Earlier this month, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 23-01, which focuses on "Improving Asset Visibility and Vulnerability Detection" on Federal Networks. The directive sets baseline requirements for federal civilian executive branch (FCEB) agencies, mandating them to better account for what resides on their networks. As CISA director Jen Easterly explained, "Threat actors continue to target our nation's critical infrastructure and government networks to exploit weaknesses within unknown, unprotected, or under-protected assets… Knowing what's on your network is the first step for any organization to reduce risk".
The directive focuses on two critical aspects of cybersecurity posture. The first is Asset Discovery, the activity "through which an organization identifies what network addressable IP-assets reside on their networks and identifies the associated IP addresses."
The second aspect is Vulnerability Enumeration, which identifies and reports suspected vulnerabilities on those assets. It also attempts to identify outdated software versions, missing updates, and misconfigurations. The process should then match findings with information on known vulnerabilities to map an asset's vulnerability posture.
CISA's directive is mandatory for all Federal Civilian Executive Branch (FCEB) agencies, such as the Department of Justice and the Department of State (for the list of affected agencies, see here). The directive also applies to any entity or enterprise acting on behalf of an FCEB agency that "collects, processes, stores, transmits, disseminates, or otherwise maintains agency information." Among the requirements set by the directive, effective April 3, 2023, all FCEB agencies are ordered to implement the following actions:
- Perform automated asset discovery every seven days.
- Initiate vulnerability enumeration across all discovered assets every 14 days.
- Send their vulnerability enumeration results (i.e., detected vulnerabilities) to the CDM (Continuous Diagnostics and Mitigation) Agency dashboard within 72 hours of discovery completion.
Should I care if I am not a federal civilian executive branch agency?
Although BOD 23-01 is mandatory only for FCEB agencies, CISA recommends that all organizations review this directive and adopt its guidance to strengthen asset management and vulnerability detection practices within their networks - and enhance their organization's cyber resilience.
Are the requirements described in the new directive enough to secure my cyber resilience?
The standards outlined in BOD 23-01 constitute the baseline, basic minimum requirements for developing a robust and comprehensive cybersecurity program. However, CISA clearly states that these requirements "are not sufficient for comprehensive, modern cyber defense operations," explaining that the directive signifies the first step "to make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities."
The growing volume of digital assets, rapidly expanding attack surface, and the concurrent evolution of cyber threats from nation-states and the cybercriminal underground have contributed to an escalation in the number of cyber incidents in the last 12 months. CISA has been taking several steps to address the growing challenges faced by enterprises as they endeavor to build an efficient and effective cybersecurity program to counter these concerning trends.
For example, earlier this year, CISA issued Binding Operational Directive (BOD) 22-01, aimed at driving urgent and prioritized remediation of vulnerabilities exploited by adversaries. The directive established a CISA-managed catalog of known exploited CVEs that carry significant risk to the federal enterprise. It also requires federal agencies to remediate any new vulnerabilities added to this catalog within a short timeframe, with deadlines sometimes as short as two weeks.
CISA's directives and advisories establish the basic framework for enterprises (private, public, and federal) to build their vulnerability management program and strengthen their cybersecurity posture. However, CISA's requirements outline only the first foundational components within a practical, proactive approach to prioritize and defend against emerging threats. By combining the directive's tenets of asset discovery and vulnerability detection with context-rich vulnerability exploit intelligence and accurate assessments of risk & urgency, organizations will be best equipped to prioritize and defend against vulnerability exposures.
How Cybersixgill can help you meet the directive's requirements and build a resilient vulnerability management program
Cybersixgill's Dynamic Vulnerability Exploit (DVE) Intelligence provides an end-to-end solution to support every stage of the threat exposure lifecycle. The technology is capable of asset inventory provisioning, automated CPE-CVE matching, MITRE ATT&CK framework mapping, context enrichment, dynamic risk scores, and interlinked remediation information. In addition, DVE Intelligence aligns with the critical requirements of CISA's binding operational directive, empowering federal agencies to achieve compliance with a single, consolidated solution.
DVE Intelligence helps you meet the directive's requirements through the following functions.
Automatic & manual scoping of the organizational attack surface:
We enable customers to effectively discover and manage their digital assets, supporting both manual input of asset inventories and automatic provisioning through integrations with internal and external attack surface scanning tools. Our technology allows customers to efficiently identify and scope the specific assets, CPEs, and CVEs that pose the most significant risk to their organization.
Continuous CPE-CVE matching to provide holistic visibility into organizational threat exposure vis-a-vis discovered vulnerabilities & assets:
We continuously match your discovered organizational assets and specific product versions (CPEs) to discovered vulnerabilities (CVEs), identifying exposed assets in your environment and alerting teams to the particular CVEs that directly expose your systems to attack. DVE aggregates CPE data from multiple sources, automating the CPE-to-CVE matching process with high-fidelity data to deliver the most accurate results.
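The CPE-to-CVE matching described above, shown as an added illustrative Python script; this is not Cybersixgill's DVE code. It assumes a constructed host inventory of CPE 2.3 strings and a constructed vulnerability feed whose affected-version ranges follow the shape of NVD's versionStartIncluding / versionEndExcluding / versionEndIncluding fields; the vendor, product and CVE identifiers are placeholders. It also handles the common edge case where an inventory entry carries no version (`*`), reporting it as a low-confidence finding instead of dropping it.

```python
"""Illustrative CPE 2.3 -> CVE matching over an asset inventory.

Added example, not Cybersixgill's DVE code. The inventory, the vendor/product
names and the CVE identifiers below are all constructed placeholders; the
affected-version ranges follow the shape of NVD's versionStartIncluding /
versionEndExcluding / versionEndIncluding fields.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CPE:
    part: str      # 'a' application, 'o' operating system, 'h' hardware
    vendor: str
    product: str
    version: str   # '*' (ANY) or '-' (NA) mean the version is not known


def parse_cpe23(cpe: str) -> CPE:
    """Split a CPE 2.3 formatted string into its 13 components, honouring '\\:' escapes."""
    fields, cur, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):      # escaped character: keep it literally
            cur.append(cpe[i + 1])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return CPE(part=fields[2], vendor=fields[3], product=fields[4], version=fields[5])


def version_key(v: str) -> list[tuple[int, object]]:
    """Sort key: numeric dot-components compare as integers, anything else as text."""
    key = []
    for piece in v.split("."):
        try:
            key.append((0, int(piece)))
        except ValueError:
            key.append((1, piece))
    return key


@dataclass(frozen=True)
class Affected:
    """One 'affected product' record from the (constructed) vulnerability feed."""
    cve: str
    vendor: str
    product: str
    start_incl: Optional[str] = None
    end_excl: Optional[str] = None
    end_incl: Optional[str] = None


def affects(a: Affected, cpe: CPE) -> Optional[str]:
    """Return a confidence label if record `a` applies to `cpe`, else None."""
    if (a.vendor, a.product) != (cpe.vendor, cpe.product):
        return None
    if cpe.version in ("*", "-"):
        # Product matches but the inventory carries no version: surface it as a
        # low-confidence finding rather than silently dropping it.
        return "version-unknown"
    v = version_key(cpe.version)
    if a.start_incl is not None and v < version_key(a.start_incl):
        return None
    if a.end_excl is not None and v >= version_key(a.end_excl):
        return None
    if a.end_incl is not None and v > version_key(a.end_incl):
        return None
    return "version-match"


def match_inventory(inventory: dict[str, list[str]],
                    feed: list[Affected]) -> list[tuple[str, str, str, str]]:
    """Return (host, cpe, cve, confidence) for every feed record that applies to a host's CPEs."""
    findings = []
    for host, cpes in inventory.items():
        for raw in cpes:
            cpe = parse_cpe23(raw)
            for a in feed:
                confidence = affects(a, cpe)
                if confidence is not None:
                    findings.append((host, raw, a.cve, confidence))
    return findings


# Constructed sample inventory (host -> CPEs) and constructed feed with placeholder CVE ids.
INVENTORY = {
    "10.0.0.11": ["cpe:2.3:a:examplecorp:webgateway:4.2.1:*:*:*:*:*:*:*",
                  "cpe:2.3:o:examplecorp:gw_os:2.0:*:*:*:*:*:*:*"],
    "10.0.0.12": ["cpe:2.3:a:examplecorp:webgateway:4.3.0:*:*:*:*:*:*:*"],
    "10.0.0.13": ["cpe:2.3:a:examplecorp:webgateway:*:*:*:*:*:*:*:*"],
}
FEED = [
    Affected("CVE-0000-0001", "examplecorp", "webgateway", start_incl="4.0", end_excl="4.3.0"),
    Affected("CVE-0000-0002", "examplecorp", "gw_os", end_incl="1.9"),
]

if __name__ == "__main__":
    for host, cpe, cve, confidence in match_inventory(INVENTORY, FEED):
        print(f"{host}  {cve}  {confidence}  {cpe}")
```

Two design points carry over to a real deployment: the version comparison must not be plain string comparison (4.10 would otherwise sort before 4.9), and an inventory entry without a version should never be treated as "not vulnerable"; it is a data-quality gap in asset discovery that the report should make visible.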
Rich contextual insight into threats targeting your organization:
We continuously monitor your discovered assets, alerting you to mentions by cybercriminal threat actors across the deep, dark and clear web. Additionally, DVE provides customers unrestricted access to our complete body of collected intelligence relating to each CVE, enriched with critical contextual insights into the nature, source, and urgency of each threat - by which threat actor, on which site, and when.
Identification and prioritization of the vulnerabilities posing the most significant risk to your organization:
DVE is powered by the largest and most comprehensive collection of threat intelligence from the deep, dark and clear web, enriching each CVE with critical context and unparalleled insight into the adversarial mindset. Through advanced AI analysis of underground cybercriminal discourse attributed to each CVE, DVE extracts vital intel reflecting threat actors' intent, automatically mapping the vulnerability to adversary tactics and techniques defined in the MITRE ATT&CK framework with advanced precision. With this rich vulnerability & exploit intelligence, DVE's scoring engine predicts the likelihood of vulnerability exploitation over the next 90 days, empowering customers to confidently assess risk and prioritize vulnerability treatment in order of urgency in light of real-time threat intelligence.
By using Cybersixgill, organizations can continuously discover their assets to attain an updated and accurate asset inventory enriched with business context, understand how exposed their assets are, and prioritize patching the correct vulnerabilities instead of focusing on vulnerabilities that don't matter. DVE's real-time exposure and exploit intelligence are mined from the cybercriminal underground. As a result, it generates the most accurate assessment of exploitation probability, urgency, and impact. And it equips your team with the critical insight you need to focus your efforts on identifying and prioritizing the vulnerabilities that pose the most significant risks to your organization - before they can be exploited in an attack.