information security threat, vulnerability or risk.

What is the Binding Operational Directive (BOD) 23-01?

Earlier this month, the Cybersecurity and Infrastructure Agency (CISA) issued a Binding Operational Directive (BOD) 23-01 to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems. According to CISA, BOD 23-01 aims “to make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities.” This new directive builds on BOD 22-01 which provides organizations with a curated list of vulnerabilities that have been—or are actively being—exploited in the wild. While BOD 23-01 addresses more of the attack surface and outlines new requirements for cloud assets, operational technology and more in order to reduce cyber risk. The directive requires all Federal civilian agencies to report detailed data about vulnerabilities to CISA at timed intervals using automated tools.

By April 3, 2023, all FCEB agencies are required to take the following actions on all federal information systems in scope of this directive:

  • Perform automated asset discovery every 7 days
  • Initiate vulnerability enumeration across all assets “including all discovered nomadic/roaming devices (e.g., laptops), every 14 days.”
  • Initiate automated ingestion of vulnerability enumeration results (i.e., detected vulnerabilities) into the CDM Agency Dashboard within 72 hours of discovery completion.
  • Develop and maintain the operational capability to initiate on-demand asset discovery and vulnerability enumeration to identify specific assets or subsets of vulnerabilities within 72 hours of receiving a request from CISA and provide the available results to CISA within 7 days of request.
  • Within 6 months of CISA publishing requirements for vulnerability enumeration performance data, all FCEB agencies are required to initiate the collection and reporting of vulnerability enumeration performance data, as relevant to this directive, to the CDM Dashboard.
  • By April 3, 2023, agencies and CISA, through the CDM program, will deploy an updated CDM Dashboard configuration that enables access to object-level vulnerability enumeration data for CISA analysts, as authorized in the Executive Order on Improving the Nation’s Cybersecurity.

How Does the Directive Affect My Business?

Although BOD 23-01 is only applicable to federal civilian executive branch (FCEB) agencies, CISA recommends all stakeholders review and incorporate these standards. In doing so, your organization will be strengthening their cyber resilience and ensuring best practices for asset management and vulnerability detection.

BOD 23-01 applies to all IP-addressable networked assets that can be reached over IPv4 and adds non-ephemeral cloud assets, IPV6 address space and operational technology to the list of asset types needing to be addressed. These additions cover devices that traditionally have been vulnerable points and have represented potential soft targets that could be leveraged in an attack. By April 3, 2023, federal agencies must begin performing the automated asset discovery and report suspected vulnerabilities per the scope outlined above.

How Can Quokka Help FCEB Agencies Meet CISA’s BOD 23-01?

The initiative directly concerns network infrastructure including agency owned mobile devices. Particularly, the subsection that states “Where the capability is available, agencies must perform the same type of vulnerability enumeration on mobile devices (e.g., iOS and Android) and other devices that reside outside of agency on-premises networks.” CISA has been proactive in preparing for this BOD by initiating a set of solutions available to FCEB agencies in their Mobile Cybersecurity Shared Services program. One of these services, CISA MAV or Mobile App Vetting (powered by Quokka), can perform the needed vulnerability identification in mobile assets automatically, helping FCEB agencies meet the mobile specific requirements in the BOD. As an added benefit FCEB agencies may leverage the CISA MAV capability without cost to the agency. Reach out to the CISA MAV team via [email protected] email to inquire about getting access to the CISA MAV capability.

Don’t Qualify for the CISA MAV Capability and Still Need Help?

Quokka is positioned to help the federal, executive branch, departments, and agencies with our Q-MAST solution. Q-MAST can provide federal agencies with comprehensive visibility of all vulnerabilities and their severity levels with fewer false negatives than comparable solutions.

Quokka security solutions ensure federal data is protected while personnel are carrying out critical work. Our customers can automate vulnerability data reporting into CDM dashboards immediately. Quokka was founded in this environment and has a deep understanding of the special needs of government and federal organizations.

Contact us to schedule a demo or for more information: https://www.quokka.io/support#contact-us

Leave a Reply

Close Menu