Source: heimdalsecurity.com – Author: Andreea Chebac
The American Cybersecurity & Infrastructure Security Agency (CISA) issued on June 13, 2023, a binding operational directive (BOD) requiring federal civilian agencies to safeguard networking equipment that is faulty or exposed to the Internet.
Federal civilian executive branch (FCEB) agencies have 14 days to solve such problems after they discover them.
Binding Operational Directive 23-02 refers to routers, firewalls, proxies, load balancers, and other networked devices with management interfaces that are exposed to the Internet. This type of equipment provides authorized users with the access they need to carry out network administration tasks.
The Directive requires federal civilian executive branch (FCEB) agencies to take steps to reduce their attack surface created by insecure or misconfigured management interfaces across certain classes of devices.
What Measures Agencies Can Take
If an agency receives a notification from CISA or discovers a problematic network device that aligns with the purpose of BOD 32-02, it has 14 days to tend to the problem.
The remediation can be done in two ways:
- To use a policy enforcement point separate from the interface itself to implement Zero Trust measures, this way imposing access control to the interface (the recommended course of action).
- Limit access to the internal network interface of networking hardware; CISA advises having a separate management network.
Agencies must be prepared to remove identified networked management interfaces from exposure to the internet, or protect them with Zero-Trust capabilities that implement a policy enforcement point separate from the interface itself.
CISA announces scans meant to discover devices and interfaces that need to be modified. It will also provide FCEB with a special reporting interface and templates for remediation plans, in cases where the 14 days-timeframe for remediation measures is surpassed. Agencies can require help from CISA on this matter, like experts, guidance, and status verification for certain devices.
We issued Binding Operational Directive 23-02 that requires federal agencies to secure internet-exposed management interfaces intended to further reduce the attack surface of government networks. Learn more: https://t.co/kbyNrKR3pr pic.twitter.com/gzRjvGDZI9
— Cybersecurity and Infrastructure Security Agency (@CISAgov) June 13, 2023
Also, CISA will send reports on the implementation of BOD 23-02 to the Director of the Office of Management and Budget (OMB) and the Secretary of the Department of Homeland Security (DHS) in six months and then once a year.
Finally, in two years CISA will update the directive to the latest cybersecurity changes. This will lead also to changes in the implementation guidance created to help agencies to determine, keep an eye on, and report on the networked management interfaces they use.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.
If you liked this post, you will enjoy our newsletter.
Get cybersecurity updates you’ll actually want to read directly in your inbox.
Original Post URL: https://heimdalsecurity.com/blog/agencies-are-compelled-to-secure-all-internet-exposed-equipment-by-cisa-orders/
Category & Tags: Cybersecurity News – Cybersecurity News
