CISA Director Jen Easterly announced a new Binding Operational Directive (BOD 23-01) on Monday requiring all Federal civilian agencies to report detailed data about vulnerabilities to CISA at timed intervals using automated tools.
“We have said consistently that we are on an urgent path to gain visibility into risks facing federal civilian networks. This is a movement essentially to allow CISA, in its role as operational lead for federal cybersecurity, to manage federal cybersecurity as an enterprise.”
Following are a few of the stringent reporting requirements under BOD 23-01 that take effect in April 2023.
By April 3, 2023, all FCEB agencies are required to take the following actions on all federal information systems in scope of this directive:
- Perform automated asset discovery every 7 days; at minimum, this discovery must cover the entire IPv4 space used by the agency.
- Initiate vulnerability enumeration across all discovered assets, including all discovered nomadic/roaming devices (e.g., laptops), every 14 days.
- All vulnerability detection signatures used must be updated at an interval no greater than 24 hours from the last vendor-released signature update.
- Agencies must perform the same type of vulnerability enumeration on mobile devices (e.g., iOS and Android) and other devices that reside outside of agency on-premises networks.
- Initiate automated ingestion of vulnerability enumeration results (i.e., detected vulnerabilities) into the CDM Agency Dashboard within 72 hours of discovery.
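The four cadences above (discovery every 7 days over the full IPv4 space, enumeration every 14 days, signatures no more than 24 hours behind the vendor, ingestion into the CDM dashboard within 72 hours) are easy to state and easy to drift from. The following is an added example, not code from CISA or the original post, of a small checker that evaluates a snapshot of an agency's scanning posture against those deadlines. The record layout, the field names and the sample timestamps are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Cadences as stated in BOD 23-01 (summarized on the page)
DISCOVERY_MAX_AGE = timedelta(days=7)
ENUMERATION_MAX_AGE = timedelta(days=14)
SIGNATURE_MAX_LAG = timedelta(hours=24)
INGESTION_MAX_LAG = timedelta(hours=72)


@dataclass
class ScanState:
    """Snapshot of an agency's scanning posture (constructed; field names are assumptions)."""
    owned_ranges: list              # IPv4 CIDRs the agency uses
    discovered_ranges: list         # CIDRs the last discovery run actually scanned
    last_discovery: datetime
    last_enumeration: datetime
    vendor_signature_release: datetime  # timestamp of the newest vendor signature set
    signature_installed: datetime       # timestamp of the signature set in use
    newest_detection: datetime          # when the most recent vulnerability was detected
    newest_ingestion: datetime          # when it appeared in the CDM Agency Dashboard


def ipv4_space_covered(owned, discovered):
    """True if every owned IPv4 range lies inside some range the discovery scanned."""
    scanned = [ipaddress.ip_network(c, strict=False) for c in discovered]
    scanned = [n for n in scanned if n.version == 4]
    for cidr in owned:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != 4:
            continue  # the directive's minimum is the IPv4 space
        if not any(net.subnet_of(s) for s in scanned):
            return False
    return True


def check_bod_23_01(state, now):
    """Return {requirement: compliant?} for the cadences listed on the page."""
    # Signatures are compliant if the installed set is at least as new as the vendor's,
    # or the vendor release is still inside the 24-hour update window.
    signatures_ok = (
        state.signature_installed >= state.vendor_signature_release
        or now - state.vendor_signature_release <= SIGNATURE_MAX_LAG
    )
    return {
        "discovery_every_7_days": now - state.last_discovery <= DISCOVERY_MAX_AGE,
        "discovery_covers_ipv4_space": ipv4_space_covered(
            state.owned_ranges, state.discovered_ranges
        ),
        "enumeration_every_14_days": now - state.last_enumeration <= ENUMERATION_MAX_AGE,
        "signatures_within_24h": signatures_ok,
        "ingestion_within_72h": (
            state.newest_ingestion - state.newest_detection <= INGESTION_MAX_LAG
        ),
    }


def failing_requirements(report):
    """Names of the requirements that are out of compliance, in a stable order."""
    return [name for name, ok in report.items() if not ok]


# Constructed sample: one agency evaluated on 2023-04-10 (the page's April 2023 start)
NOW = datetime(2023, 4, 10, 12, 0)
SAMPLE_STATE = ScanState(
    owned_ranges=["10.20.0.0/16", "192.0.2.0/24"],   # 192.0.2.0/24 is a documentation range
    discovered_ranges=["10.20.0.0/16"],               # the /24 was never scanned
    last_discovery=datetime(2023, 4, 5, 2, 0),        # 5 days ago: fine
    last_enumeration=datetime(2023, 3, 20, 2, 0),     # 21 days ago: late
    vendor_signature_release=datetime(2023, 4, 9, 0, 0),
    signature_installed=datetime(2023, 4, 8, 0, 0),   # 36 h behind the vendor: late
    newest_detection=datetime(2023, 4, 9, 6, 0),
    newest_ingestion=datetime(2023, 4, 10, 6, 0),     # 24 h to the dashboard: fine
)


def sample_report():
    return check_bod_23_01(SAMPLE_STATE, NOW)


if __name__ == "__main__":
    for name, ok in sample_report().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run as a script it prints one PASS/FAIL line per requirement; in the constructed sample the coverage gap, the stale enumeration and the lagging signatures all fail while the discovery interval and ingestion latency pass. Feeding it real scan metadata is a matter of populating `ScanState` from the scanner's and dashboard's own export formats, which are not modelled here.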
Typically, attackers know more about your enterprise than you do. They gain initial access into your enterprise, discover all of your assets, and plan angles of attack to achieve their objectives. It’s critical for all organizations, including Federal agencies, to view their enterprises through the eyes of an attacker to ensure they don’t have rogue, misconfigured, or vulnerable assets on their network that could lead to a compromise. The requirements outlined in BOD 23-01, which include continuous security testing combined with prioritized fix actions integrated into detection engineering practices, are critical to ensuring organizations are prepared to detect and respond to cyberattacks.
This initiative directly concerns network infrastructure and does mention mobile devices, but only in the context of agency-owned devices. It should be extended to include the increasing threat posed by apps downloaded onto personal devices.