CISA issues Binding Operational Directive 23-01.

CISA opened the US Federal Fiscal Year with Binding Operational Directive 23-01, "Improving Asset Visibility and Vulnerability Detection on Federal Networks." The Directive specifies desired outcomes for asset visibility and vulnerability detection without prescribing the steps Federal Executive Civilian Agencies need to take to comply.

Deadlines for asset discovery and vulnerability tracking.

The key compliance deadline is April 3, 2023, by which time the organizations falling under CISA’s tutelage will be expected to:

• First, “Perform automated asset discovery every 7 days.”
• Second, “Initiate vulnerability enumeration across all discovered assets, including all discovered nomadic/roaming devices (e.g., laptops), every 14 days.” There’s some wiggle room here for larger, more complex organizations, and CISA recognizes that it might not be possible to get to full vulnerability in two weeks. Nonetheless, CISA says that “Enumeration processes should still be initiated at regular intervals to ensure all systems within the enterprise are scanned on a regular cadence within this window.”
• Third, “Within 6 months of CISA publishing requirements for vulnerability enumeration performance data, all FCEB agencies are required to initiate the collection and reporting of vulnerability enumeration performance data, as relevant to this directive, to the CDM Dashboard.” These data are of interest to CISA as a means of automating its oversight and monitoring of agencies’ scanning performance.
• And, fourth, “By April 3, 2023, agencies and CISA, through the CDM program, will deploy an updated CDM Dashboard configuration that enables access to object-level vulnerability enumeration data for CISA analysts, as authorized in the Executive Order on Improving the Nation’s Cybersecurity.”

Reporting in the context of a mission order.

Regular reporting will kick in at six-, twelve-, and eighteen-month intervals.

Again, it’s CISA’s intention that the Directive be understood as a mission order, that there are many ways agencies can comply, and the precise methods and procedures they choose are largely up to them.

Industry reaction to Binding Operational Directive 23-01.

We heard from several industry leaders who offered their perspective on BOD 23-01. Liran Tancman, CEO and co-founder of Rezilion, thinks implementation will require some critical self-reflection on the part of the affected agencies.

"It will require a critical look at current tools and strategies and, in many agencies and organizations, an investment in dollars to update technology and processes. Agencies need the right tools for vulnerability detection and prioritization, and they need automated technology for remediation of those vulnerabilities so that they can be focused on more mission-critical objectives. Critical infrastructure in particular often operates with older, legacy technologies that cannot properly defend against modern day threats. With tight budgets, federal agencies and critical infrastructure organizations will need to do some reevaluation of where their time and dollars are allocated if they want to truly be able to manage risk today.

"Going back to my comment about legacy technology, government agencies and critical infrastructure organizations are often behind when it comes to the tools they are using. But this establishes baseline requirements for agencies to use in identifying assets and vulnerabilities, and in order to accomplish that these types of organizations will need to invest in creating and using a Software Bill of Materials (SBOM) with dynamic capabilities so that they can see real-time changes in their assets. And they need to combine the SBOM and VEX and get the actual risk present in their environment. VEX is a machine-readable artifact that tells you which vulnerable components in an environment are actually exploitable. The objective of the VEX is to provide information for organizations to use and prioritize their remediation efforts. This contextualization is provided by the software vendor with a machine-readable artifact with justification values of why a particular component is not affected by a specific vulnerability and therefore not exploitable. Organizations should use a Dynamic SBOM that combines a real-time SBOM and the VEX."

Danielle Jablanski, a nonresident fellow at the Cyber Statecraft Initiative under the Atlantic Council’s Digital Forensic Research Lab (DFRLab) and an OT cybersecurity strategist at Nozomi Networks, thinks the Directive will contribute to helping the Feds "walk the walk" on resilience:

"There is a constant drumbeat of industry experts reflecting on government guidance, standards, and recommendations for cybersecurity that stipulates the federal government must do more to walk the walk on building resilience within federal systems and federal technologies before mandating industries to do better. This directive is a step in exactly that direction.

"Threat actors targeting OT and ICS seek to craft the perfect concoction of capabilities and vulnerabilities that will cause disruption or damage to their target. They can be both opportunistic, highly tailored, or a mixture of both.

"The directive is crucial for two reasons. First, if network activity is not monitored in real time, the status of assets is largely unknown, and whether they have vulnerabilities or not these assets cannot be protected without the necessary visibility into their day-to-day functionality.

"Second, vulnerabilities are not all the same, the degree to which vulnerabilities impact integrity and availability of systems varies by technology, deployment, configuration, and environment.

"The highly anticipated CISA cross-sector cyber performance goals (CPGs) are another step in the right direction, to help owners and operators of critical infrastructure prioritize and implement the NIST cyber security framework.

"It will also provide a benchmark or starting point for industry to self-evaluate their own cybersecurity practices and program maturity, prioritizing based on technology scope, costs, impact, and complexity."

Ron Brash, VP Technical Research & Integrations at aDolus, wants to state the obvious, which is probably wise, given the human propensity to ignore exactly what's in front our face:

"This is stating the obvious, but the #1 resource that civilian agencies will need to be able to comply with the CISA directive is a solid deployment plan and enough staff (or contractors) to enact that plan. Assuming that is in place (a big assumption), the agencies will need to purchase and deploy the tools that can perform regular automated asset discovery scans and interpret the results from these scans. The initial effort to do this is never trivial, as building an accurate IT asset list almost always requires a lot of gumshoeing to correlate the results reported by the tools with what is actually in place. That said, it is a worthwhile endeavor as if you don’t know what you are actually trying to protect, it is hard to protect it. Plus, once the basics are done, it is much easier to keep your assets list up to date.

"The real challenge will be the requirement to perform vulnerability scans “across all discovered assets, including all nomadic/roaming devices (e.g., laptops), every 14 days.” Again there are lots of tools available, but they tend to be focused on IT assets, not OT or IoT assets. As a result, agencies will likely run into a “Pareto Problem” — common IT assets like servers and workstations (the 80%) will be easy (20% effort), but then all the remaining non-traditional assets will take 80% of the effort. With the explosion in both OT and IoT products in the last decade, few agencies will escape this pain: think security cameras, badge readers, HVAC systems, and even soft drink machines as connected devices that will take a lot of effort to scan safely and reliably. Agencies with OT assets (such as air, water, or land monitoring and management) will have an even tougher time.

He also draws attention to the implications of the Directive for software bills-of-materials:

"This publication is a first step towards enforcing cybersecurity vigilance on connected assets. Even though software supply chain security and SBOMs are a core portion of Executive Order 14028, they are only mentioned in the background section in this guidance. In fact the Q&A section is telling: 'Q: Why does the directive reference the software bill of materials (SBOM) in the Background section but not in subsequent sections? A: SBOM is mentioned in the introduction to convey the Administration’s vision and describe our desired state in the long term. The directive focuses on very specific first steps that can be achieved within the next 6-12 months and are prerequisites for broader adoption of SBOM. Without comprehensive asset management, agencies will be unable to effectively use SBOMs to manage risk posed by asset components or libraries.'

"SBOMs will require new tools to take advantage of all the new security capabilities they offer. They are also likely to expose a tsunami of previously unknown (but dangerous) vulnerabilities that will need immediate attention by staff. Those responsible for complying with this Operational Directive are getting an early warning from CISA: “SBOMs are becoming a mandatory security requirement in the next year so get your house in order now.”