How Tenable Helps Federal Agencies Meet CISA’s Binding Operational Directive 23-01
Here's how to leverage Tenable solutions to achieve compliance with BOD 23-01 from the Cybersecurity and Infrastructure Security Agency (CISA).
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently released Binding Operational Directive (BOD) 23-01. A BOD is a compulsory direction to U.S. federal, executive branch departments and agencies for purposes of safeguarding federal information and information systems. U.S. federal agencies are required to comply with these directives.
BOD 23-01 mandates continuous and comprehensive asset visibility, focusing on two core activities that are essential to maintaining a successful cybersecurity program:
- Asset discovery
- Vulnerability enumeration
According to BOD 23-01, "Continuous and comprehensive asset visibility is a basic pre-condition for any organization to effectively manage cybersecurity risk. Accurate and up-to-date accounting of assets residing on federal networks is also critical for CISA to effectively manage cybersecurity for the Federal Civilian Executive Branch (FCEB) enterprise."
This directive applies to all IP-addressable networked assets that can be reached over IPv4 and IPv6 protocols. It builds on BOD 22-01 and outlines new requirements for cloud assets, IPV6 address space, and operational technology (OT) in an effort to reduce cyber risk.
Asset discovery and vulnerability enumeration
If you don't know an asset exists, you can't scan it for vulnerabilities. The BOD states: "Asset discovery is a building block of operational visibility." Specifically, the BOD defines asset discovery as "the process of checking an IPv4 or IPv6 network for active and inactive hosts (e.g., networked assets) by using a variety of methods."
The most common discovery methods are:
- Active scanning to communicate with all IP addresses
- Passive scanning to monitor traffic and detect activity from any new assets
- External attack surface management for internet-facing asset identification
Once assets are discovered, vulnerability enumeration identifies and reports suspected vulnerabilities on those assets. Potential vulnerabilities often arise from outdated software versions, missing updates and misconfigurations. To fully understand the vulnerability posture of an asset, agencies should utilize network-based credentialed scans or install a client on the host endpoint.
To meet citizens' needs, federal agencies are embracing digital technologies, including mobile, internet of things (IoT) and cloud, trends that increase the number and variety of asset types in their environments. To combat new threats and the expanding attack surface, a flurry of new solutions have emerged causing an evolution in vulnerability assessment capabilities, frequency and depth.
To provide additional visibility into the variety of assets that make up the modern attack surface and help agencies understand the full scope of their cybersecurity risk, BOD 23-01 adds non-ephemeral cloud assets, IPV6 address space and operational technology to the list of asset types needing to be addressed. These additions cover devices that traditionally have been vulnerable points and have represented potential soft targets that could be leveraged in an attack.
How Tenable helps agencies address CISA BOD 23-01 requirements
Tenable is positioned to help give U.S. federal agencies comprehensive visibility into the assets and vulnerabilities across their organization, including new BOD 23-01 requirements. Specifically, Tenable capabilities provide visibility into:
- External unknowns. As more assets, services and applications become connected to the internet, security teams are often unaware of their complete external footprint. Tenable.asm is an external attack surface management solution that continuously maps the entire internet and discovers connections to internet-facing assets, a critical step in securing assets that were previously unknown to cybersecurity. Agencies can utilize that information to assess the security posture of the entire external attack surface.
- Cloud workloads and resources. Tenable.cs provides cloud security posture management and assessment of cloud assets through frictionless assessment and Tenable.io cloud connectors. Agencies can automatically assess the configuration of cloud virtual machine stances without having to deploy additional software or scanners.
- Operational technology. Enumerating OT assets and critical infrastructure and vulnerabilities brings unique challenges to federal agencies. In contrast to the IT environment, where patching, upgrading and replacing systems is the norm, an OT environment typically requires working with legacy technologies, some of which pre-date the internet era. Tenable.ot supports a breadth of OT vendors, offering a detailed view of OT and IT assets in the OT environment, maps the connections between the devices and helps identify high risk assets so agencies can prioritize their remediation efforts.
- Network infrastructure and endpoints. Federal agencies often struggle to discover vulnerabilities on assets not supported by agents or on assets where agents don't play a part. With Tenable.sc+ and FedRAMP-authorized Tenable.io, Tenable is uniquely positioned to ensure federal agencies get a comprehensive analysis of their assets by using credentialed scans, network- or agent-based assessments, and passive vulnerability enumeration. This ensures all assets are scanned and analyzed, including sensitive devices that are challenging to create policies for or are difficult to harden. Tenable's comprehensive asset discovery capabilities (including the ability to run credentialed scans on all devices) will also help you address requirements in BOD 22-01 to find and fix known exploited vulnerabilities.
- Web applications. Web applications are often the gatekeepers to a wealth of citizen and government data, making web application security a top priority. However, modern web frameworks and components inhibit traditional vulnerability assessment techniques. FedRAMP-authorized Tenable.io Web Application Scanning is designed to gain full visibility into modern web apps. These capabilities ensure agencies understand the page structure and layout of web applications and provide security teams with a full analysis to discover not only the OWASP Top 10 vulnerabilities, but also component vulnerabilities, deeper dives into injections and scripting, and in-depth informational details.
- Identity systems. As agencies move towards a Zero Trust Architecture and take a "trust no one" approach to security, the security of your underlying identity system itself comes into play. To ensure your identity system is secure, Tenable.ad allows you to identify everything in your complex AD environment, predict what matters to reduce risk and eliminate attack paths before attackers exploit them.
Tenable has recently introduced the Tenable One Exposure Management Platform, which can help agencies gain visibility across the modern attack surface, focus efforts to prevent likely attacks and accurately communicate cyber risk to support optimal agency performance. Tenable One includes many of the Tenable solutions described above and allows agencies to translate technical asset, vulnerability and threat data into clear business insights and actionable intelligence for security executives and practitioners.
Find out how Tenable can help protect your agency against cyberattacks— and ensure you have full visibility to all vulnerabilities across your agency — all while demonstrating compliance with diverse regulations, standards and directives.
- Public Policy
Are You Vulnerable to the Latest Exploits?
Enter your email to receive the latest cyber exposure alerts in your inbox.