BOD 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces
This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces.
A Binding Operational Directive is a compulsory direction to federal executive branch departments and agencies for purposes of safeguarding federal information and information systems. 44 U.S.C. § 3552(b)(1). Section 3553(b)(2) of title 44, U.S. Code, authorizes the Secretary of the Department of Homeland Security (DHS) to develop and oversee the implementation of Binding Operational Directives. Federal agencies are required to comply with these Directives. 44 U.S.C. § 3554(a)(1)(B)(ii). These Directives do not apply to statutorily defined “national security systems” or to certain systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(b), (d), (e)(2), (e)(3). This Directive refers to the systems to which it applies as “Federal Civilian Executive Branch” systems, and to agencies operating those systems as “Federal Civilian Executive Branch” agencies.
Background
As agencies and organizations have gained better visibility of their networks and improved endpoint detection and response, threat actors have adjusted tactics to evade these protections by targeting network devices supporting the underlying network infrastructure. Recent threat campaigns underscore the grave risk to the federal enterprise posed by improperly configured network devices.
Threat actors have used certain classes of network devices to gain unrestricted access to organizational networks, leading to full-scale compromises. Inadequate security, misconfigurations, and out-of-date software make these devices more vulnerable to exploitation. The risk is further compounded if device management interfaces are connected directly to, and accessible from, the public-facing internet. Most device management interfaces are designed to be accessed from dedicated physical interfaces and/or management networks and are not meant to be reachable directly from the public internet.
This Directive requires agencies to take steps to reduce the attack surface created by insecure or misconfigured management interfaces across certain classes of devices.
Scope
For the purposes of this Directive, a “networked management interface” is defined as a dedicated device interface that is accessible over network protocols and is meant exclusively for authorized users to perform administrative activities on a device, a group of devices, or the network itself.
The requirements in this Directive apply only to devices meeting BOTH of the following criteria:
- Devices residing on or supporting federal information systems and/or networks that belong to one of the following classes: routers, switches, firewalls, VPN concentrators, proxies, load balancers, and out-of-band server management interfaces (such as iLO and iDRAC).
- Devices whose management interfaces use network protocols for remote management over the public internet, including, but not limited to: Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS), File Transfer Protocol (FTP), Simple Network Management Protocol (SNMP), Teletype Network (Telnet), Trivial File Transfer Protocol (TFTP), Remote Desktop Protocol (RDP), Remote Login (rlogin), Remote Shell (RSH), Secure Shell (SSH), Server Message Block (SMB), Virtual Network Computing (VNC), and X11 (X Window System).
This Directive does NOT apply to web applications and interfaces used for managing Cloud Service Provider (CSP) offerings including but not limited to, Application Programming Interfaces (APIs) or management portals.
Zero Trust Architecture
Zero Trust provides a collection of concepts and approaches designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services, recognizing that all networks must be viewed as potentially compromised. Zero Trust Architecture is an enterprise approach to design and implement component relationships, workflow planning, and access policies around Zero Trust concepts.
For the purposes of this Directive, as outlined in the required actions section below, networked management interfaces are allowed to remain accessible from the internet on networks where agencies employ capabilities to mediate all access to the interface in alignment with OMB M-22-09, NIST SP 800-207, the TIC 3.0 Capability Catalog, and CISA's Zero Trust Maturity Model.
Required Actions
All federal civilian executive-branch agencies are required to comply with the following actions for all federal information systems hosted by agencies or third parties on their behalf.
- Within 14 days of notification by CISA or discovery by an agency of a networked management interface in scope for this Directive, agencies will take at least one of the following actions:
  - Remove the interface from the internet by making it accessible only from an internal enterprise network (CISA recommends an isolated management network);
  - Deploy capabilities, as part of a Zero Trust Architecture, that enforce access control to the interface through a policy enforcement point separate from the interface itself (preferred action).
- Agencies will implement technical and/or management controls to ensure that all management interfaces on existing and newly added devices identified as in scope for this Directive have at least one of the following protections in place:
  - The interface is removed from the internet by making it accessible only from an internal enterprise network (CISA recommends an isolated management network);
  - The interface is protected by capabilities, as part of a Zero Trust Architecture, that enforce access control to the interface through a policy enforcement point separate from the interface itself (preferred action).
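As an added example, not part of the Directive or of CISA's guidance, the Python script below applies the two scope criteria and the CSP exclusion from the Scope section to a constructed scan inventory, separates findings already protected by a separate policy enforcement point, and computes the 14-day remediation deadline from the notification date. The device-class labels, the port-to-protocol mapping, the inventory and the notification date are this example's assumptions: the Directive lists protocols, not port numbers, so a service on a non-standard port is recognised only when the scanner identified the protocol, and otherwise is reported for manual review rather than silently dropped.

```python
"""Triage of internet-exposed management interfaces against the BOD 23-02
scope criteria. Constructed example: the inventory is made up, and the
port-to-protocol mapping is an assumption (the Directive lists protocols,
not port numbers)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Device classes named in the first scope criterion (labels are ours).
IN_SCOPE_DEVICE_CLASSES = {
    "router", "switch", "firewall", "vpn_concentrator", "proxy",
    "load_balancer", "oob_server_management",  # iLO, iDRAC and similar
}

# Management protocols named in the second criterion (the list there is
# "including, but not limited to", so extend as needed).
MANAGEMENT_PROTOCOLS = {
    "HTTP", "HTTPS", "FTP", "SNMP", "TELNET", "TFTP", "RDP",
    "RLOGIN", "RSH", "SSH", "SMB", "VNC", "X11",
}

# Conventional listening ports, used only when the scanner did not identify
# the service. Assumption of this example, not part of the Directive.
PROTOCOL_BY_PORT = {
    21: "FTP", 22: "SSH", 23: "TELNET", 69: "TFTP", 80: "HTTP", 161: "SNMP",
    443: "HTTPS", 445: "SMB", 513: "RLOGIN", 514: "RSH", 3389: "RDP",
    5900: "VNC", 6000: "X11",
}

REMEDIATION_WINDOW = timedelta(days=14)


@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    device_class: str
    reachable_from_internet: bool
    protocol: Optional[str] = None          # service name reported by the scanner
    is_csp_management_portal: bool = False  # CSP portals and APIs are excluded
    behind_separate_pep: bool = False       # ZTA policy enforcement point in front


def management_protocol(e: Exposure) -> Optional[str]:
    """Scanner-identified protocol first; fall back to the port heuristic.
    Unidentified services on non-standard ports return None."""
    name = (e.protocol or PROTOCOL_BY_PORT.get(e.port, "")).upper()
    return name if name in MANAGEMENT_PROTOCOLS else None


def is_in_scope(e: Exposure) -> bool:
    """Both criteria must hold and the CSP exclusion must not apply."""
    if e.is_csp_management_portal or e.device_class not in IN_SCOPE_DEVICE_CLASSES:
        return False
    return e.reachable_from_internet and management_protocol(e) is not None


def needs_remediation(e: Exposure) -> bool:
    """In scope and not already behind a separate policy enforcement point
    (the Directive's preferred protection)."""
    return is_in_scope(e) and not e.behind_separate_pep


def needs_review(exposures):
    """In-class, internet-reachable devices whose service the scanner could
    not identify: not flagged automatically, but not safe to ignore."""
    return [e.host for e in exposures
            if e.reachable_from_internet and not e.is_csp_management_portal
            and e.device_class in IN_SCOPE_DEVICE_CLASSES
            and management_protocol(e) is None]


def triage(exposures, notified_on: date):
    """Return the findings an agency must act on, with the 14-day deadline."""
    deadline = (notified_on + REMEDIATION_WINDOW).isoformat()
    return [
        {"host": e.host, "port": e.port, "protocol": management_protocol(e),
         "device_class": e.device_class, "remediate_by": deadline}
        for e in exposures if needs_remediation(e)
    ]


# Constructed inventory, shaped like an enriched external-scan export.
SAMPLE_EXPOSURES = [
    Exposure("fw-edge-01", 443, "firewall", True),
    Exposure("core-sw-02", 22, "switch", True),
    Exposure("srv-ilo-17", 443, "oob_server_management", True),
    Exposure("vpn-01", 443, "vpn_concentrator", True, behind_separate_pep=True),
    Exposure("cloud-console", 443, "proxy", True, is_csp_management_portal=True),
    Exposure("www-01", 443, "web_server", True),                # not a listed device class
    Exposure("core-sw-03", 22, "switch", False),                # internal only
    Exposure("rtr-01", 8080, "router", True, protocol="http"),  # non-standard port, identified
    Exposure("rtr-02", 8443, "router", True),                   # unidentified: needs review
]


def example_findings():
    # Constructed notification date for the example.
    return triage(SAMPLE_EXPOSURES, date(2023, 6, 13))


if __name__ == "__main__":
    for finding in example_findings():
        print(finding)
    print("needs review:", needs_review(SAMPLE_EXPOSURES))
```

The separation between `needs_remediation` and `needs_review` is the practical point: a port-only classifier would drop `rtr-02` entirely, while the Directive's scope turns on the protocol in use, not the port number, so anything in-class and reachable that the scanner could not fingerprint still has to be checked by hand.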
CISA Actions
- CISA will scan for devices and interfaces in scope of this Directive and notify agencies of all findings.
- CISA will provide federal agencies a reporting interface and standard remediation plan templates if remediation efforts exceed required timeframes.
- CISA will engage agencies to review status and provide technical expertise for hardening specific devices, as requested and as appropriate.
- CISA will engage Agency CIOs, CISOs, and SAORMs throughout the escalation process, if necessary.
- Within 2 years following the issuance of this Directive, CISA will review and update this Directive as needed to reflect changes in the general cybersecurity landscape and will revise guidance to help agencies better identify, track, and report the networked management interfaces they operate.
- CISA will provide additional guidance to agencies via the CISA website, through updates to this Directive, and through individual engagements upon request (via CyberDirectives@cisa.dhs.gov).
- Within 6 months of issuance and yearly thereafter, CISA will submit a report on the status of Federal Civilian Executive Branch (FCEB) agencies' compliance with this Directive to the Secretary of DHS and the Director of OMB.
Implementation Guidance
Binding Operational Directive 23-02 Implementation Guidance assists federal agencies with implementation of the Directive requirements. While the primary audience for this document is FCEB agencies, other entities may find the content useful. At a minimum, CISA expects FCEB agencies to meet or exceed the guidance in this document. The guidance seeks to answer the most common questions asked by federal agencies. CISA will update this document with commonly asked questions and as new information becomes available.
Resources and Contact Information
General information, assistance, and reporting – CyberDirectives@cisa.dhs.gov.