Heimdal

On June 13, 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 23-02, which requires federal civilian agencies to secure networked management interfaces that are exposed to the Internet.

Federal civilian executive branch (FCEB) agencies have 14 days to remediate each such interface once they discover it or are notified of it by CISA.

BOD 23-02 covers routers, firewalls, proxies, load balancers, and other networked devices whose management interfaces are reachable from the Internet. The management interface is the channel through which authorized administrators configure and operate the device; it is meant for administrators only and should not be reachable from the public Internet.

The Directive requires federal civilian executive branch (FCEB) agencies to take steps to reduce their attack surface created by insecure or misconfigured management interfaces across certain classes of devices.

CISA said

What Measures Agencies Can Take

If an agency is notified by CISA of, or itself discovers, a networked management interface within the scope of BOD 23-02, it has 14 days to remediate it.

The directive accepts two remediations:

  • Place the interface behind a policy enforcement point separate from the interface itself, as part of a Zero Trust architecture, so that access control is enforced before traffic ever reaches the device (the preferred option).
  • Remove the interface from the Internet entirely by making it reachable only from the internal enterprise network; CISA recommends an isolated, dedicated management network for this.

Agencies must be prepared to remove identified networked management interfaces from exposure to the internet, or protect them with Zero-Trust capabilities that implement a policy enforcement point separate from the interface itself.

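The two remediation options above translate directly into a check an agency can run over its own inventory before CISA's scans do. The following is an added example, not CISA's scanner or reporting interface: it assumes a constructed inventory format (listening address, the ACL in front of the service, whether access is brokered by a separate policy enforcement point, and the discovery date), assumed internal and management network ranges, and sample devices with RFC 5737 documentation addresses. For each interface it applies the directive's options in order (PEP-brokered access first, then internal-only reachability), flags anything else as exposed, and computes the 14-day deadline.

```python
"""Triage of networked management interfaces against the two BOD 23-02
remediation options.  Added example, not CISA tooling.  The inventory layout,
the network ranges, and the sample devices are all constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from ipaddress import ip_network

# Assumed definition of "internal enterprise network" for this organisation.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]
# Assumed isolated management network, the placement CISA recommends.
MANAGEMENT_NETWORK = ip_network("10.250.0.0/16")
# BOD 23-02: 14 days from discovery or CISA notification.
REMEDIATION_WINDOW = timedelta(days=14)


@dataclass
class MgmtInterface:
    host: str
    service: str                 # ssh, https, ipmi, ...
    address: str                 # address the management service listens on
    port: int
    allowed_sources: list[str] = field(default_factory=list)  # ACL in front of it; empty = unfiltered
    behind_pep: bool = False     # reachable only through a separate policy enforcement point
    discovered: date = date(2023, 6, 13)


def _within(source: str, container) -> bool:
    """True if the ACL source range lies entirely inside `container`."""
    net = ip_network(source, strict=False)
    return net.version == container.version and net.subnet_of(container)


def classify(iface: MgmtInterface, today: date) -> dict:
    """Apply the directive's options in order: PEP-brokered access (preferred),
    then internal-only reachability; anything else is an exposed interface."""
    deadline = iface.discovered + REMEDIATION_WINDOW
    verdict = {"host": iface.host, "service": iface.service, "port": iface.port,
               "deadline": deadline.isoformat(), "compliant": True, "finding": ""}
    if iface.behind_pep:
        verdict["finding"] = "access brokered by a separate policy enforcement point (preferred)"
    elif not iface.allowed_sources:
        verdict["compliant"] = False
        verdict["finding"] = "no source restriction: reachable from any network"
    else:
        external = [s for s in iface.allowed_sources
                    if not any(_within(s, n) for n in INTERNAL_NETWORKS)]
        if external:
            # One permissive rule (e.g. 0.0.0.0/0) is enough to keep the interface exposed.
            verdict["compliant"] = False
            verdict["finding"] = "admits non-internal sources: " + ", ".join(external)
        elif all(_within(s, MANAGEMENT_NETWORK) for s in iface.allowed_sources):
            verdict["finding"] = "internal-only, limited to the isolated management network (recommended)"
        else:
            verdict["finding"] = "internal-only, but not limited to an isolated management network"
    verdict["overdue"] = (not verdict["compliant"]) and today > deadline
    return verdict


# Constructed sample inventory; addresses are from the RFC 5737 documentation range.
INVENTORY = [
    MgmtInterface("edge-fw-01", "https", "192.0.2.10", 443),                    # unfiltered
    MgmtInterface("core-rtr-02", "ssh", "192.0.2.20", 22, ["10.250.1.0/24"]),  # mgmt network only
    MgmtInterface("lb-03", "https", "192.0.2.30", 8443, ["10.0.0.0/8"]),       # internal, not isolated
    MgmtInterface("bmc-04", "ipmi", "192.0.2.40", 623, ["0.0.0.0/0"]),         # "permit any" rule
    MgmtInterface("proxy-05", "ssh", "192.0.2.50", 22, behind_pep=True),       # zero-trust broker
]


def report(today_iso: str = "2023-07-01") -> list[dict]:
    """Verdict for every inventoried interface as of the given date."""
    return [classify(i, date.fromisoformat(today_iso)) for i in INVENTORY]


def noncompliant(today_iso: str = "2023-07-01") -> list[str]:
    """Hosts that still need remediation or a remediation plan filed with CISA."""
    return [v["host"] for v in report(today_iso) if not v["compliant"]]


if __name__ == "__main__":
    for v in report():
        flag = "OVERDUE" if v["overdue"] else ("ok" if v["compliant"] else "due " + v["deadline"])
        print(f'{v["host"]:12} {v["service"]:5}/{v["port"]:<5} {flag:15} {v["finding"]}')
```

Note that the check treats an ACL as only as strong as its loosest rule: a device with a "permit any" entry alongside tighter ones is still exposed, which is exactly the kind of finding a CISA scan would surface. A device reachable only from the broader internal network passes, but the finding text records that it is not yet on the isolated management network CISA recommends.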

CISA will scan for devices and interfaces that fall within the directive's scope and notify the agencies concerned. It will also provide FCEB agencies with a reporting interface and remediation plan templates for cases in which the 14-day window cannot be met. Agencies can request assistance from CISA, including technical expertise, guidance, and verification of the status of particular devices.

CISA will also report on the implementation of BOD 23-02 to the Director of the Office of Management and Budget (OMB) and the Secretary of Homeland Security (DHS), first within six months and annually thereafter.

Finally, within two years CISA will review and update the directive to reflect changes in the cybersecurity landscape, together with the implementation guidance that helps agencies identify, monitor, and report on the networked management interfaces they operate.

Author Profile

Andreea Chebac

Digital Content Creator

Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content.