This week, the Cybersecurity and Infrastructure Security Agency (CISA) issued binding operational directive (BOD) 23-01 setting baseline requirements for civilian agencies to identify and inventory assets and vulnerabilities on federal networks. Learn what’s in scope, implementation guidelines and details on how federal agencies leverage cybersecurity asset management from Axonius to meet this directive.

Binding Operational Directive 23-01 (BOD 23-01) 

On October 3, 2022 the Cybersecurity and Infrastructure Security Agency issued Binding Operational Directive 23-01 - Improving Asset Visibility and Vulnerability Detection on Federal Networks, a compulsory order meant to “make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities.” The order centers around two core areas of focus:

1. Asset Discovery - Defined in the order as “an activity through which an organization identifies what network addressable IP-assets reside on their networks and identifies the associated IP addresses (hosts).” The order also specifies asset discovery should be non-intrusive and “usually does not require special logical access privileges.”
2. Vulnerability Enumeration - The BOD categorizes vulnerability enumeration as the ability to identify and report on vulnerabilities on those discover assets, including:
1. Operating Systems
2. Software and Version
3. Missing Updates
4. Misconfigurations

Asset and Vulnerability Discovery and Requirements from Binding Operational Directive 23-01

The BOD gives examples of asset and vulnerability discovery approaches including active scanning,  passive flow monitoring, log queries, and API queries. It states that many agencies (including several Axonius customers) have addressed these visibility challenges through their Continuous Diagnostics and Mitigation (CDM) implementations. 

While the BOD states that “Asset visibility is not an end in itself, but is necessary for updates, configuration management, and other security and lifecycle management activities that significantly reduce cybersecurity risk, along with exigent activities like vulnerability remediation,” it states that the goal of the directive is to achieve the following goals without prescribing exactly how to do it.

Maintain An Up-to-Date Inventory of Network Assets

Identify Software Vulnerabilities 

The order specifies using privileged or client-based means where technically feasible. Watch the following video to see how Axonius enables federal agencies to see all of their assets and highlights use cases including agent coverage, agent health, and patch management.

Track How Often the Agency Enumerates Its Assets 

The order requires federal agencies to understand what coverage of its assets it achieves, and how current its vulnerability signatures are. 

Provide Asset and Vulnerability Information to CISA’s CDM Federal Dashboard.

Finally, agencies are required to provide asset and vulnerability information to CISA’s CDM federal dashboard. 

What is the Scope of Binding Operational Directive 23-01?

The BOD applies to “any Federal Civilian Executive Branch (FCEB) unclassified federal information system, including any federal information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.”

Additionally, the BOD defines assets as:

“all IP-addressable networked assets that can be reached over IPv4 and IPv6 protocols. For the purpose of this directive, an IP-addressable networked asset is defined as any reportable (i.e., non-ephemeral) information technology or operational technology asset that is assigned an IPv4 or IPv6 address and accessible over IPv4 or IPv6 networks, regardless of the environment it operates in. The scope includes, but is not limited to, servers and workstations, virtual machines, routers and switches, firewalls, network appliances, and network printers — whether in on-premises, roaming, and cloud operated deployment models. The scope excludes ephemeral assets, such as containers and third-party-managed software as a service (SaaS) solutions.”

What Actions Are Required?

By April 3, 2023, all FCEB Agencies are required to:

1. Perform automated asset discovery every 7 days - Axonius federal customers are able to automate asset discovery as an ongoing, scheduled process and on demand. 
2. Initiate vulnerability enumeration across all assets “including all discovered nomadic/roaming devices (e.g., laptops), every 14 days.” By connecting to all tools that discover asset vulnerabilities, Axonius is able to provide federal agencies with  comprehensive visibility of all vulnerabilities and their severity levels. 
3. Initiate automated ingestion of vulnerability enumeration results (i.e., detected vulnerabilities) into the CDM Agency Dashboard within 72 hours of discovery completion. Axonius federal customers are able to automate vulnerability data reporting into CDM dashboards immediately. 
4. Develop and maintain the operational capability to initiate on-demand asset discovery and vulnerability enumeration to identify specific assets or subsets of vulnerabilities within 72 hours of receiving a request from CISA and provide the available results to CISA within 7 days of request. This capability is a core Axonius feature, letting federal agencies respond to a CISA request immediately. 
5. Within 6 months of CISA publishing requirements for vulnerability enumeration performance data, all FCEB agencies are required to initiate the collection and reporting of vulnerability enumeration performance data, as relevant to this directive, to the CDM Dashboard. 
6. By April 3, 2023, agencies and CISA, through the CDM program, will deploy an updated CDM Dashboard configuration that enables access to object-level vulnerability enumeration data for CISA analysts, as authorized in the Executive Order on Improving the Nation’s Cybersecurity.  

Implementation Guidance for CISA Binding Operational Directive 23-01

In addition to the BOD, CISA released an implementation guidance document, defining terms and addressing frequently asked questions. 

For example:

Q: How does the pre-existing requirement to perform endpoint detection and response (EDR) differ from the requirements of this BOD? To what extent does EDR address asset visibility needs?

A: Asset visibility is a prerequisite for determining where to deploy EDR. While most EDR tools do not provide vulnerability information, the directive gives agencies the flexibility to use any tool that provides credential or client-level vulnerability information. If an agency deploys EDR tools that can provide vulnerability information, those tools can be used in place of a client-based scanner.

How Can Federal Agencies Use Axonius to Address CISA Binding Operational Directive 23-01?

U.S. federal agencies trust Axonius to comply with cybersecurity regulations, guidelines, and mandates like Zero Trust, the NIST Cybersecurity Framework, CDM, FISMA, and more. Contact Axonius Federal Systems, and get a demo to learn more about addressing CISA Binding Operational Directive 23-01