Do you know what IT devices are in your business or on your network right now? If not, you may soon have both cybercriminals and federal cybersecurity regulators taking an interest.
Binding Operational Directive 23-01, or BOD 23-01, is a directive from the US Cybersecurity and Infrastructure Security Agency (CISA) that orders federal civilian agencies to maintain current visibility into the assets on their networks and the vulnerabilities present on those assets. The guidance is designed to improve the way systems are tracked, managed, and protected against unauthorized access and attacks such as ransomware.
What Is BOD 23-01?
The wide-ranging BOD 23-01 cybersecurity directive orders all US Federal Civilian Executive Branch (FCEB) agencies to build and maintain a complete and accurate inventory of the networked assets, hardware and software, on their networks. The intention is to close the kind of visibility gap exposed by the 2020 SolarWinds attack, in which malicious code inserted into a vendor's software updates reached several government agencies and organizations before anyone knew the affected software was running on their networks.
BOD 23-01 also makes federal civilian agencies more accountable for their own systems and what resides on their networks, as well as for any breaches or attacks on those systems. The directive is binding only on federal civilian agencies in the US, but CISA has also urged the private sector and state governments to review and adopt similar asset and vulnerability practices.
What Issues Does BOD 23-01 Address?
Threat actors continue to target critical infrastructure, networks, and devices, and they succeed most often against assets that are unknown, unprotected, or under-protected. Previous and even current methods of preventing infiltration have had mixed success, so the directive adds another layer: an accurate picture of what exists before anything can be protected.
At a basic level, businesses still aren't tracking the devices and software beneath their own roof, with roughly one in three IT teams reporting that they don't actively track the software used by employees within the business.
The hope with the new directive is that, at minimum, agencies and government departments have access to an up-to-date inventory of assets. You can't protect what you can’t see, so by providing this visibility organizations will be one step ahead of the game.
Of course, there's no point in knowing what's under threat if you can't prevent or stop an attack.
Many organizations still have exposed services that an external attacker can use to breach the network perimeter and reach sensitive data, and an asset that nobody knows about is an asset that nobody patches or monitors.
What Does the Order Mean for IT Teams?
The attack surface — the points of entry and vulnerabilities that serve as attack vectors — is expanding rapidly. New technologies, recent changes to implement remote and hybrid workplaces, and the BYOD model again gaining momentum are threatening to overpower IT teams, which is why new methods of cyber asset attack surface management (CAASM) are becoming vital in managing and protecting organizations.
For agencies looking to become compliant with the new directive, creating an IT asset inventory is a significant administrative challenge. We're talking about having to locate, identify, record, and report on potentially hundreds or thousands of pieces of hardware and software.
Asset Visibility and Vulnerability Detection
There are two key areas IT teams need to focus on: asset discovery and vulnerability enumeration. Together, these provide the visibility needed to protect federal organizations against outside threats.
By April 3, 2023, agencies must run automated asset discovery across their entire IPv4 address space at least every seven days, and vulnerability enumeration across all discovered assets (including roaming devices such as laptops) at least every 14 days. Agencies must also be able to initiate on-demand discovery and enumeration within 72 hours of receiving a written request from CISA and provide the results within seven days.
If IT teams don't have one already, they will need to create and maintain an up-to-date inventory of IT assets on their network, identify vulnerabilities on those assets, and feed the enumeration results into CISA's Continuous Diagnostics and Mitigation (CDM) program on the required schedule.
IT teams are already under pressure, and the only realistic and cost-effective way to meet these cadences is to automate both the inventory and the checks that the inventory is being kept. With new devices appearing almost daily and existing systems constantly being updated, it's virtually impossible to handle this manually.
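A practical way to keep honest about the two cadences above is to check them mechanically against your scanner's own records rather than trusting the calendar. The script below is an added example (not code from the page, from CISA, or from any scanner vendor) that reads constructed scan-event records, flags any gap between discovery runs longer than 7 days, flags any asset that went more than 14 days between first discovery and an enumeration (or between enumerations), and lists assets that were enumerated but never appeared in discovery, which usually means the inventory and the scanner disagree. The event format, IP addresses, and evaluation time are all assumptions made for the example.

```python
"""
Cadence and coverage check for BOD 23-01-style asset discovery and
vulnerability enumeration. Added example; the record format below is
an assumption, not any real scanner's output.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DISCOVERY_MAX_GAP = timedelta(days=7)    # discovery at least every 7 days
VULN_ENUM_MAX_GAP = timedelta(days=14)   # enumeration at least every 14 days

# Constructed sample events: "<ISO-8601 UTC timestamp> <kind> <asset>".
# kind is "discovery" (asset seen by a discovery run) or "vulnenum"
# (a vulnerability enumeration of that asset completed).
SAMPLE_EVENTS = """\
2023-03-01T02:00:00Z discovery 10.0.1.10
2023-03-01T02:00:00Z discovery 10.0.1.11
2023-03-01T03:00:00Z vulnenum  10.0.1.10
2023-03-08T02:00:00Z discovery 10.0.1.10
2023-03-08T02:00:00Z discovery 10.0.1.11
2023-03-08T02:00:00Z discovery 10.0.1.12
2023-03-15T02:00:00Z discovery 10.0.1.10
2023-03-15T02:00:00Z discovery 10.0.1.11
2023-03-15T02:00:00Z discovery 10.0.1.12
2023-03-15T03:00:00Z vulnenum  10.0.1.10
2023-03-28T02:00:00Z discovery 10.0.1.10
2023-03-28T02:00:00Z discovery 10.0.1.11
2023-03-28T02:00:00Z discovery 10.0.1.12
2023-03-28T03:00:00Z vulnenum  10.0.1.11
2023-03-28T03:00:00Z vulnenum  10.0.1.99
"""

# Constructed evaluation time ("now") so the example is reproducible.
NOW = datetime(2023, 3, 29, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str    # "discovery" or "vulnenum"
    asset: str   # IPv4 address as seen on the network


def parse_events(text: str) -> list[Event]:
    """Parse the whitespace-separated records into time-sorted events."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, kind, asset = line.split()
        if kind not in ("discovery", "vulnenum"):
            raise ValueError(f"unknown event kind {kind!r}")
        ts_parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(ts_parsed, kind, asset))
    return sorted(events, key=lambda e: e.ts)


def discovery_cadence_violations(events, now):
    """Pairs of consecutive discovery runs more than 7 days apart, plus a
    trailing (last_run, now) pair if the latest run is already stale.
    A discovery run is identified by its distinct timestamp."""
    runs = sorted({e.ts for e in events if e.kind == "discovery"})
    if not runs:
        return [(None, now)]          # no discovery at all is itself a finding
    violations = [(a, b) for a, b in zip(runs, runs[1:]) if b - a > DISCOVERY_MAX_GAP]
    if now - runs[-1] > DISCOVERY_MAX_GAP:
        violations.append((runs[-1], now))
    return violations


def vuln_enum_coverage(events, now):
    """Per discovered asset: the longest stretch without an enumeration,
    measured from first discovery, between enumerations, and up to `now`.
    An asset is compliant only if every such stretch is <= 14 days."""
    first_seen, enum_times = {}, {}
    for e in events:
        if e.kind == "discovery":
            first_seen.setdefault(e.asset, e.ts)
        else:
            enum_times.setdefault(e.asset, []).append(e.ts)
    report = {}
    for asset, seen in first_seen.items():
        enums = sorted(enum_times.get(asset, []))
        checkpoints = [seen] + enums + [now]
        worst = max(b - a for a, b in zip(checkpoints, checkpoints[1:]))
        report[asset] = {
            "first_seen": seen,
            "last_enumerated": enums[-1] if enums else None,
            "worst_gap_days": worst.days,
            "compliant": worst <= VULN_ENUM_MAX_GAP,
        }
    return report


def unreconciled_assets(events):
    """Assets with enumeration results but no discovery record: the scanner
    and the inventory disagree, and one of them is wrong."""
    discovered = {e.asset for e in events if e.kind == "discovery"}
    enumerated = {e.asset for e in events if e.kind == "vulnenum"}
    return sorted(enumerated - discovered)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for a, b in discovery_cadence_violations(evs, NOW):
        print(f"discovery gap exceeded: {a} -> {b}")
    for asset, r in vuln_enum_coverage(evs, NOW).items():
        flag = "OK " if r["compliant"] else "BAD"
        print(f"{flag} {asset}: worst gap {r['worst_gap_days']}d, last enum {r['last_enumerated']}")
    print("enumerated but never discovered:", unreconciled_assets(evs))
```

On the sample data the 13-day gap between the 15 March and 28 March discovery runs is reported, 10.0.1.10 passes (its longest stretch is exactly 14 days), 10.0.1.11 fails because its first enumeration came 27 days after discovery, 10.0.1.12 was discovered but never enumerated, and 10.0.1.99 was enumerated without ever being discovered. In production you would replace `SAMPLE_EVENTS` with an export from your discovery and enumeration tooling and set `NOW` to the current time.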
Knowing what's on your network is necessary for any organization to reduce risk. In today's digital-first world, with more attack surfaces than ever before, taking stock of what you have is the first step in protecting and preventing the worst from taking place.