Binding Operational Directive 23-01 Implementation Guidance
IMPLEMENTATION GUIDANCE FOR CISA BINDING OPERATIONAL DIRECTIVE 23-01: IMPROVING ASSET VISIBILITY AND VULNERABILITY DETECTION ON FEDERAL NETWORKS
The purpose of this document is to help federal agencies interpret and implement CISA’s Binding Operational Directive (BOD) 23-01. While the primary audience for this document is Federal Civilian Executive Branch (FCEB) agencies, other entities may find the content useful. At a minimum, CISA expects FCEB agencies to meet or exceed the guidance in this document. The guidance seeks to answer the most common questions asked by federal agencies. CISA will update this document with commonly asked questions and as new information becomes available.
Vulnerability enumeration performance data – Otherwise referred to as scanning logs, vulnerability enumeration performance data describes datapoints or measurements that provide visibility on the level of performance relative to the requirements in this directive, using automation and machine-level data (e.g., logs/events indicating successful credentialed enumeration completion, date/timestamps surrounding enumeration activities, and signature/plug-in update date/timestamps). Data requirements to satisfy this objective will be published in a common data schema and made available to every Federal agency.
Vulnerability enumeration – A technique to list host attributes (e.g., operating systems, applications, and open ports) and associated vulnerabilities. Vulnerability enumeration typically requires privileged access to gain full visibility at the application and configuration levels.
Privileged credentials – A local or network account or a process with sufficient access to enumerate system configurations and software components across an entire asset. Administrators must apply the principle of least privilege and/or separation of duties on the accounts used for vulnerability enumeration. Poisoning and machine-in-the-middle type attacks commonly target accounts with elevated privileges, including those used for vulnerability enumeration.
Roaming devices – Devices that leave an agency’s on-premises networks, connect to other private networks, and directly access the public internet.
Nomadic devices – Devices that permanently reside outside of agency networks.
Frequently Asked Questions
Q: What is the scope of this directive? Which devices specifically need to be scanned?
A: This directive applies to all IP-addressable networked assets that can be reached over IPv4 and IPv6 protocols. An IP-addressable networked asset is defined as any reportable (i.e., non-ephemeral) information technology or operational technology asset that is assigned an IPv4 or IPv6 address and accessible over IPv4 or IPv6 networks, regardless of the environment in which it operates. The scope includes, but is not limited to, servers and workstations, virtual machines, routers and switches, firewalls, network appliances, and network printers — whether in on-premises, roaming, or cloud-operated deployment models. The scope excludes ephemeral assets such as containers and third-party managed software as a service (SaaS) solutions.
Q: How does the pre-existing requirement to perform endpoint detection and response (EDR) differ from the requirements of this BOD? To what extent does EDR address asset visibility needs?
A: Asset visibility is a prerequisite for determining where to deploy EDR. While most EDR tools do not provide vulnerability information, the directive gives agencies the flexibility to use any tool that provides credential or client-level vulnerability information. If an agency deploys EDR tools that can provide vulnerability information, those tools can be used in place of a client-based scanner.
Q: This BOD uses the term “networked assets.” Does that imply cloud is out of scope?
A: Any non-ephemeral asset with an IP address is in scope, including applicable cloud assets. Many cloud use cases are unique. Many agencies have SaaS instances where agencies are unable to run their own scans. In the case of traditional data center collocations, infrastructure as a service (IaaS), and in some cases platform as a service (PaaS), all assets with an IP address are in scope. The scope excludes ephemeral assets such as containers and third-party managed SaaS solutions.
Q: Why does the directive say “initiate scans” instead of “execute” or “complete scans”?
A: Sometimes, especially in large enterprises, vulnerability scans may not be complete within the 14-day timeframe required in the BOD. To overcome this issue, BOD 23-01 requires agencies to initiate a new scan every 14 days regardless of whether the previous scan has completed. Agencies are also required to feed available results for the previous scan three days after the new scan is initiated, even when the previous scan is not fully complete.
Q: What is the difference between “asset management” and “asset discovery”?
A: Asset management and asset discovery are two distinct activities that frequently go hand in hand. Asset management is the active monitoring and administration of endpoints using a centralized solution, such as unified endpoint management (UEM), mobile device management (MDM), or enterprise mobility management (EMM). Inventories from asset management solutions may be used to feed the information about agency assets into the results of a comprehensive asset discovery effort.
Asset discovery is the process of checking an IPv4 or IPv6 network for active and inactive hosts (e.g., networked assets) by using a variety of methods. The most common discovery methods include actively trying to communicate with all IP addresses in a range using a scan tool such as “nmap” (which is only feasible on smaller IPv4 based networks), or by passively monitoring traffic on the wire to detect activity from any new assets.
Asset discovery helps organizations find unmanaged assets that are present on the network to ensure they are brought under appropriate management. It also helps organizations identify networked devices, such as Internet of Things (IoT), that cannot be centrally managed. It is possible for an asset to fall off the management tool due to inactivity or other reasons, requiring it to be rediscovered.
Q: We offer public wireless access in conference rooms and lobbies. Are guest networks in scope?
A: Guest hosts are not in scope, provided the guest networks are physically segmented from agency networks.
Q: Are bring-your-own-device (BYOD) assets in scope?
A: Most federal agencies do not allow BYOD on enterprise networks. If they do, then BYOD devices are in scope. This does not apply to personally owned equipment that connects to federal networks via web interface (e.g., website visitors or remote users connecting via SSL remote access solutions).
Q: Are air-gapped networks in scope? It may not be possible to transfer a signature to air-gapped networks within 24 hours.
A: Many logically isolated networks and systems are incorrectly considered air-gapped. Any device, system, or network that is directly connected to the operating environment, or is connected to another system that is connected to the operating environment, is not considered air-gapped and is in scope for BOD 23-01. Only systems that are truly physically air-gapped are out of scope.
Q: Does the BOD include requirements for scanning software and configuration enumerations?
A: No, the BOD requirements address only basic (IP) asset discovery and vulnerability enumeration. The current BOD does not address hardware management, software management, or configuration management and associated controls. Note that some vulnerabilities due to misconfigurations and basic configurations may be captured by standard vulnerability scanners.
Q: Which cloud assets are in scope?
A: Agencies are responsible for the discovery and enumeration of networked assets under agency control, such as assets in authority-to-operate (ATO) inventories. Each cloud instance is unique, but in general, third-party hosting solutions where agencies still control physical or virtual hosts, such as infrastructure as a service, are within the scope of this directive.
Q: Are communications devices, such as IP telephony, VOIP phones, cameras, and unified communications peripherals in scope?
A: Yes, these devices are in scope. Adversaries have specifically targeted these devices as they are typically more difficult to harden.
For general information, assistance, and reporting, please contact firstname.lastname@example.org.