- Use Cases
This week, the Cybersecurity and Infrastructure Security Agency (CISA) issued binding operational directive (BOD) 23-01 setting baseline requirements for civilian agencies to identify and inventory assets and vulnerabilities on federal networks. Learn what’s in scope, implementation guidelines and details on how federal agencies leverage cybersecurity asset management from Axonius to meet this directive.
On October 3, 2022 the Cybersecurity and Infrastructure Security Agency issued Binding Operational Directive 23-01 - Improving Asset Visibility and Vulnerability Detection on Federal Networks, a compulsory order meant to “make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities.” The order centers around two core areas of focus:
The BOD gives examples of asset and vulnerability discovery approaches including active scanning, passive flow monitoring, log queries, and API queries. It states that many agencies (including several Axonius customers) have addressed these visibility challenges through their Continuous Diagnostics and Mitigation (CDM) implementations.
While the BOD states that “Asset visibility is not an end in itself, but is necessary for updates, configuration management, and other security and lifecycle management activities that significantly reduce cybersecurity risk, along with exigent activities like vulnerability remediation,” it states that the goal of the directive is to achieve the following goals without prescribing exactly how to do it.
The order specifies using privileged or client-based means where technically feasible. Watch the following video to see how Axonius enables federal agencies to see all of their assets and highlights use cases including agent coverage, agent health, and patch management.
The order requires federal agencies to understand what coverage of its assets it achieves, and how current its vulnerability signatures are.
Finally, agencies are required to provide asset and vulnerability information to CISA’s CDM federal dashboard.
The BOD applies to “any Federal Civilian Executive Branch (FCEB) unclassified federal information system, including any federal information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.”
Additionally, the BOD defines assets as:
“all IP-addressable networked assets that can be reached over IPv4 and IPv6 protocols. For the purpose of this directive, an IP-addressable networked asset is defined as any reportable (i.e., non-ephemeral) information technology or operational technology asset that is assigned an IPv4 or IPv6 address and accessible over IPv4 or IPv6 networks, regardless of the environment it operates in. The scope includes, but is not limited to, servers and workstations, virtual machines, routers and switches, firewalls, network appliances, and network printers — whether in on-premises, roaming, and cloud operated deployment models. The scope excludes ephemeral assets, such as containers and third-party-managed software as a service (SaaS) solutions.”
By April 3, 2023, all FCEB Agencies are required to:
In addition to the BOD, CISA released an implementation guidance document, defining terms and addressing frequently asked questions.
Q: How does the pre-existing requirement to perform endpoint detection and response (EDR) differ from the requirements of this BOD? To what extent does EDR address asset visibility needs?
A: Asset visibility is a prerequisite for determining where to deploy EDR. While most EDR tools do not provide vulnerability information, the directive gives agencies the flexibility to use any tool that provides credential or client-level vulnerability information. If an agency deploys EDR tools that can provide vulnerability information, those tools can be used in place of a client-based scanner.
U.S. federal agencies trust Axonius to comply with cybersecurity regulations, guidelines, and mandates like Zero Trust, the NIST Cybersecurity Framework, CDM, FISMA, and more. Contact Axonius Federal Systems, and get a demo to learn more about addressing CISA Binding Operational Directive 23-01