CISA BOD 23-01: Identifying Asset Visibility and Vulnerability

A new binding operational directive (BOD) announced by the Cybersecurity and Infrastructure Security Agency (CISA) is giving federal, executive branch departments, and agencies less than 6 months to act to better protect their assets. BOD 23-01 aims to make ‘measurable progress’ toward enhancing visibility into agency assets and associated vulnerabilities. It focuses on two areas:

1. Asset Discovery of all IP-addressable networked assets reached over IPv4 and IPv6 protocols.
2. Vulnerability Enumeration which identifies and reports suspected vulnerabilities of those assets, such as outdated and unpatched operating systems and software and any non-compliance issues that could put data at risk.

The growing cost of cybercrime

The growing frequency and cost of cyberattacks are huge causes for concern for governments, businesses, and individuals. Cybercrime cost US businesses more than $6.9 billion in 2021 and a study released last year found that in 93% of cases a hacker can breach a company’s network perimeter and gain access to local resources. On average that can take just two days!

Public agencies are a clear target but by gaining greater visibility of your assets and detecting vulnerabilities early, you can reduce that risk. CISA wants to stop headlines like those in 2020 when an attack impacted multiple government departments as well as other non-governmental organizations. Attackers focused on the supply chain to gain entry and accessed vast quantities of information.

Method of asset and vulnerability discovery

To protect assets you need complete visibility into what you have, where they are located, who is using them, and what is running on them. You need to be sure everything is patched, is using the latest OS, and complies with your organization’s security policies. CISA notes a variety of asset discovery methods, such as active scanning, passive flow monitoring, querying logs or API query for software defined infrastructure. This will enable FCEB agencies to:

• Maintain an updated view of networked assets.
• Identify software vulnerabilities.
• Track how often the agency enumerates its assets to check for vulnerabilities.
• Provide the details on asset and vulnerabilities to CISA’s CDM Federal Dashboard.

Required Actions

By April 3, 2023, all FCEB agencies must:

• Perform automated asset discovery every 7 days.
• Initiate vulnerability enumeration across all assets, including ‘nomadic’ assets such as laptops, every 14 days. Where capable, this should also be performed on mobile devices. CISA notes that larger enterprises may not be able to complete the full vulnerability discovery within 14 days, but they should implement these activities at regular intervals.
• Ensure all vulnerability detection signatures used must be updated at an interval no greater than 24 hours from the last vendor-released signature update.
• Feed the results of vulnerability enumeration into the CDM Agency Dashboard within 72 hours of completion.
• Be able to initiate on-demand asset discovery and vulnerability enumeration within 72 hours of receiving a request from CISA, providing available results within 7 days of that request.

Also by April 3, 2023, agencies and CISA, through the CDM program, will deploy an updated CDM Dashboard configuration that enables access to object-level vulnerability enumeration data for CISA analysts, as authorized in the Executive Order on Improving the Nation’s Cybersecurity.  

Within 6 months of CISA publishing requirements for vulnerability enumeration and performance data, all FCEB agencies must initiate the collection and reporting of vulnerability performance data under the directive, to the CDM Dashboard for oversight and monitoring purposes.

Resolving issues before they arise

To manage asset discovery and vulnerability enumeration within the timeline set by CISA is intelligent automation consider a digital platform conductor (DPC), which has been recognized in four Gartner hype cycles. A DPC connects to, collects, and analyzes information from IT asset discovery and management tools, identifies security vulnerabilities, and orchestrates and automates workflows to quickly mitigate risks.

Using a DPC you can:

• Comply with the weekly automated asset discovery and on-demand asset-discovery requirements with an always up-to-date view of your entire IT estate.
• Easily identify any vulnerabilities, such as outdated OS, unpatched software, or non-compliance to regulations by querying data to comply with the 14-day timeframe and take a prescribed action. For example, systems that have been identified as requiring a patch will be automatically added to a workflow to install the patch.
• Leverage connectors to automatically update the CDM Agency Dashboard with curated, real-time data.
• Create daily automated scans to identify any outdated vulnerability detection signatures (VDS) to update and comply with BOD 23-01 requirements.

Using the orchestration capabilities of a DPC you can also automate many of the workflows required to secure any vulnerabilities, including software update or patches, testing and more to reduce risks.

Book a demo with ReadyWorks to understand how you can leverage a DPC to comply with CIS BOD 23-01.