
Tenable Blog


How Tenable Helps Federal Agencies Meet CISA’s Binding Operational Directive 23-01


Here's how to leverage Tenable solutions to achieve compliance with BOD 23-01 from the Cybersecurity and Infrastructure Security Agency (CISA).

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently released Binding Operational Directive (BOD) 23-01. A BOD is a compulsory direction to U.S. federal executive branch departments and agencies for the purpose of safeguarding federal information and information systems; agencies in scope are required to comply with it.

BOD 23-01 mandates continuous and comprehensive asset visibility, focusing on two core activities that are essential to maintaining a successful cybersecurity program:

  • Asset discovery
  • Vulnerability enumeration

According to BOD 23-01, "Continuous and comprehensive asset visibility is a basic pre-condition for any organization to effectively manage cybersecurity risk. Accurate and up-to-date accounting of assets residing on federal networks is also critical for CISA to effectively manage cybersecurity for the Federal Civilian Executive Branch (FCEB) enterprise."

This directive applies to all IP-addressable networked assets that can be reached over IPv4 or IPv6. It builds on BOD 22-01 and outlines new requirements for cloud assets, IPv6 address space and operational technology (OT) in an effort to reduce cyber risk.

Asset discovery and vulnerability enumeration

If you don't know an asset exists, you can't scan it for vulnerabilities. The BOD states: "Asset discovery is a building block of operational visibility." Specifically, the BOD defines asset discovery as "the process of checking an IPv4 or IPv6 network for active and inactive hosts (e.g., networked assets) by using a variety of methods."

The most common discovery methods are:

  • Active scanning, which probes every address in the agency's IPv4 and IPv6 ranges to find hosts that respond
  • Passive scanning, which monitors network traffic to detect activity from hosts that active scans miss or that appear between scans
  • External attack surface management (EASM), which identifies internet-facing assets from the outside, including ones the agency did not know were exposed

Once assets are discovered, vulnerability enumeration identifies and reports suspected vulnerabilities on those assets. Potential vulnerabilities often arise from outdated software versions, missing updates and misconfigurations. An unauthenticated network scan can only see what a host exposes on the wire; to fully understand the vulnerability posture of an asset, agencies should run network-based credentialed scans or install an agent on the host itself.
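The point of the two activities above is that discovery and enumeration are separate feeds that must be reconciled: an asset seen only by passive monitoring but never handed to the scanner is exactly the "don't know it exists, can't scan it" gap. The script below is an added example (not Tenable's code and not from the directive) that merges active, passive and EASM discovery feeds into one inventory, normalizes addresses so the same host seen as 10.0.0.5 and as the IPv4-mapped IPv6 address ::ffff:10.0.0.5 is counted once, and then reports which assets were never enumerated, were enumerated too long ago, were only scanned without credentials, or were enumerated despite never appearing in discovery. All feed records and the fixed "now" are constructed for the example; the 7-day and 14-day cadences are the ones the directive text specifies for discovery and enumeration, but they are parameters here and are not quoted on this page.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Cadences from the directive text (discovery every 7 days, enumeration every
# 14 days). Parameters for this example; the blog post does not quote them.
DISCOVERY_MAX_AGE = timedelta(days=7)
ENUMERATION_MAX_AGE = timedelta(days=14)

# Fixed reference time so the example is deterministic (constructed).
NOW = datetime(2023, 1, 20, tzinfo=timezone.utc)


def _ts(day: str) -> datetime:
    """Parse a YYYY-MM-DD string as midnight UTC."""
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


# Constructed discovery feeds: source -> [(address as reported, last-seen date)].
# Note the same host reported as IPv4 by the active scanner and as an
# IPv4-mapped IPv6 address by the passive sensor, and an uncompressed IPv6 form.
DISCOVERY_FEEDS = {
    "active": [
        ("10.0.0.5", "2023-01-19"),
        ("10.0.0.7", "2023-01-19"),
        ("2001:db8:0:0::10", "2023-01-05"),
    ],
    "passive": [
        ("::ffff:10.0.0.5", "2023-01-19"),
        ("10.0.0.9", "2023-01-18"),
    ],
    "easm": [
        ("203.0.113.4", "2023-01-17"),
    ],
}

# Constructed vulnerability-enumeration records: (address, last assessed, credentialed?).
ENUMERATION_RECORDS = [
    ("10.0.0.5", "2023-01-18", True),
    ("10.0.0.7", "2022-12-30", True),
    ("203.0.113.4", "2023-01-17", False),
    ("10.0.0.11", "2023-01-19", True),   # scanned, but no discovery feed ever saw it
]


def canonical_ip(raw: str) -> str:
    """Normalize an IPv4/IPv6 string so different spellings of one host match.

    Compresses IPv6, and unwraps IPv4-mapped IPv6 (::ffff:a.b.c.d) back to IPv4,
    since sensors on dual-stack sockets commonly report IPv4 peers that way.
    """
    addr = ipaddress.ip_address(raw.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def build_inventory(feeds: dict) -> dict:
    """Merge all discovery feeds into {ip: {"sources": set, "last_seen": datetime}}."""
    inventory: dict = {}
    for source, records in feeds.items():
        for raw, seen in records:
            ip = canonical_ip(raw)
            entry = inventory.setdefault(ip, {"sources": set(), "last_seen": None})
            entry["sources"].add(source)
            ts = _ts(seen)
            if entry["last_seen"] is None or ts > entry["last_seen"]:
                entry["last_seen"] = ts
    return inventory


def coverage_report(inventory: dict, enumerations: list, now: datetime = NOW) -> dict:
    """Compare the discovered inventory against enumeration results."""
    # Keep only the most recent assessment per canonical address.
    assessed: dict = {}
    for raw, when, credentialed in enumerations:
        ip = canonical_ip(raw)
        ts = _ts(when)
        if ip not in assessed or ts > assessed[ip][0]:
            assessed[ip] = (ts, credentialed)

    report = {k: set() for k in (
        "stale_discovery", "never_enumerated", "stale_enumeration",
        "uncredentialed", "enumerated_but_undiscovered")}
    for ip, entry in inventory.items():
        if now - entry["last_seen"] > DISCOVERY_MAX_AGE:
            report["stale_discovery"].add(ip)
        if ip not in assessed:
            report["never_enumerated"].add(ip)   # the "can't scan what you don't know" gap
            continue
        last, credentialed = assessed[ip]
        if now - last > ENUMERATION_MAX_AGE:
            report["stale_enumeration"].add(ip)
        if not credentialed:
            report["uncredentialed"].add(ip)     # only the network-visible view of this host
    # Assets the scanner knows but discovery never produced: discovery coverage is incomplete.
    report["enumerated_but_undiscovered"] = set(assessed) - set(inventory)
    return report


if __name__ == "__main__":
    inv = build_inventory(DISCOVERY_FEEDS)
    for bucket, ips in coverage_report(inv, ENUMERATION_RECORDS).items():
        print(f"{bucket}: {sorted(ips)}")
```

On the constructed feeds the report puts 2001:db8::10 in both stale_discovery and never_enumerated, 10.0.0.9 (seen only passively) in never_enumerated, 10.0.0.7 in stale_enumeration, the EASM-found 203.0.113.4 in uncredentialed, and 10.0.0.11 in enumerated_but_undiscovered. Real feeds would come from the scanner and sensor exports rather than inline lists; the normalization step matters because, without it, a passive sensor reporting IPv4-mapped addresses will make every dual-stack host look like two assets.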

New requirements

To meet citizens' needs, federal agencies are embracing digital technologies, including mobile, internet of things (IoT) and cloud, trends that increase the number and variety of asset types in their environments. To combat new threats and the expanding attack surface, a flurry of new solutions has emerged, driving an evolution in vulnerability assessment capabilities, frequency and depth.

To provide additional visibility into the variety of assets that make up the modern attack surface and help agencies understand the full scope of their cybersecurity risk, BOD 23-01 adds non-ephemeral cloud assets, IPv6 address space and operational technology to the list of asset types that must be addressed. These additions cover asset classes that have traditionally been weak points and soft targets that could be leveraged in an attack.

How Tenable helps agencies address CISA BOD 23-01 requirements

Tenable helps U.S. federal agencies gain comprehensive visibility into the assets and vulnerabilities across their organization, including the new BOD 23-01 asset types. Specifically, Tenable capabilities provide visibility into:

  • External unknowns. As more assets, services and applications become connected to the internet, security teams are often unaware of their complete external footprint. Tenable.asm is an external attack surface management solution that continuously maps the internet and discovers connections to internet-facing assets, a critical step in securing assets that were previously unknown to the security team. Agencies can use that information to assess the security posture of the entire external attack surface.
  • Cloud workloads and resources. Tenable.cs provides cloud security posture management and assessment of cloud assets through frictionless assessment and Tenable.io cloud connectors. Agencies can automatically assess the configuration of cloud virtual machine instances without having to deploy additional software or scanners.
  • Operational technology. Enumerating OT assets, critical infrastructure and their vulnerabilities brings unique challenges to federal agencies. In contrast to the IT environment, where patching, upgrading and replacing systems is the norm, an OT environment typically requires working with legacy technologies, some of which pre-date the internet era. Tenable.ot supports a breadth of OT vendors, offers a detailed view of the OT and IT assets in the OT environment, maps the connections between devices and helps identify high-risk assets so agencies can prioritize their remediation efforts.
  • Network infrastructure and endpoints. Federal agencies often struggle to discover vulnerabilities on assets that cannot run an agent or where an agent is not an option. With Tenable.sc+ and FedRAMP-authorized Tenable.io, agencies get a comprehensive analysis of their assets by combining credentialed scans, network- or agent-based assessments, and passive vulnerability enumeration. This ensures all assets are scanned and analyzed, including sensitive devices that are challenging to write policies for or difficult to harden. Tenable's asset discovery capabilities (including the ability to run credentialed scans on all devices) also help address the BOD 22-01 requirement to find and fix known exploited vulnerabilities.
  • Web applications. Web applications are often the gatekeepers to a wealth of citizen and government data, making web application security a top priority. However, modern web frameworks and components inhibit traditional vulnerability assessment techniques. FedRAMP-authorized Tenable.io Web Application Scanning is designed to gain full visibility into modern web apps. These capabilities help agencies understand the page structure and layout of web applications and provide security teams with a full analysis that discovers not only the OWASP Top 10 vulnerabilities but also component vulnerabilities, deeper dives into injection and scripting flaws, and in-depth informational details.
  • Identity systems. As agencies move toward a Zero Trust Architecture and take a "trust no one" approach to security, the security of the underlying identity system itself becomes a prerequisite. To ensure the identity system is secure, Tenable.ad lets you identify everything in a complex Active Directory environment, predict what matters to reduce risk and eliminate attack paths before attackers exploit them.

Tenable has recently introduced the Tenable One Exposure Management Platform, which helps agencies gain visibility across the modern attack surface, focus efforts on preventing likely attacks and accurately communicate cyber risk to support agency performance. Tenable One includes many of the Tenable solutions described above and allows agencies to translate technical asset, vulnerability and threat data into clear business insights and actionable intelligence for security executives and practitioners.

Learn more

Find out how Tenable can help protect your agency against cyberattacks and give you full visibility into all vulnerabilities across your agency, all while demonstrating compliance with diverse regulations, standards and directives.
