Key takeaway: If you aren’t already doing continuous automated asset discovery and vulnerability enumeration on discovered assets, now is a good time to get started. [259 words]
What: The US Cybersecurity and Infrastructure Security Agency (CISA) this week issued Binding Operational Directive (BOD) 23-01 that requires all federal, executive branch, and agencies to implement measurable processes for ensuring continuous visibility over agency assets and associated vulnerabilities. The mandates apply to all Federal Civilian Executive Branch unclassified federal information systems, including those operated by entities on behalf of the government.
Why: Many organizations have lost visibility over all the network-addressable IP assets connected to their network because of the growing use of cloud, mobile and IoT technologies. The recent shift to WFH and hybrid work models has exacerbated this lack of visibility and heightened enterprise exposure to data breaches and other security incidents. CISA’s BOD is welcome recognition of one inescapable fact in cybersecurity: you cannot protect what you cannot see.
How: The mandate requires agencies to meet the following objectives without prescribing how they need to do it:
- Maintain an up-to-date inventory of all networked assets
- Identity software vulnerabilities in them
- Track how often the agency enumerates its assets and vulnerabilities, what coverage it achieves or how current its vulnerabilities signatures are
- Provide the information to CISA’s CDM Federal Dashboard on a specified basis.
The details:
CISA BINDING OPERATIONAL DIRECTIVE 23-01
CISA guidance on protecting an organization’s critical assets