BOD 23-01: Improving Asset Visibility and Vulnerability Detection on Federal Networks
This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 23-01 - Improving Asset Visibility and Vulnerability Detection on Federal Networks.
A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems. 44 U.S.C. § 3552(b)(1). Section 3553(b)(2) of title 44, U.S. Code, authorizes the Secretary of the Department of Homeland Security (DHS) to develop and oversee the implementation of binding operational directives. Federal agencies are required to comply with these directives. 44 U.S.C. § 3554(a)(1)(B)(ii). These directives do not apply to statutorily defined “national security systems” or to certain systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(b), (d), (e)(2), (e)(3). This directive refers to the systems to which it applies as “Federal Civilian Executive Branch” systems, and to agencies operating those systems as “Federal Civilian Executive Branch” agencies.
Background
Continuous and comprehensive asset visibility is a basic pre-condition for any organization to effectively manage cybersecurity risk. Accurate and up-to-date accounting of assets residing on federal networks is also critical for CISA to effectively manage cybersecurity for the Federal Civilian Executive Branch (FCEB) enterprise.
The purpose of this Binding Operational Directive is to make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities. While the requirements in this Directive are not sufficient for comprehensive, modern cyber defense operations, they are an important step to address current visibility challenges at the component, agency, and FCEB enterprise level. The requirements of this Directive focus on two core activities essential to improving operational visibility for a successful cybersecurity program: asset discovery and vulnerability enumeration.
- Asset discovery is a building block of operational visibility, and it is defined as an activity through which an organization identifies what network addressable IP-assets reside on their networks and identifies the associated IP addresses (hosts). Asset discovery is non-intrusive and usually does not require special logical access privileges.
- Vulnerability enumeration identifies and reports suspected vulnerabilities on those assets. It detects host attributes (e.g., operating systems, applications, open ports, etc.), and attempts to identify outdated software versions, missing updates, and misconfigurations. It validates compliance with or deviations from security policies by identifying host attributes and matching them with information on known vulnerabilities. Understanding an asset's vulnerability posture is dependent on having appropriate privileges, which can be achieved through credentialed network-based scans or a client installed on the host endpoint.
Discovery of assets and vulnerabilities can be achieved through a variety of means, including active scanning, passive flow monitoring, querying logs, or in the case of software defined infrastructure, API query. Many agencies' existing Continuous Diagnostics and Mitigation (CDM) implementations leverage such means to make progress toward intended levels of visibility. Asset visibility is not an end in itself, but is necessary for updates, configuration management, and other security and lifecycle management activities that significantly reduce cybersecurity risk, along with exigent activities like vulnerability remediation. The goal of this Directive is for agencies to comprehensively achieve the following outcomes without prescribing how to do so:
- Maintain an up-to-date inventory of networked assets as defined in the scope of this directive;
- Identify software vulnerabilities, using privileged or client-based means where technically feasible;
- Track how often the agency enumerates its assets, what coverage of its assets it achieves, and how current its vulnerability signatures are; and
- Provide asset and vulnerability information to CISA's CDM Federal Dashboard.
Agencies may request CISA's assistance in conducting an engineering survey to baseline current asset management capabilities. CISA will work with requesting agencies to provide technical and program assistance to resolve gaps, optimize scanning, and support achieving the required actions in this Directive.
This Directive's requirements advance the priorities set forth in the Executive Order 14028 on Improving the Nation's Cybersecurity, specifically Sec. 7 (Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks), and provide operational clarity in achieving policy set forth in previous OMB Memoranda, including M-21-02, M-22-05, and M-22-09. Compliance with this Directive also supports BOD 22-01, Managing Unacceptable Risk Vulnerabilities in Federal Enterprise, as it will enable agencies to enhance the management of known exploited vulnerabilities that can be detected using automated tools.
Scope
These required actions apply to any FCEB unclassified federal information system, including any federal information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.
This Directive applies to all IP-addressable networked assets that can be reached over IPv4 and IPv6 protocols. For the purpose of this directive, an IP-addressable networked asset is defined as any reportable (i.e., non-ephemeral) information technology or operational technology asset that is assigned an IPv4 or IPv6 address and accessible over IPv4 or IPv6 networks, regardless of the environment it operates in. The scope includes, but is not limited to, servers and workstations, virtual machines, routers and switches, firewalls, network appliances, and network printers — whether in on-premises, roaming, and cloud operated deployment models. The scope excludes ephemeral assets, such as containers and third-party-managed software as a service (SaaS) solutions.
Required Actions
- By April 3, 2023, all FCEB agencies are required to take the following actions on all federal information systems in scope of this directive:
  - Perform automated asset discovery every 7 days. While many methods and technologies can be used to accomplish this task, at minimum this discovery must cover the entire IPv4 space used by the agency.
  - Initiate vulnerability enumeration across all discovered assets, including all discovered nomadic/roaming devices (e.g., laptops), every 14 days.
    - CISA understands that in some instances achieving full vulnerability discovery on the entire enterprise may not complete in 14 days. Enumeration processes should still be initiated at regular intervals to ensure all systems within the enterprise are scanned on a regular cadence within this window.
    - To the maximum extent possible and where available technologies support it, all vulnerability enumeration performed on managed endpoints (e.g., servers, workstations, desktops, laptops) and managed network devices (e.g., routers, switches, firewalls) must be conducted with privileged credentials (for the purpose of this directive, both network-based credentialed scans and client- or agent-based vulnerability detection methods are viewed as meeting this requirement).
    - All vulnerability detection signatures used must be updated at an interval no greater than 24 hours from the last vendor-released signature update.
    - Where the capability is available, agencies must perform the same type of vulnerability enumeration on mobile devices (e.g., iOS and Android) and other devices that reside outside of agency on-premises networks.
    - All alternative asset discovery and vulnerability enumeration methods (e.g., for systems with specialized equipment or those unable to utilize privileged credentials) must be approved by CISA.
  - Initiate automated ingestion of vulnerability enumeration results (i.e., detected vulnerabilities) into the CDM Agency Dashboard within 72 hours of discovery completion (or initiation of a new discovery cycle if previous full discovery has not been completed).
  - Develop and maintain the operational capability to initiate on-demand asset discovery and vulnerability enumeration to identify specific assets or subsets of vulnerabilities within 72 hours of receiving a request from CISA and provide the available results to CISA within 7 days of request.
    - CISA understands that in some instances agencies may not be able to complete a full vulnerability discovery on the entire enterprise within this period. It is still necessary to initiate the enumeration process within this time period as any available results will provide CISA and agencies situational awareness in response to imminent threats.
- Within 6 months of CISA publishing requirements for vulnerability enumeration performance data, all FCEB agencies are required to initiate the collection and reporting of vulnerability enumeration performance data, as relevant to this directive, to the CDM Dashboard. This data will allow for CISA to automate oversight and monitoring of agency scanning performance including the measurement of scanning cadence, rigor, and completeness.
- By April 3, 2023, agencies and CISA, through the CDM program, will deploy an updated CDM Dashboard configuration that enables access to object-level vulnerability enumeration data for CISA analysts, as authorized in the Executive Order on Improving the Nation’s Cybersecurity.
Reporting Requirements and Metrics
- Six, twelve, and eighteen months after the issuance, FCEB agencies will either:
  (1) Provide CISA (through a reporting interface in CyberScope) a progress report to include any obstacles, dependencies, or other issues that may prevent them from meeting the directive requirements and expected completion dates, OR
  (2) Work with CISA through the CDM program review process outlined in OMB M-22-05, or superseding guidance, to identify and resolve gaps or issues that prevent full operationalization of asset management capabilities, including those requirements in this directive.
CISA Actions
- Within 6 months of issuance, CISA will publish data requirements for agencies to provide machine-level vulnerability enumeration performance data in a common data schema.
- Within 18 months of issuance, CISA will review this directive to ensure the requirements remain relevant to the cybersecurity landscape.
- Annually, by the end of each fiscal year, CISA will provide a status report to the Secretary of Homeland Security, the Director of OMB, and the National Cyber Director identifying cross-agency status, agency asset discovery and vulnerability management performance indicators, and outstanding issues in implementation of this Directive (scanning performance monitoring data, including the measurement of scanning cadence, rigor, and completeness). Additionally, CISA will report quarterly progress to OMB.
- CISA will monitor agency compliance with this Directive and will provide assistance upon request to support agency implementation.
Implementation Guidance
The purpose of the Implementation Guidance document is to help federal agencies interpret and implement CISA’s Binding Operational Directive (BOD) 23-01. While the primary audience for this document is Federal Civilian Executive Branch (FCEB) agencies, other entities may find the content useful. At a minimum, CISA expects FCEB agencies to meet or exceed the guidance in this document. The guidance seeks to answer the most common questions asked by federal agencies. CISA will update this document with commonly asked questions and as new information becomes available.
Resources and Contact Information
General information, assistance, and reporting – cyberdirectives@cisa.dhs.gov.