It’s no secret that governments are prime cyber attack targets the world over. And why not? They hold very sensitive information that can bring entire nations down. State institutions and political systems have, in fact, been attacked more than 155,000 times in 2023.
The public sector needs means to effectively hold attackers off. So the Cybersecurity and Infrastructure Security Agency (CISA) provided government institutions with a way to defend not just their networks but also their national interests and critical infrastructure with the implementation of Binding Operational Directive (BOD) 23-01. But what is it exactly?
What Is BOD 23-01?
The CISA published BOD 23-01 in October 2022. This directive aims to advance government agencies’ progress toward seeing all of their digital assets and their associated vulnerabilities. Every Federal Civilian Executive Branch (FCEB) enterprise must safeguard their information and information systems against all threats.
The CISA compiled a complete list of FCEB enterprises mandated to adhere to BOD 23-01 for guidance.
BOD 23-01 focuses on two key areas—asset discovery and vulnerability enumeration.
What Are the Building Blocks of BOD 23-01?
According to BOD 23-01, improving operational visibility for a successful cybersecurity program requires asset discovery and vulnerability enumeration.
What Is Asset Discovery?
Organizations can’t have operational visibility without uncovering all of their assets first. They need to identify which of their systems and services are accessible via the Internet. These external assets include domains, subdomains, IP addresses, open ports, cloud storage and services, connected devices, and even shadow IT—practically everything an external attack surface management (EASM) platform tracks in the attack surface discovery phase.
EASM platforms help automate asset discovery for organizations, allowing users to check vital asset information, including the total number of assets categorized into types, along with the assets’ overall health, vulnerabilities, and root assets.
All of the assets, even newly integrated ones, are typically cataloged as soon as they’re network-connected, making asset discovery a continuous instead of a one-time process.
What Is Vulnerability Enumeration?
Vulnerability enumeration, the other process BOD 23-01 requires, identifies and reports suspected vulnerabilities found on public-facing assets. As such, it:
- Detects vulnerable or insufficiently protected operating systems (OSs), applications, open ports, and other public-facing hosts
- Tries to determine outdated versions, missing updates, and misconfigurations
- Validates compliance with or deviations from security policies
- Identifies host attributes and matches them with data on known vulnerabilities like those found in the Common Vulnerabilities and Exposures (CVE) database and the Known Exploited Vulnerabilities (KEV) Catalog
An EASM platform can not only identify vulnerabilities but also prioritize them for remediation. Prioritization is critical in that seeing too many vulnerabilities may overwhelm the security team.
Vulnerability prioritization follows the Common Vulnerability Scoring System (CVSS). Apart from the total number of vulnerabilities, EASM platforms allow users to get more details about each one, including its severity, current remediation status, affected assets, and more.
All the information—a comprehensive asset inventory and their corresponding vulnerabilities—allows security teams to tackle issues based on criticality and impact, speeding up the remediation process.
What Should Federal Agencies Do to Comply with BOD 23-01?
To abide by the mandates of BOD 23-01, government institutions need to enhance their asset visibility, notably by maintaining an up-to-date inventory of all network-connected assets and identifying software vulnerabilities.
Next, they must track how often they enumerate assets, how many of them they can identify, and how current their vulnerability signatures are.
Finally, they should report all their asset and vulnerability information to the CISA’s CDM Federal Dashboard. Automated attack surface management tools can help here by providing downloadable reports, allowing for faster reporting.
Ready to find out how Attaxion continuously discovers assets and scans for vulnerabilities? Kickstart your 30-day trial now!