On June 13, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces. In this post, we'll look at what's covered in BOD 23-02 and how Axonius federal customers are able to identify devices in scope.
What is BOD 23-02: Mitigating the Risk From Internet-Exposed Management Interfaces?
This Directive requires agencies to take steps to reduce the attack surface created by insecure or misconfigured management interfaces across certain classes of devices.
What is the scope of BOD 23-02?
BOD 23-02 defines a networked management interface as a "dedicated device interface that is accessible over network protocols and is meant exclusively for authorized users to perform administrative activities on a device, a group of devices, or the network itself."
It then specifies that the requirements in the Directive apply only to devices that meet both of the following:
- Devices residing on or supporting federal information systems and/or networks that belong to one of the following classes: routers, switches, firewalls, VPN concentrators, proxies, load balancers, and out-of-band server management interfaces (such as iLo and iDRAC).
- Devices for which the management interfaces are using network protocols for remote management over public internet, including, but not limited to: Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS), File Transfer Protocol (FTP), Simple Network Management Protocol (SNMP), Teletype Network (Telnet), Trivial File Transfer Protocol (TFTP), Remote Desktop Protocol (RDP), Remote Login (rlogin), Remote Shell (RSH), Secure Shell (SSH), Server Message Block (SMB), Virtual Network Computing (VNC), and X11 (X Window System).
This Directive does NOT apply to web applications and interfaces used for managing Cloud Service Provider (CSP) offerings including, but not limited to, Application Programming Interfaces (APIs) or management portals.
How can federal agencies identify devices covered by BOD 23-02?
Here's how federal agencies using Axonius can use queries to identify those devices in scope of BOD 23-02:
What are the required actions specified in BOD 23-02?
All federal civilian executive-branch agencies are required to comply with the following actions for all federal information systems hosted by agencies or third parties on their behalf.
- Within 14 days of notification by CISA or discovery by an agency of a networked management interface in scope for this Directive, agencies will take at least one of the following actions:
- Remove the interface from the internet by making it only accessible from an internal enterprise network (CISA recommends an isolated management network);
- Deploy capabilities, as part of a Zero Trust Architecture, that enforce access control to the interface through a policy enforcement point separate from the interface itself (preferred action).
- Agencies will implement technical and/or management controls to ensure that all management interfaces on existing and newly added devices, identified as in scope for this Directive, have at least one of the following protections in place:
- The interface is removed from the internet by making it only accessible from an internal enterprise network (CISA recommends an isolated management network);
- The interface is protected by capabilities, as part of a Zero Trust Architecture, that enforce access control to the interface through a policy enforcement point separate from the interface itself (preferred action).
How can federal agencies work with Axonius to identify devices related to BOD 23-02?
Federal agencies that are current Axonius customers can contact their Axonius Federal Systems Account Executive or Technical Account Manager to learn more about queries to uncover devices related to BOD 23-02. We will be happy to work with your team to customize a query that works with your unique environment.