
CISA Binding Operational Directive 23-01: A Mandate for Attack Surface and Vulnerability Management in Federal Networks

CISA has recently issued a Binding Operational Directive (BOD) 23-01: Improving Asset Visibility and Vulnerability Detection on Federal Networks, which seeks to improve asset visibility and vulnerability enumeration across the federal agency networks.

A binding operational directive is a compulsory direction to federal executive branch departments and agencies for the purpose of safeguarding federal information and information systems.

Although BOD 23-01 applies only to federal civilian executive branch (FCEB) agencies, CISA recommends that all stakeholders review and adopt the standards it sets forth. Doing so establishes asset and attack surface management and vulnerability management practices that strengthen an organization's cyber resilience.

Continuous and comprehensive asset visibility is a basic precondition for any organization to effectively manage cybersecurity risk. 

The purpose of this Binding Operational Directive is to make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities. 

The requirements of this Directive focus on two core activities essential to improving operational visibility for a successful cybersecurity program: asset discovery and vulnerability enumeration.

  • Asset discovery is a building block of operational visibility. It is defined as an activity through which an organization identifies which network-addressable IP assets reside on its networks and identifies the associated IP addresses (hosts). Asset discovery is non-intrusive and usually does not require special logical access privileges.
  • Vulnerability enumeration identifies and reports suspected vulnerabilities on those assets. It detects host attributes (e.g., operating systems, applications, open ports) and attempts to identify outdated software versions, missing updates, and misconfigurations. It validates compliance with, or deviations from, security policies by identifying host attributes and matching them against information on known vulnerabilities. Understanding an asset's vulnerability posture depends on having appropriate privileges, which can be achieved through credentialed network-based scans or a client installed on the host endpoint.

Discovery of assets and vulnerabilities can be achieved through a variety of means, including active scanning, passive flow monitoring, querying logs, or in the case of software defined infrastructure, API query.

Asset visibility is not an end in itself, but is necessary for updates, configuration management, and other security and lifecycle management activities that significantly reduce cybersecurity risk, along with exigent activities like vulnerability remediation.

The Goals of the CISA Binding Operational Directive 23-01

  • Maintain an up-to-date inventory of networked assets as defined in the scope of this directive;
  • Identify software vulnerabilities, using privileged, or client-based means where technically feasible;
  • Track how often the agency enumerates its assets, what coverage of its assets it achieves, and how current its vulnerability signatures are; and
  • Provide asset and vulnerability information to CISA’s CDM Federal Dashboard.

In terms of scope, these required actions apply to any FCEB unclassified federal information system, including any federal information system used or operated by another entity on behalf of an agency.

This Directive applies to all IP-addressable networked assets that can be reached over the IPv4 and IPv6 protocols. The scope includes, but is not limited to, servers and workstations, virtual machines, routers and switches, firewalls, network appliances, and network printers, whether in on-premises, roaming, or cloud-operated deployment models. The scope excludes ephemeral assets, such as containers and third-party-managed software as a service (SaaS) solutions.

Required Actions for CISA Binding Operational Directive 23-01

By April 3, 2023, all FCEB agencies are required to take the following actions on all federal information systems in scope of this directive:

  1. Perform automated asset discovery every 7 days. At minimum this discovery must cover the entire IPv4 space used by the agency.
  2. Initiate vulnerability enumeration across all discovered assets, including all discovered nomadic/roaming devices (e.g., laptops), every 14 days.
    1. Enumeration processes should still be initiated at regular intervals to ensure all systems within the enterprise are scanned on a regular cadence within this window.
    2. To the maximum extent possible and where available technologies support it, all vulnerability enumeration performed on managed endpoints (e.g., servers, workstations, desktops, laptops) and managed network devices (e.g., routers, switches, firewalls) must be conducted with privileged credentials.
    3. All vulnerability detection signatures used must be updated at an interval no greater than 24 hours from the last vendor-released signature update.
    4. Where the capability is available, agencies must perform the same type of vulnerability enumeration on mobile devices (e.g., iOS and Android) and other devices that reside outside of agency on-premises networks.
    5. All alternative asset discovery and vulnerability enumeration methods (e.g., for systems with specialized equipment or those unable to utilize privileged credentials) must be approved by CISA.
  3. Initiate automated ingestion of vulnerability enumeration results (i.e., detected vulnerabilities) into the CDM Agency Dashboard within 72 hours of discovery completion.
  4. Develop and maintain the operational capability to initiate on-demand asset discovery and vulnerability enumeration to identify specific assets or subsets of vulnerabilities within 72 hours of receiving a request from CISA and provide the available results to CISA within 7 days of request.
  5. Within 6 months of CISA publishing requirements for vulnerability enumeration performance data, all FCEB agencies are required to initiate the collection and reporting of vulnerability enumeration performance data, as relevant to this directive, to the CDM Dashboard. This data will allow CISA to automate oversight and monitoring of agency scanning performance, including the measurement of scanning cadence, rigor, and completeness.
  6. By April 3, 2023, agencies and CISA, through the CDM program, will deploy an updated CDM Dashboard configuration that enables access to object-level vulnerability enumeration data for CISA analysts.
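As an added illustration (not part of the original post, and not CISA's or NopSec's code), the following Python sketch turns the cadence requirements above into a check an agency could run over its own inventory export: it flags assets whose discovery or enumeration is older than the 7-day and 14-day windows, managed endpoints enumerated without privileged credentials, signature updates applied more than 24 hours after vendor release, and CDM ingestion later than 72 hours after scan completion, and it reports enumeration coverage as one of the metrics the directive asks agencies to track. The record layout, field names and timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Thresholds as stated in the directive's required actions.
DISCOVERY_MAX = timedelta(days=7)     # automated asset discovery every 7 days
ENUMERATION_MAX = timedelta(days=14)  # vulnerability enumeration every 14 days
SIGNATURE_MAX = timedelta(hours=24)   # signatures no older than 24h past vendor release
INGEST_MAX = timedelta(hours=72)      # results into the CDM dashboard within 72h

def _ts(s):
    """Parse a UTC ISO-8601 timestamp such as '2023-03-31T12:00:00Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate(assets, signature, ingestion, now):
    """Return enumeration coverage and a list of (subject, finding) tuples.

    Asset records (assumed layout) carry ip, managed, credentialed, last_discovered
    and last_enumerated (None if never); signature/ingestion hold the timestamps
    for the 24h and 72h checks."""
    now = _ts(now)
    findings, enumerated = [], 0
    for a in assets:
        if now - _ts(a["last_discovered"]) > DISCOVERY_MAX:
            findings.append((a["ip"], "discovery older than 7 days"))
        last = a["last_enumerated"]
        if last is None or now - _ts(last) > ENUMERATION_MAX:
            findings.append((a["ip"], "no enumeration within 14 days"))
            continue
        enumerated += 1  # counts toward coverage only if scanned in-window
        if a["managed"] and not a["credentialed"]:
            findings.append((a["ip"], "managed endpoint enumerated without privileged credentials"))
    sig_lag = _ts(signature["applied"]) - _ts(signature["vendor_released"])
    if sig_lag > SIGNATURE_MAX:
        findings.append(("signatures", f"applied {sig_lag} after vendor release"))
    ingest_lag = _ts(ingestion["ingested"]) - _ts(ingestion["scan_completed"])
    if ingest_lag > INGEST_MAX:
        findings.append(("cdm-ingest", f"ingested {ingest_lag} after scan completion"))
    coverage = enumerated / len(assets) if assets else 0.0
    return {"coverage": coverage, "findings": findings}

# Constructed sample records (not real agency data).
SAMPLE_ASSETS = [
    {"ip": "10.0.0.10", "managed": True, "credentialed": True,
     "last_discovered": "2023-03-29T00:00:00Z", "last_enumerated": "2023-03-25T00:00:00Z"},
    {"ip": "10.0.0.11", "managed": True, "credentialed": False,
     "last_discovered": "2023-03-30T00:00:00Z", "last_enumerated": "2023-03-28T00:00:00Z"},
    {"ip": "10.0.0.12", "managed": False, "credentialed": False,
     "last_discovered": "2023-03-20T00:00:00Z", "last_enumerated": None},
]
SAMPLE_SIGNATURE = {"vendor_released": "2023-03-30T06:00:00Z", "applied": "2023-03-31T12:00:00Z"}
SAMPLE_INGESTION = {"scan_completed": "2023-03-28T00:00:00Z", "ingested": "2023-03-29T00:00:00Z"}
```

Running `evaluate(SAMPLE_ASSETS, SAMPLE_SIGNATURE, SAMPLE_INGESTION, "2023-03-31T12:00:00Z")` on the constructed data reports two-thirds coverage and four findings (one uncredentialed managed host, one host stale on both discovery and enumeration, and a 30-hour signature lag), while ingestion passes.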

CISA also published Implementation Guidance for this Directive (https://www.cisa.gov/implementation-guidance-binding-operational-directive-23-01), which includes a set of FAQs addressing the most commonly asked implementation questions.

Following the New Directive

Given the frequency and impact of the cyber attacks that have been hitting U.S. federal networks, CISA issued this binding Directive requiring every FCEB unclassified federal information system to be captured in a formal inventory process and assessed for vulnerabilities, every 7 and 14 days respectively. The Directive also highlights the centrality of attack surface and vulnerability management within an agency's overall threat management strategy.

NopSec Unified VRM, with its focus on vulnerability prioritization, attack surface risk management, and asset management, provides an easy-to-deploy vulnerability risk management framework through a SaaS Service that can be used to easily implement the CISA Directive 23-01.
