The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new Binding Operational Directive (BOD) that directs federal agencies in the country to keep track of assets and vulnerabilities on their networks six months from now.
To that end, Federal Civilian Executive Branch (FCEB) enterprises have been tasked with two sets of activities: Asset discovery and vulnerability enumeration, which are seen as essential steps to gain “greater visibility into risks facing federal civilian networks.”
This involves carrying out automated asset discovery every seven days and initiating vulnerability enumeration across those discovered assets every 14 days by April 3, 2023, in addition to having the capabilities to do so on an on-demand basis within 72 hours of receiving a request from CISA.
Similar baseline vulnerability enumeration obligations have also been put in place for Android and iOS devices as well as other devices that reside outside of agency on-premises networks.
“Doing so will ensure asset management and vulnerability detection practices that will strengthen their organization’s cyber resilience,” CISA said, adding it will help close gaps in the attack surface.
The goal of BOD 23-01, it said, is to maintain an up-to-date inventory of networked assets, identify software vulnerabilities, track an agency’s asset coverage and vulnerability signatures, and share that information to CISA on defined intervals.