CISA Orders Federal Agencies to Regularly Track Network Assets and Vulnerabilities

CISA issues the Binding Operational Directive

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new Binding Operational Directive (BOD) that directs federal agencies in the country to keep track of assets and vulnerabilities in their networks six months from now.

To this end, Federal Civilian Executive Branch (FCEB) enterprises have been tasked with two sets of activities: asset discovery and vulnerability enumeration, which are seen as essential steps to gain “greater visibility into the risks facing federal civilian networks”.

This includes performing automated asset discovery every seven days and initiating vulnerability enumeration across those discovered assets every 14 days by April 3, 2023, in addition to having the capability to do so on demand within 72 hours of receiving a request from CISA.

Similar baseline vulnerability enumeration obligations are also in place for Android and iOS devices, as well as other devices that reside outside of the agency’s on-premises networks.

“Doing so will ensure asset management and vulnerability detection practices strengthen their organization’s cyber resilience,” CISA said, adding that it will help close gaps in the attack surface.

The purpose of BOD 23-01, it said, is to maintain an up-to-date inventory of networked assets, identify software vulnerabilities, track an agency’s asset coverage and vulnerability signatures, and share that information with CISA at specified intervals.

“Threat actors continue to target our nation’s critical infrastructure and government networks to exploit vulnerabilities within unknown, unprotected or underprotected assets,” CISA Director Jen Easterly said in a statement. “Knowing what’s on your network is the first step for any organization to reduce risk.”

While the directive is a mandate for federal civilian agencies, CISA is also recommending that all businesses, including private entities and state governments, review and implement rigorous asset and vulnerability management programs.
