It is crucial for organizations, including Federal Agencies, to understand their enterprise from the view of an attacker to ensure they don’t have misconfigured or vulnerable entry points on their network that could lead to a compromised infrastructure. With federal agencies embracing new technologies, their threat surface continues to expand along with their cybersecurity risks. To help protect the American people’s security and privacy, CISA issued a Binding Operational Directive (BOD) 23-01 that mandates continuous and comprehensive asset visibility.
What is a Binding Operational Directive?
A Binding Operational Directive is a compulsory direction from the Department of Homeland Security to the federal, executive branch, departments, and agencies for the purpose of safeguarding federal information and information systems from a known or reasonably suspected information security threat, vulnerability or risk.
What is the Binding Operational Directive (BOD) 23-01?
Earlier this month, the Cybersecurity and Infrastructure Agency (CISA) issued a Binding Operational Directive (BOD) 23-01 to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems. According to CISA, BOD 23-01 aims “to make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities.” This new directive builds on BOD 22-01 which provides organizations with a curated list of vulnerabilities that have been—or are actively being—exploited in the wild. While BOD 23-01 addresses more of the attack surface and outlines new requirements for cloud assets, operational technology and more in order to reduce cyber risk. The directive requires all Federal civilian agencies to report detailed data about vulnerabilities to CISA at timed intervals using automated tools.
By April 3, 2023, all FCEB agencies are required to take the following actions on all federal information systems in scope of this directive:
- Perform automated asset discovery every 7 days
- Initiate vulnerability enumeration across all assets “including all discovered nomadic/roaming devices (e.g., laptops), every 14 days.”
- Initiate automated ingestion of vulnerability enumeration results (i.e., detected vulnerabilities) into the CDM Agency Dashboard within 72 hours of discovery completion.
- Develop and maintain the operational capability to initiate on-demand asset discovery and vulnerability enumeration to identify specific assets or subsets of vulnerabilities within 72 hours of receiving a request from CISA and provide the available results to CISA within 7 days of request.
- Within 6 months of CISA publishing requirements for vulnerability enumeration performance data, all FCEB agencies are required to initiate the collection and reporting of vulnerability enumeration performance data, as relevant to this directive, to the CDM Dashboard.
- By April 3, 2023, agencies and CISA, through the CDM program, will deploy an updated CDM Dashboard configuration that enables access to object-level vulnerability enumeration data for CISA analysts, as authorized in the Executive Order on Improving the Nation’s Cybersecurity.
How Does the Directive Affect My Business?
Although BOD 23-01 is only applicable to federal civilian executive branch (FCEB) agencies, CISA recommends all stakeholders review and incorporate these standards. In doing so, your organization will be strengthening their cyber resilience and ensuring best practices for asset management and vulnerability detection.
BOD 23-01 applies to all IP-addressable networked assets that can be reached over IPv4 and adds non-ephemeral cloud assets, IPV6 address space and operational technology to the list of asset types needing to be addressed. These additions cover devices that traditionally have been vulnerable points and have represented potential soft targets that could be leveraged in an attack. By April 3, 2023, federal agencies must begin performing the automated asset discovery and report suspected vulnerabilities per the scope outlined above.
How Can Quokka Help FCEB Agencies Meet CISA’s BOD 23-01?
The initiative directly concerns network infrastructure including agency owned mobile devices. Particularly, the subsection that states “Where the capability is available, agencies must perform the same type of vulnerability enumeration on mobile devices (e.g., iOS and Android) and other devices that reside outside of agency on-premises networks.” CISA has been proactive in preparing for this BOD by initiating a set of solutions available to FCEB agencies in their Mobile Cybersecurity Shared Services program. One of these services, CISA MAV or Mobile App Vetting (powered by Quokka), can perform the needed vulnerability identification in mobile assets automatically, helping FCEB agencies meet the mobile specific requirements in the BOD. As an added benefit FCEB agencies may leverage the CISA MAV capability without cost to the agency. Reach out to the CISA MAV team via [email protected] email to inquire about getting access to the CISA MAV capability.
Don’t Qualify for the CISA MAV Capability and Still Need Help?
Quokka is positioned to help the federal, executive branch, departments, and agencies with our Q-MAST solution. Q-MAST can provide federal agencies with comprehensive visibility of all vulnerabilities and their severity levels with fewer false negatives than comparable solutions.
Quokka security solutions ensure federal data is protected while personnel are carrying out critical work. Our customers can automate vulnerability data reporting into CDM dashboards immediately. Quokka was founded in this environment and has a deep understanding of the special needs of government and federal organizations.
Contact us to schedule a demo or for more information.
