On October 3, 2022 the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 23-01 – Improving Asset Visibility and Vulnerability Detection on Federal Networks, a compulsory order intended to “make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities.”
BOD 23-01 mandates that Federal Civilian Executive Branch (FCEB) agencies complete a series of required actions within six months, that is, by April 3, 2023. CISA offers implementation guidance, but with the deadline fast approaching, are you ready?
No problem, right? Hasn’t asset visibility and classification been mandated under CISA’s Continuous Diagnostics and Mitigation (CDM) Program since 2012? Yes, but BOD 23-01’s specific reporting requirements may necessitate that you upgrade your CDM solutions to ensure full and seamless compliance.
Here’s what to know and how to make sure you’re prepared for the deadline.
What’s new in BOD 23-01?
CISA traditionally leads with a “carrot” but follows up with a “stick” to get agencies to the desired end state. For CDM, BOD 23-01 is that stick. It directs the FCEB to take required actions around asset discovery and vulnerability enumeration on all FCEB unclassified information systems that maintain agency information, and it applies to all IP-addressable networked assets that can be reached over IPv4 and IPv6 protocols, including roaming and nomadic devices such as laptops. Concretely, agencies must perform automated asset discovery every 7 days, initiate vulnerability enumeration across all discovered assets every 14 days, and ingest the enumeration results into the CDM Agency Dashboard within 72 hours of completion.
Under CDM, IT security programs should maintain an asset inventory. Given the ever-expanding IT landscape and the evolving threats posed by nation-state actors and sophisticated cyber criminals, maintaining comprehensive, real-time visibility is a challenge. It comes as no surprise that the Federal Zero Trust Strategy (OMB M-22-09) also requires a complete, accurate and up-to-date inventory of every device an agency operates by the end of fiscal year 2024.
The CDM Program also requires the FCEB to report on asset visibility and vulnerability enumeration. Even if you have not struggled with these metrics in the past, be prepared to step up your game, because the reporting requirements are changing:
By April 3, CISA will deploy an updated CDM Dashboard configuration that gives CISA analysts access to object-level vulnerability enumeration data, as authorized by Executive Order 14028, Improving the Nation’s Cybersecurity.
The updated dashboard is long overdue and will also support annual Federal Information Security Modernization Act (FISMA) metric reporting on the total number of networked assets at your agency over a given period.
Accurate reporting follows from complete visibility. If you can achieve the first requirement, the second will follow.
Included adoption engineering services
Agencies that have participated in CDM over the last decade already have the technology and processes in place to comply with the new requirements. Unfortunately, as with many long-running programs, constant change on the network, coupled with little enforcement, can drive a CDM deployment out of alignment with what is actually connected. Everyday causes include aging devices, software failures, new device types joining the network and other unexpected interoperability problems. Then there is staff turnover: perhaps the person who managed your CDM program has left, with no replacement.
Often, agencies must scramble to meet short BOD deadlines by hiring a government employee, bringing on a contractor or filing a Request for Services (RFS) with a systems integrator. Each option is costly and may not deliver results in time.
The good news is:
- If you’re one of the 164 federal civilian agencies that use Forescout® eyeSight and Forescout® eyeControl for CDM, you already have what you need to meet the new requirements. You probably just need some tuning.
- Forescout’s contract with its federal civilian agency customers includes pre-paid adoption engineering services to ensure your continued success. We’ll quickly bring in the right expert to help put you back on track, without making you jump through any hoops.
Need help? Just ask.
Many federal civilian agencies are already taking advantage of the included Forescout adoption engineering services. If you have Forescout eyeSight and Forescout eyeControl licenses and need help meeting the BOD 23-01 April 3 deadline, contact your account representative.