The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new Binding Operational Directive (BOD) to improve asset visibility and vulnerability detection on federal networks.
Named BOD 23–01 and becoming effective on April 03, 2023, the new directive requires federal civilian executive branch (FCEB) agencies to perform automated asset discovery every seven days.
“While many methods and technologies can be used to accomplish this task, at minimum, this discovery must cover the entire IPv4 space used by the agency,” reads the document.
Further, the directive calls for FCEB agencies to initiate vulnerability enumeration across all discovered assets (including all discovered nomadic/roaming devices) every 14 days, and automated ingestion of vulnerability enumeration results into the Continuous Diagnostics and Mitigation (CDM) Agency Dashboard within 72 hours of discovery.
Through BOD 23–01, CISA also mandated the development and maintenance of operational capability to initiate on–demand asset discovery and vulnerability enumeration within 72 hours of receiving a request from CISA. FCEB agencies are required provide the available results to CISA within seven days of submission.
“Within six months of CISA publishing requirements for vulnerability enumeration performance data, all FCEB agencies are required to initiate the collection and reporting of vulnerability enumeration performance data, as relevant to this directive, to the CDM Dashboard,” reads BOD 23–01.
“This data will allow for CISA to automate oversight and monitoring of agency scanning performance, including the measurement of scanning cadence, rigor, and completeness.”
As part of the directions unveiled in the directive, by April 3, 2023, agencies and CISA will deploy an updated CDM Dashboard configuration enabling access to object–level vulnerability enumeration data for CISA analysts.
BOD 23–01 only applies to FCEB agencies, but CISA recommends all stakeholders review and incorporate the standards it sets forth.
“Doing so will ensure asset management and vulnerability detection practices that will strengthen their organization’s cyber–resilience,” the Agency wrote.
The directive’s publication comes a month after CISA and other government agencies introduced new guidance for developers aimed to improve the security of the software supply chain.