Binding Operational Directives

BOD 16-02: Threat to Network Infrastructure Devices

September 27, 2016
Related topics:
Cybersecurity Best Practices

This page contains a web-friendly version of the Department of Homeland Security’s Binding Operational Directive 16-02, “Threat to Network Infrastructure Devices”, and provides technical guidance to assist in its implementation.

A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.

The Department of Homeland Security (DHS) develops and oversees the implementation of binding operational directives pursuant to the Federal Information Security Modernization Act of 2014.

Federal agencies are required to comply with DHS-developed directives.

DHS binding operational directives do not apply to statutorily defined “National Security Systems” nor to certain systems operated by the Department of Defense or the Intelligence Community. Id. § 3553(d)-(e).

Background

For several years, network infrastructure devices have been the attack vector of choice for sophisticated hackers and advanced threat actors. The DHS/National Cybersecurity and Communications Integration Center (NCCIC) expects this trend to continue. Network infrastructure devices are the devices that transport the communications required for the data, applications, services, and multimedia that your agencies rely upon each and every day to fulfill their mission. As the security of desktop and laptop computers and servers has improved, based on our collective efforts to improve federal cybersecurity, our adversaries are adjusting their tactics, techniques, and procedures and have begun targeting network infrastructure devices.

Three particularly urgent issues require immediate attention across all impacted Federal agencies: hacking tools targeting firewalls, Cisco Adaptive Security Appliance, and Cisco ROM Monitor Integrity. If not addressed, impacts may include denial-of-service attacks, data theft, and the altering of data, all of which can be accomplished much more effectively and in a more subtle and targeted manner from compromised network infrastructure, and can impede workforce productivity and the ability to execute your agency’s mission.

We have witnessed our adversaries attempting to take advantage of these vulnerabilities to exploit Federal agency networks. We anticipate that our adversaries will continue to try to take advantage of these vulnerabilities, as well as vulnerabilities we have yet to identify. To help combat this exigent threat, and to adapt to the threat environment your agencies should expect to face moving forward, my Department has provided a series of mitigation steps and best practices to ensure your agency is as protected as possible. The NCCIC has published Analysis Report AR-16-20173 and associated Technical Annexes, which address all three of these issues. The NCCIC has also deployed signatures in the EINSTEIN system to detect suspicious activity related to these exploitation tools and vulnerabilities, to help protect the Federal civilian executive branch. The NCCIC will continue to analyze information for additional mitigation steps to protect our Federal networks and will develop Technical Annexes in the future under this directive as necessary.

Regardless of their generic common vulnerability score, the vulnerabilities identified in AR-16-20173 and associated Technical Annexes are now deemed critical for purposes of Binding Operational Directive 15-01 (issued May 2015). When these vulnerabilities are found on external-facing systems they will also be flagged in each agency's BOD 15-01 scorecard report.

Required Actions

  • Perform all actions in the “Solution” sections of the “Technical Annexes” to the NCCIC Analysis Report AR-16-20173 no later than 45 days after issuance of this Directive.[1]

  • Report to DHS, through the OMB MAX Connect Portal, either full mitigation or provide a detailed plan of action and milestones explaining the constraints preventing mitigation and the associated compensating controls established no later than 45 days after issuance of this Directive.

  • Provide additional reports or plans of action and milestones every 30 days thereafter until full mitigation is achieved.

Progress Tracking

If an agency does not comply with the requirements of this directive, DHS will follow up with each Deputy Secretary or equivalent, as appropriate.

[1] Agencies must comply with the deadline timeframe referenced in the “Required Actions” of this directive for any future Technical Annexes of NCCIC Analysis Report AR-16-20173, triggered on the date of issuance of each additional Technical Annex.
