As I mentioned in a blog this past weekend, when compared to many of the previous Administrations, the one being led by Biden has done, IMHO, the most for Cybersecurity. True, all of it may not be enacted because of all of the political mudslinging that is going on right now, but the fact remains that at least Biden is aware of the Cyber Threat Landscape that is upon us today, and he is trying to do something about it.
Well today (ironically, on the 4th of July), I came across a news article that addresses a new effort for the government sector. It is being led by the United States Cybersecurity and Infrastructure Security Agency, also known as “CISA” for short.

Their new directive is entitled “Binding Operational Directive 23-01”, also known as “BOD 23-01” for short.
But believe it or not, it is not targeted at the private sector or Corporate America. Rather, it is geared towards the Federal Government itself. One of the main reasons driving this new piece of legislation is the vulnerabilities that the Critical Infrastructure has today.

Ultimately, it is our own government that is responsible for the safety of these systems, and in turn, the various governmental agencies at the state and local levels also need them.

So given this double-edged sword, it is no wonder that something like this is needed. But the interesting thing is that it is not geared at beefing up any lines of defense; rather, its primary objective is to give the Federal Government a framework for identifying where all of its assets are, and from there, finding out where all of the vulnerabilities lie.
There are two key aspects of this new directive, which are as follows:

1) Asset Discovery: The definition of an asset here is anything that is connected to a Network Infrastructure. This will primarily involve determining the IP addresses of these particular assets. But as we all know, even the Federal Government makes use of the Cloud as well, most notably Azure. With this, things can get complex very quickly, and this is yet another impetus for this new act. But there will also be a special focus on those devices that are considered to be “BYOD”, or any other unauthorized device that is making unauthorized use of network resources. Once these are identified, further steps will be taken to completely eradicate them, as they can pose a serious risk as well.
2) Vulnerability Enumeration: This is essentially conducting a Vulnerability Scan, but on a more sophisticated level. The following are what will be the focus when a scan is being done:
*Operating Systems
*Software Applications that are hosted on servers
*Open Ports
*Determining if any software apps are close to reaching their “End of Life”
*Finding out what software patches are missing and need to be applied immediately
*Locating any misconfigurations
*Determining if there is any sort of deviation from baseline levels when compared to what the security policies mandate
But the enforcement of this new act is going to be rather strict, with the following mandates:
*These tests have to be run every seven days.
*Software vulnerabilities must be assessed for Privileged Access Management (PAM) accounts.
*There must be an inventory of all assets maintained at all times, and it must be accessible.
*All of the results from the tests must also be sent to the Continuous Diagnostics and Mitigation (CDM) Federal Dashboard, which is a service maintained by CISA.
My Thoughts On This:

A couple of things stand out as I write about this:
*CISA does not exactly specify how the various governmental agencies are to come into compliance with this new act, only that they meet the above-mentioned requirements within the timeframes set forth.
*It is highly likely that the Federal Government will need to make use of automation tools, such as AI and ML. But the paradox here is that many of the government's Network Infrastructures are still legacy based, so automation may or may not work as effectively.
*There will be no additional funding provided for the various government agencies to conduct these tests on a regular basis. Rather, they will have to use the resources they already have to hand.

With the last point, this means that there could be more opportunities for the private sector to fill in any lack of resources.
I have to be honest about one thing: if CISA is going to mandate these kinds of tests to see where all of the vulnerabilities are, why not take it further and make it mandatory that the appropriate controls are also implemented at the same time? Would this not help to protect our Critical Infrastructure even more, and improve the security posture of the Federal Government?

Finally, more details about BOD 23-01 can be seen at the link below:
https://www.darkreading.com/attacks-breaches/will-new-cisa-guidelines-help-bolster-cyber-defenses-