Do you know what IT devices are in your business or on your network right now? If not, it’s not just cybercriminals that might be knocking on your door very soon, but the White House.
Binding Operational Directive 23-01, or BOD 23-01, is a new directive from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). It orders federal agencies in the country to keep track of their IT assets and any vulnerabilities on their networks.
The guidance aims to shake up the way devices are tracked, managed, and protected against unauthorized access and attacks like ransomware. Because if IT teams and organizations don’t know what devices are under their roof, then what chance do they stand of protecting them?
What is the new directive?
The wide-ranging cybersecurity directive orders all U.S. Federal Civilian Executive Branch (FCEB) agencies to create a complete and accurate inventory of all of their software assets.
The new directive is trying to prevent situations such as the 2020 SolarWinds scandal, where several government agencies and organizations were compromised by malicious code injected into the software system.
But it also wants to make federal civilian agencies more accountable for their own devices and what resides on their networks, and to have them take more responsibility when a cyber breach or attack takes place.
And although the directive only covers federal civilian agencies in the U.S., CISA also urged the private sector and state governments to review and implement similar asset and vulnerability practices. It’s hard to think of a reason why it shouldn’t also be rolled out to all businesses, not just those in the U.S.
For several years, CISA has been working to gain greater visibility into risks facing federal civilian networks. It may now finally have made some progress.
What issues is it trying to address?
Threat actors continue to target critical infrastructure, networks, and devices to exploit weaknesses within unknown, unprotected, or under-protected assets. Previous and even current methods to prevent this from happening have had varying levels of success, hence the need for another layer of protection.
At a basic level, businesses still aren’t tracking the devices and software underneath their own roof, with around one in three IT teams saying they don’t actively track the software used by employees within the business.
The hope with the new directive is that, at a minimum, agencies and government departments have access to an up-to-date inventory of assets. You can’t protect what you can’t see, so by providing this visibility we’re already one step ahead of the game.
But that alone won’t solve the issue altogether, as there’s no point seeing what’s under threat if you can’t prevent an attack from happening in the first place or at least stop it from becoming mission-critical.
93 percent of companies are vulnerable to external attackers breaching their network perimeters and gaining access to sensitive data. By improving on current IT asset management strategies to be able to identify vulnerabilities, track vulnerability signatures, and share that information with the relevant parties, we can help keep information from getting into the wrong hands.
What does it mean for IT teams?
The attack surface — the points of entry and vulnerabilities that serve as attack vectors — is expanding rapidly. New technologies, recent changes to implement remote and hybrid workplaces, and bring your own device (BYOD) gaining momentum again are threatening to overpower IT teams.