Press Release

CISA Directs Federal Agencies to Secure Internet-Exposed Management Interfaces

Released

Directive Establishes Core Security Actions to Reduce Cyber Risk to Federal Civilian Enterprise

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) today issued Binding Operational Directive (BOD) 23-02, Mitigating the Risk from Internet-Exposed Management Interfaces, which requires federal civilian agencies to remove specific networked management interfaces from the public-facing internet or implement Zero Trust Architecture capabilities that enforce access control to the interface within 14 days of discovery.

Recent threat campaigns underscore the grave risk to the federal enterprise posed by improperly configured network devices. As part of CISA and the broad U.S. government's effort to move the federal civilian enterprise to a more defensible posture, this Directive will further reduce the attack surface of the federal government networks.

“Too often, threat actors are able to use network devices to gain unrestricted access to organizational networks, in turn leading to full-scale compromise,” said CISA Director Jen Easterly. “Requiring appropriate controls and mitigations outlined in this Directive is an important step in reducing risk to the federal civilian enterprise. While this Directive only applies to federal civilian agencies, as the threat extends to every sector, we urge all organizations to adopt this guidance. When it comes to reducing cyber risk and ensuring resilience, we all have a role to play.”

As federal civilian agencies implement this mandate, CISA will monitor and support agency adherence and provide additional resources as required. CISA is committed to using its cybersecurity authorities to gain greater visibility and drive timely risk reduction across federal civilian agencies.

The new Directive can be found at Binding Operational Directive (BOD) 23-02.

 

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on TwitterFacebookLinkedIn, Instagram