CISA BOD 23-01: What Agencies Need to Know About Compliance

The new network visibility mandate provides a good foundation for identifying risks and building better security programs at federal agencies.

By April, all federal agencies were required to begin complying with a new mandate from the US Cybersecurity and Infrastructure Security Agency (CISA) to "make measurable progress toward enhancing visibility into agency IT assets and associated vulnerabilities." In plain language, this means they must get better at monitoring their assets and evaluating their security vulnerabilities.

While complying with Binding Operational Directive 23-01 (BOD 23-01) won't on its own make agencies secure, it does provide a good foundation for identifying risks and building better security programs. Ultimately, federal IT directors will need to go beyond the letter of these BOD requirements and think about how they can use these new capabilities to improve their network operations and security processes.

Understanding CISA BOD 23-01

The new mandate focuses on two activities that are essential to improving operational compliance at scale for a successful cybersecurity program: asset discovery and vulnerability enumeration.

Asset discovery means finding all network-addressable assets that reside on an agency's network infrastructure by identifying all the associated IP addresses (hosts). This typically does not require special logical access privileges and is vital information for more advanced analytics and security investigations. But discovering networked assets gets harder as networks get bigger, more complex, and virtualized, and as users connect from more locations using a wider range of devices. Most concerning for CISA are bring-your-own (BYO) and other unauthorized devices that have acquired addresses and are present on the network but should not be. Discovery solves both problems: confirmation of approved devices that are present, and detection of devices that are present but are unauthorized.

Vulnerability enumeration identifies and reports suspected vulnerabilities on network assets. It detects host attributes (for example operating systems, applications, and open ports) and attempts to identify security flaws and issues such as outdated software versions, missing updates, and misconfigurations. It also involves tracking compliance with or deviations from security policies by identifying host attributes and matching them with information on known vulnerabilities.

The mandate specifies several general requirements that federal agencies must meet, including:

  • Performing automated asset discovery every seven days to maintain an inventory of devices
  • Identifying software vulnerabilities using privileged or client-based means where technically feasible (to provide the deepest inspection of access issues)
  • Tracking how often the agency enumerates its assets, what coverage of its assets it achieves, and how current its vulnerability signatures are
  • Providing this asset and vulnerability information to CISA's Continuous Diagnostics and Mitigation (CDM) federal dashboard

The mandate also includes more specifics such as how often to perform asset discovery and vulnerability enumeration, how to conduct those scans, and requirements for reporting this data to CISA. Importantly, CISA doesn't specify how to meet any of these objectives but leaves it up to the discretion of each agency's IT leadership.

What This Means for Federal Agencies

It's clear from this mandate that the old approach of doing compliance assessments every few years won't be sufficient. Agencies will need to build or buy a network automation and visibility solution that allows them to discover assets and find vulnerabilities at scale and across domains while also providing regular, ongoing status reporting.

Meeting these requirements doesn't mean an agency will be safe from cyberattacks, but it does help improve the security of IT resources. For instance, asset visibility is necessary for updates, configuration management, and other security and lifecycle management activities that significantly reduce cybersecurity risk, along with exigent activities like vulnerability remediation. But for a network topology with the scale and complexity of the federal government — with its broad deployment of devices and virtualized services — automation is the only realistic way to conduct security best practices (like updating device firmware with security patches, changing passwords regularly, and preventing firewall configuration drift).

Complying With BOD 23-01

The new CISA mandate stems from the realization that the historical approach of allowing individual agencies to determine how best to secure their networks isn't working. In practice, resource-constrained agencies deprioritized aggressive secure-access verification. They also did not fully account for how frequently their networks would change due to new technologies, new applications, and new projects all making the problem worse. This ultimately led to the declining security of federal IT infrastructure.

However, given that this new mandate does not come with any additional funding to meet it, agencies must rethink how they use existing operational and engineering resources to perform all the required visibility and vulnerability assessments in the weekly timeframes specified. In fact, they will need a solution that democratizes network automation to better leverage their available subject matter experts to define the required topology, secure access, and compliance needs. While a single engineer can test a device or create a vulnerability scan once, automation can continuously replicate and execute that work any number of times across the entire infrastructure automatically.

Putting it All Together

The reality is this automated approach is the only way to effectively meet the requirements of the BOD 23-01 mandate. Automation can apply accepted best practices — or any repetitive network task like those embodied in BOD 23-01 — at scale.

All in all, the BOD 23-01 mandate is a welcome first step toward securing the US federal government's digital footprint. Understanding what is connected and its vulnerability in near real-time will go a long way to identifying potential problems and possible attack vectors before they can be exploited. Federal IT directors must go beyond traditional labor-intensive approaches and consider network automation if they hope to successfully meet the mandate's requirements.

Editors' Choice
Tara Seals, Managing Editor, News, Dark Reading
Jim Broome, President & CTO, DirectDefense
Nate Nelson, Contributing Writer, Dark Reading