
Binding Operational Directive 23-01 – Improving Asset Visibility and Vulnerability Detection on Federal Networks
A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.
In November 2021, CISA brought us Binding Operational Directive 22-01. Almost a year later, CISA has unveiled their newest installment, BOD 23-01.
BOD 23-01 is an ambitious step towards strengthening the US Federal Government’s cybersecurity posture in accordance with President Biden’s Executive Order 14028. While the previous directive laid out the requirements regarding vulnerability mitigation and reporting for individual agencies, what we see in 23-01 is a centralization and streamlining of cybersecurity for all Federal Civilian Executive Branch (FCEB) agencies.
Ostensibly, the new directive focuses on asset management and vulnerability enumeration within all FCEB agencies. As one could guess, managing the cybersecurity posture of every asset, including roaming and nomadic devices, across a hundred or so individual agencies is an undertaking that requires a single system.
To combat this issue, CISA has laid out a number of required actions to achieve the following goals:
- Maintain an up-to-date inventory of networked assets as defined in the scope of this directive;
- Identify software vulnerabilities, using privileged or client-based means where technically feasible;
- Track how often the agency enumerates its assets, what coverage of its assets it achieves, and how current its vulnerability signatures are; and
- Provide asset and vulnerability information to CISA’s CDM Federal Dashboard.
The scope of these actions encompasses all FCEB unclassified federal information systems (including information systems used or operated by another entity on behalf of an agency). All reportable information technology or operational technology assets fall within the scope. Only assets like containers or third-party SaaS are excluded.
The required actions are rigorous by government standards. Agencies are expected to:
- Perform automated asset discovery every 7 days.
- Initiate vulnerability enumeration across all discovered assets (including nomadic and roaming devices) every 14 days, using privileged credentials.
- Update vulnerability detection signatures within 24 hours of their vendor release.
- Set up all vulnerability enumeration results for automatic ingestion into the CDM Agency Dashboard.
- Be able to perform on-demand asset discovery and vulnerability enumeration within 72 hours of a CISA request.
Within six months of the publication of these requirements, all FCEB agencies are required to collect and report their vulnerability data to CISA. By 3 April 2023, agencies and CISA, through the CDM program, will deploy an updated CDM Dashboard configuration that enables access to object-level vulnerability enumeration data for CISA analysts, as authorized in the Executive Order on Improving the Nation’s Cybersecurity.
If you aren’t aware of what the Continuous Diagnostics and Mitigation (CDM) program is, think of it as a vulnerability management system that encompasses all FCEB agencies. Information flows from assets within individual agencies to an agency-level CDM dashboard. The data from all agencies is then fed to the Federal Dashboard. This upwards accumulation of data allows CISA to provide a status report to the Secretary of Homeland Security, the Director of OMB, and the National Cybersecurity Director. It also enables CISA to monitor agency compliance.
Seems like CISA is cutting out the middleman when it comes to vulnerability reporting and mitigation to create a cybersecurity monolith.

