CISA issued the first Binding Operational Directive (BOD) this year directing federal civilian agencies to secure misconfigured or Internet-exposed network equipment within 14 days of discovery.

The cybersecurity agency's Binding Operational Directive 23-02 applies to networked devices with Internet-facing management interfaces (e.g., routers, firewalls, proxies, and load balancers) that grant authorized users the access necessary to perform network administrative tasks.

“The directive requires Federal Civilian Executive Branch (FCEB) agencies to take steps to reduce their attack surface created by insecure or misconfigured management interfaces on certain device classes,” CISA said.

“Agencies should be prepared to remove identified networked management interfaces from exposure to the Internet, or protect them with Zero-Trust capabilities that implement a policy enforcement point separate from the interface itself,” the agency added.

As noted in BOD 23-02, federal agencies have 14 days from receipt of CISA notification or independent discovery of a network management interface within the scope of the directive to take one of the following actions:

  1. Limit access to the network equipment interface to the internal network; CISA recommends using an isolated management network.
  2. Implement Zero Trust measures to enforce interface access control through a policy enforcement point separate from the interface itself (the preferred course of action).

CISA says it will perform scans to identify devices and interfaces that fall within the scope of the directive and notify agencies of its findings.

To facilitate the remediation process, CISA will provide Federal agencies with technical expertise when needed or requested to review the status of specific devices and provide guidance on securing devices.
FCEB agencies will also have access to a dedicated reporting interface and standardized templates for remediation plans in the event that the required timeframe for remediation efforts is exceeded.

Within six months and annually thereafter, CISA will compile and submit an FCEB BOD 23-02 Compliance Status Report to the Director of the Office of Management and Budget (OMB) and the Secretary of the Department of Homeland Security (DHS).

In addition, within two years, CISA will update the guidance to reflect changes in the cybersecurity landscape and revise the implementation tips provided to help agencies effectively identify, monitor and report the network management interfaces they use.

In March, CISA also announced that it would notify critical infrastructure organizations of ransomware-vulnerable devices on their network to help them block ransomware attacks under a new Ransomware Vulnerability Warning Pilot (RVWP) program.