CISA Director Jen Easterly announced a new Binding Operational Directive (BOD 23-01) on Monday requiring all Federal civilian agencies to report detailed data about vulnerabilities to CISA at timed intervals using automated tools.
“We have said consistently that we are on an urgent path to gain visibility into risks facing federal civilian networks. This is a movement essentially to allow CISA, in its role as operational lead for federal cybersecurity, to manage federal cybersecurity as an enterprise.”
Following are a few of the stringent reporting requirements under BOD 23-01 that begin in April 2023.
By April 3, 2023, all FCEB agencies are required to take the following actions on all federal information systems in scope of this directive:
- Perform automated asset discovery every 7 days. At minimum, this discovery must cover the entire IPv4 space used by the agency.
- Initiate vulnerability enumeration across all discovered assets, including all discovered nomadic/roaming devices (e.g., laptops), every 14 days.
- All vulnerability detection signatures used must be updated at an interval no greater than 24 hours from the last vendor-released signature update.
- Agencies must perform the same type of vulnerability enumeration on mobile devices (e.g., iOS and Android) and other devices that reside outside of agency on-premises networks.
- Initiate automated ingestion of vulnerability enumeration results (i.e., detected vulnerabilities) into the CDM Agency Dashboard within 72 hours of discovery.
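The four cadences above (7-day discovery, 14-day enumeration, 24-hour signature lag, 72-hour ingestion) are the kind of thing an agency will want to check continuously rather than by hand. The following is an added example, not code from the article or from CISA, of a small compliance checker that reads per-asset timestamps and finding records and reports which requirement is currently missed and by how much. The `Asset` and `Finding` record layouts, the `sample_report` data and the device names are all constructed assumptions; a real deployment would populate them from the agency's inventory and scanner exports.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Cadences stated in BOD 23-01, as summarized on the page.
DISCOVERY_INTERVAL = timedelta(days=7)      # automated asset discovery
ENUMERATION_INTERVAL = timedelta(days=14)   # vulnerability enumeration per asset
SIGNATURE_LAG = timedelta(hours=24)         # scanner signatures vs. vendor release
INGESTION_WINDOW = timedelta(hours=72)      # detection -> CDM Agency Dashboard


@dataclass
class Asset:
    """Hypothetical row exported by an agency inventory tool (assumed format)."""
    name: str
    last_discovery: datetime
    last_enumeration: Optional[datetime]    # None = never enumerated
    roaming: bool = False                   # laptops, mobile devices, off-prem hosts


@dataclass
class Finding:
    """A detected vulnerability and when (if ever) it reached the CDM dashboard."""
    asset: str
    detected_at: datetime
    ingested_at: Optional[datetime]         # None = not yet ingested


@dataclass
class Violation:
    subject: str
    requirement: str
    overdue_by: Optional[timedelta]         # None when the action never happened


def check_cadence(assets: List[Asset], findings: List[Finding],
                  vendor_sig_release: datetime, scanner_sig_update: datetime,
                  now: datetime) -> List[Violation]:
    """Return every BOD 23-01 cadence requirement that is currently missed."""
    violations: List[Violation] = []

    for a in assets:
        # Discovery and enumeration apply to every asset, roaming devices included.
        disc_age = now - a.last_discovery
        if disc_age > DISCOVERY_INTERVAL:
            violations.append(Violation(a.name, "discovery", disc_age - DISCOVERY_INTERVAL))
        if a.last_enumeration is None:
            violations.append(Violation(a.name, "enumeration", None))
        else:
            enum_age = now - a.last_enumeration
            if enum_age > ENUMERATION_INTERVAL:
                violations.append(Violation(a.name, "enumeration", enum_age - ENUMERATION_INTERVAL))

    # The scanner must pick up each vendor signature release within 24 hours.
    # If it has not updated since the release, the lag is still growing.
    effective = scanner_sig_update if scanner_sig_update >= vendor_sig_release else now
    lag = effective - vendor_sig_release
    if lag > SIGNATURE_LAG:
        violations.append(Violation("scanner", "signature-update", lag - SIGNATURE_LAG))

    # Each finding must be in the dashboard within 72 hours of detection.
    for f in findings:
        deadline = f.detected_at + INGESTION_WINDOW
        reached = f.ingested_at if f.ingested_at is not None else now
        if reached > deadline:
            subject = f"{f.asset}:{f.detected_at:%Y-%m-%d}"
            violations.append(Violation(subject, "ingestion", reached - deadline))

    return violations


def sample_report() -> List[Violation]:
    """Run the checker over constructed sample data (not real agency data)."""
    now = datetime(2023, 4, 3, 12, 0, tzinfo=timezone.utc)

    def h(hours: int) -> datetime:          # "hours ago" relative to now
        return now - timedelta(hours=hours)

    assets = [
        Asset("10.0.0.5", h(48), h(240)),                 # compliant
        Asset("10.0.0.9", h(216), h(360)),                # 9 days / 15 days: both overdue
        Asset("laptop-7", h(24), None, roaming=True),     # discovered, never enumerated
    ]
    findings = [
        Finding("10.0.0.5", h(120), h(110)),              # ingested 10h after detection
        Finding("10.0.0.9", h(96), None),                 # 96h old, not ingested: 24h overdue
        Finding("laptop-7", h(24), None),                 # still inside the 72h window
    ]
    return check_cadence(assets, findings,
                         vendor_sig_release=h(30), scanner_sig_update=h(4), now=now)


if __name__ == "__main__":
    for v in sample_report():
        print(f"{v.subject:24} {v.requirement:17} overdue by {v.overdue_by}")
```

The checker reports a missed enumeration even when discovery is current (the roaming laptop above), and treats a finding that has not been ingested as compliant until its 72-hour window actually expires, which keeps the report free of noise for findings that are simply recent.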