
Submitted URL: https://hello.cyberark.com/api/mailings/click/PMRGSZBCHI4TMMBRGA4SYITVOJWCEORCNB2HI4DTHIXS653XO4XGG2LTMEXGO33WF5RGS3TENFXGO...
Effective URL: https://www.cisa.gov/news-events/directives/bod-23-01-improving-asset-visibility-and-vulnerability-detection-federal-...
Submission: On June 18 via manual from IN — Scanned from DE

Binding Operational Directives


BOD 23-01: IMPROVING ASSET VISIBILITY AND VULNERABILITY DETECTION ON FEDERAL
NETWORKS

October 03, 2022
Related topics:
Cybersecurity Best Practices


This page contains a web-friendly version of the Cybersecurity and
Infrastructure Security Agency’s Binding Operational Directive 23-01 - Improving
Asset Visibility and Vulnerability Detection on Federal Networks.

A binding operational directive is a compulsory direction to federal, executive
branch, departments and agencies for purposes of safeguarding federal
information and information systems. 44 U.S.C. § 3552(b)(1). Section 3553(b)(2)
of title 44, U.S. Code, authorizes the Secretary of the Department of Homeland
Security (DHS) to develop and oversee the implementation of binding operational
directives. Federal agencies are required to comply with these directives. 44
U.S.C. § 3554(a)(1)(B)(ii). These directives do not apply to statutorily defined
“national security systems” or to certain systems operated by the Department of
Defense or the Intelligence Community. 44 U.S.C. § 3553(b), (d), (e)(2),
(e)(3). This directive refers to the systems to which it applies as “Federal
Civilian Executive Branch” systems, and to agencies operating those systems as
“Federal Civilian Executive Branch” agencies.


BACKGROUND

Continuous and comprehensive asset visibility is a basic pre-condition for any
organization to effectively manage cybersecurity risk. Accurate and up-to-date
accounting of assets residing on federal networks is also critical for CISA to
effectively manage cybersecurity for the Federal Civilian Executive Branch
(FCEB) enterprise.

The purpose of this Binding Operational Directive is to make measurable progress
toward enhancing visibility into agency assets and associated vulnerabilities.
While the requirements in this Directive are not sufficient for comprehensive,
modern cyber defense operations, they are an important step to address current
visibility challenges at the component, agency, and FCEB enterprise level. The
requirements of this Directive focus on two core activities essential to
improving operational visibility for a successful cybersecurity program: asset
discovery and vulnerability enumeration.

 * Asset discovery is a building block of operational visibility, and it is
   defined as an activity through which an organization identifies what network
   addressable IP-assets reside on their networks and identifies the associated
   IP addresses (hosts). Asset discovery is non-intrusive and usually does not
   require special logical access privileges.
 * Vulnerability enumeration identifies and reports suspected vulnerabilities on
   those assets. It detects host attributes (e.g., operating systems,
   applications, open ports, etc.), and attempts to identify outdated software
   versions, missing updates, and misconfigurations. It validates compliance
   with or deviations from security policies by identifying host attributes and
   matching them with information on known vulnerabilities. Understanding an
   asset's vulnerability posture is dependent on having appropriate privileges,
   which can be achieved through credentialed network-based scans or a client
   installed on the host endpoint.

Discovery of assets and vulnerabilities can be achieved through a variety of
means, including active scanning, passive flow monitoring, querying logs, or in
the case of software defined infrastructure, API query. Many agencies' existing
Continuous Diagnostics and Mitigation (CDM) implementations leverage such means
to make progress toward intended levels of visibility. Asset visibility is not
an end in itself, but is necessary for updates, configuration management, and
other security and lifecycle management activities that significantly reduce
cybersecurity risk, along with exigent activities like vulnerability
remediation. The goal of this Directive is for agencies to comprehensively
achieve the following outcomes without prescribing how to do so:

 * Maintain an up-to-date inventory of networked assets as defined in the scope
   of this directive;
 * Identify software vulnerabilities, using privileged or client-based means
   where technically feasible;
 * Track how often the agency enumerates its assets, what coverage of its assets
   it achieves, and how current its vulnerability signatures are; and
 * Provide asset and vulnerability information to CISA's CDM Federal Dashboard.

Agencies may request CISA's assistance in conducting an engineering survey to
baseline current asset management capabilities. CISA will work with requesting
agencies to provide technical and program assistance to resolve gaps, optimize
scanning, and support achieving the required actions in this Directive.

This Directive's requirements advance the priorities set forth in the Executive
Order 14028 on Improving the Nation's Cybersecurity, specifically Sec. 7
(Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal
Government Networks), and provide operational clarity in achieving policy set
forth in previous OMB Memoranda, including M-21-02, M-22-05, and M-22-09.
Compliance with this Directive also supports BOD 22-01, Managing Unacceptable
Risk Vulnerabilities in Federal Enterprise, as it will enable agencies to
enhance the management of known exploited vulnerabilities that can be detected
using automated tools.


SCOPE

These required actions apply to any FCEB unclassified federal information
system, including any federal information system used or operated by another
entity on behalf of an agency, that collects, processes, stores, transmits,
disseminates, or otherwise maintains agency information.

This Directive applies to all IP-addressable networked assets that can be
reached over IPv4 and IPv6 protocols. For the purpose of this directive, an
IP-addressable networked asset is defined as any reportable (i.e.,
non-ephemeral) information technology or operational technology asset that is
assigned an IPv4 or IPv6 address and accessible over IPv4 or IPv6 networks,
regardless of the environment it operates in. The scope includes, but is not
limited to, servers and workstations, virtual machines, routers and switches,
firewalls, network appliances, and network printers — whether in on-premises,
roaming, and cloud operated deployment models. The scope excludes ephemeral
assets, such as containers and third-party-managed software as a service (SaaS)
solutions.


REQUIRED ACTIONS

 1. By April 3, 2023, all FCEB agencies are required to take the following
    actions on all federal information systems in scope of this directive:
    1. Perform automated asset discovery every 7 days. While many methods and
       technologies can be used to accomplish this task, at minimum this
       discovery must cover the entire IPv4 space used by the agency.
    2. Initiate vulnerability enumeration across all discovered assets,
       including all discovered nomadic/roaming devices (e.g., laptops), every
       14 days.
       1. CISA understands that in some instances achieving full vulnerability
          discovery on the entire enterprise may not complete in 14 days.
          Enumeration processes should still be initiated at regular intervals
          to ensure all systems within the enterprise are scanned on a regular
          cadence within this window.
       2. To the maximum extent possible and where available technologies
          support it, all vulnerability enumeration performed on managed
          endpoints (e.g., servers, workstations, desktops, laptops) and managed
          network devices (e.g., routers, switches, firewalls) must be conducted
          with privileged credentials (for the purpose of this directive, both
          network-based credentialed scans and client- or agent-based
          vulnerability detection methods are viewed as meeting this
          requirement).
       3. All vulnerability detection signatures used must be updated at an
          interval no greater than 24 hours from the last vendor-released
          signature update.
       4. Where the capability is available, agencies must perform the same type
          of vulnerability enumeration on mobile devices (e.g., iOS and Android)
          and other devices that reside outside of agency on-premises networks.
       5. All alternative asset discovery and vulnerability enumeration methods
          (e.g., for systems with specialized equipment or those unable to
          utilize privileged credentials) must be approved by CISA.
    3. Initiate automated ingestion of vulnerability enumeration results (i.e.,
       detected vulnerabilities) into the CDM Agency Dashboard within 72 hours
       of discovery completion (or initiation of a new discovery cycle if
       previous full discovery has not been completed).
    4. Develop and maintain the operational capability to initiate on-demand
       asset discovery and vulnerability enumeration to identify specific assets
       or subsets of vulnerabilities within 72 hours of receiving a request from
       CISA and provide the available results to CISA within 7 days of request.
       1. CISA understands that in some instances agencies may not be able to
          complete a full vulnerability discovery on the entire enterprise
          within this period. It is still necessary to initiate the enumeration
          process within this time period as any available results will provide
          CISA and agencies situational awareness in response to imminent
          threats.
 2. Within 6 months of CISA publishing requirements for vulnerability
    enumeration performance data, all FCEB agencies are required to initiate the
    collection and reporting of vulnerability enumeration performance data, as
    relevant to this directive, to the CDM Dashboard. This data will allow for
    CISA to automate oversight and monitoring of agency scanning performance
    including the measurement of scanning cadence, rigor, and completeness.
 3. By April 3, 2023, agencies and CISA, through the CDM program, will deploy an
    updated CDM Dashboard configuration that enables access to object-level
    vulnerability enumeration data for CISA analysts, as authorized in
    the Executive Order on Improving the Nation’s Cybersecurity.  


REPORTING REQUIREMENTS AND METRICS

 1. Six, twelve, and eighteen months after the issuance, FCEB agencies will
    either:
    
    (1) Provide CISA (through a reporting interface in CyberScope) a progress
    report to include any obstacles, dependencies, or other issues that may
    prevent them from meeting the directive requirements and expected completion
    dates, OR
    
    (2) Work with CISA through the CDM program review process outlined in OMB
    M-22-05, or superseding guidance, to identify and resolve gaps or issues
    that prevent full operationalization of asset management capabilities,
    including those requirements in this directive.


CISA ACTIONS

 1. Within 6 months of issuance, CISA will publish data requirements for
    agencies to provide machine-level vulnerability enumeration performance data
    in a common data schema.
 2. Within 18 months of issuance, CISA will review this directive to ensure the
    requirements remain relevant to the cybersecurity landscape.
 3. Annually, by the end of each fiscal year, CISA will provide a status report
    to the Secretary of Homeland Security, the Director of OMB, and the National
    Cyber Director identifying cross-agency status, agency asset discovery and
    vulnerability management performance indicators, and outstanding issues in
    implementation of this Directive (scanning performance monitoring data,
    including the measurement of scanning cadence, rigor, and completeness).
    Additionally, CISA will report quarterly progress to OMB.
 4. CISA will monitor agency compliance with this Directive and will provide
    assistance upon request to support agency implementation.


IMPLEMENTATION GUIDANCE

The purpose of the Implementation Guidance document is to help federal agencies
interpret and implement CISA’s Binding Operational Directive (BOD) 23-01. While
the primary audience for this document is Federal Civilian Executive Branch
(FCEB) agencies, other entities may find the content useful. At a minimum, CISA
expects FCEB agencies to meet or exceed the guidance in this document. The
guidance seeks to answer the most common questions asked by federal agencies.
CISA will update this document with commonly asked questions and as new
information becomes available.


RESOURCES AND CONTACT INFORMATION

General information, assistance, and reporting
– cyberdirectives@cisa.dhs.gov.



RELATED DIRECTIVES

 * Jun 13, 2023 – BOD 23-02: IMPLEMENTATION GUIDANCE FOR MITIGATING THE RISK
   FROM INTERNET-EXPOSED MANAGEMENT INTERFACES
 * Jun 13, 2023 – BOD 23-02: MITIGATING THE RISK FROM INTERNET-EXPOSED
   MANAGEMENT INTERFACES
 * Oct 03, 2022 – BOD 23-01: IMPLEMENTATION GUIDANCE FOR IMPROVING ASSET
   VISIBILITY AND VULNERABILITY DETECTION ON FEDERAL NETWORKS
 * Nov 03, 2021 – BOD 22-01: REDUCING THE SIGNIFICANT RISK OF KNOWN EXPLOITED
   VULNERABILITIES
