The US Cybersecurity and Infrastructure Security Agency (CISA) has released a Binding Operational Directive (BOD) aimed at improving Federal Civilian Executive Branch (FCEB) agencies’ awareness of security vulnerabilities that may reside in their IT estates.
The BOD details its goals for building a sophisticated cyber defense in federal information systems. The guidelines further the US' sustained efforts in limiting federal agencies’ exposure to cyber attacks.
A catalog of Known Exploited Vulnerabilities (KEVs) that CISA began compiling back in November 2021 has been consistently updated and mandates FCEB agencies patch against a list of the most-exploited security vulnerabilities.
Cyber resiliency and end-user performance
Reduce risk and deliver greater business success with cyber-resilience capabilities
“Continuous and comprehensive asset visibility is a basic pre-condition for any organization to effectively manage cybersecurity risk,” the agency said in a public-facing notice.
“Accurate and up-to-date accounting of assets residing on federal networks is also critical for CISA to effectively manage cyber security for the FCEB enterprise.”
By April 3 2023, CISA will require all FCEB agencies to adhere to a number of mandatory cyber security practises such as initiating automated asset discovery every seven days, performing vulnerability enumeration across all discovered assets every 14 days, and uploading vulnerability enumeration results into the continuous diagnostics and mitigation (CDM) agency dashboard within 72 hours of discovery.
Agencies will also be required to initiate on-demand asset discovery and vulnerability enumeration within 72 hours of receiving a CISA request, providing available results within seven days.
The requirements do not apply to statutory national security systems, including certain systems operated by the Department of Defense or the intelligence community.
Per the White House cyber security executive order, federal agencies and CISA will deploy an updated CDM dashboard configuration that will enable analysts to access object-level vulnerability enumeration data by April 3 2023.
Underscoring CISA’s actions, the BOD stated that “within six months of issuance, the agency will publish data requirements for agencies to provide machine-level vulnerability enumeration performance data in a common data schema.”
FCEB agencies will be required to make a progress report at six, 12, and 18-month intervals detailing any dependencies that may prevent them from meeting the Directive's requirements.
