CISA’s directives are usually a good lodestone for what companies should be doing to build and maintain a high degree of operational maturity. This is no less true with BOD 23-01: asset discovery identifies what an organization is protecting, and vulnerability enumeration establishes how an organization can work to further protect its assets. Companies can use tools that automatically scan for changes to devices on the physical network and perform periodic vulnerability scans, and those tools can be the same product. It can also be useful to manually scan the entire private IP space occasionally to identify undocumented subnets or rogue devices, though scans of that magnitude can be lengthy and resource intensive.

Beyond this, companies can elevate the effectiveness of this data by maintaining a database of the assets and vulnerabilities that can be queried by other IT products. For example, many ticketing systems support asset management natively, and can be managed via Application Programming Interface (API) calls, which can feed useful data into tickets. Change control platforms could also use the data by automatically generating a list of devices that require a remediation to a vulnerability and tracking the deployment and success rate of the remediation.

https://www.cisa.gov/uscert/ncas/current-activity/2022/10/03/cisa-issues-binding-operational-directive-23-01-improving-asset