Threat Watch

CISA Issues New Binding Operational Directive Requiring Asset and Vulnerability Management for Federal Entities

On Monday, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 23-01 (BOD 23-10), which requires Federal Civilian Executive Branch (FCEB) entities to maintain an inventory of all IPv4- and IPv6-networked assets, perform regular, periodic scans of these devices, and provide this information to CISA. The agency takes extra steps to allow for flexibility of means of accomplishing these tasks, and instead lists asset discovery and vulnerability enumeration as the primary goals, leaving it up to the individual organizations to develop and implement a plan to meet the standard. The target date for FCEB entities to meet the BOD is 3 April 2023, which specifies that vulnerability enumeration tasks should be initiated every 14 days and includes collection of metrics for analyzing the effectiveness of the chosen course of action.


CISA’s directives are usually a good lodestone for what companies should be doing to build and maintain a high degree of operational maturity. This is no less true with BOD 23-01: asset discovery identifies what an organization is protecting, and vulnerability enumeration establishes how an organization can work to further protect its assets. Companies can use tools that automatically scan for changes to devices on the physical network and perform periodic vulnerability scans, and those tools can be the same product. It can also be useful to manually scan the entire private IP space occasionally to identify undocumented subnets or rogue devices, though scans of that magnitude can be lengthy and resource intensive.

Beyond this, companies can elevate the effectiveness of this data by maintaining a database of the assets and vulnerabilities that can be queried by other IT products. For example, many ticketing systems support asset management natively, and can be managed via Application Programming Interface (API) calls, which can feed useful data into tickets. Change control platforms could also use the data by automatically generating a list of devices that require a remediation to a vulnerability and tracking the deployment and success rate of the remediation.