CISA directive orders federal civilian agencies to regularly report software vulnerabilities
The Cybersecurity and Infrastructure Security Agency announced a Binding Operational Directive on Monday ordering federal civilian agencies to enhance efforts to detect vulnerabilities in their networks, a move that CISA Director Jen Easterly hopes the private sector will emulate.
The directive, titled Improving Asset Visibility and Vulnerability Detection on Federal Networks (BOD 23-01), is designed to improve “asset visibility and vulnerability detection on federal networks,” Easterly told reporters during a CISA roundtable discussion on Monday. Federal civilian agencies will now be expected to report detailed data about vulnerabilities to CISA at timed intervals using automated tools, she said.
“We have said consistently that we are on an urgent path to gain visibility into risks facing federal civilian networks,” Easterly told reporters. “This is a movement essentially to allow CISA, in its role as operational lead for federal cybersecurity, to manage federal cybersecurity as an enterprise.”
The development of the directive “really reflects [CISA’s] rapidly maturing role” of helping agencies improve network visibility, she said, pointing to the SolarWinds supply chain compromise as a prime example of the “gap” in agencies’ awareness of their own threat surface.
Easterly said that by establishing baseline requirements for how agencies identify assets and vulnerabilities, the directive gives CISA a much more granular view of federal agencies’ disparate cybersecurity postures.
“Threat actors continue to target our nation’s critical infrastructure and government networks to exploit weaknesses within unknown, unprotected, or under-protected assets,” Easterly said in a press release. “While this directive applies to federal civilian agencies, we urge all organizations to adopt the guidance in this directive to gain a complete understanding of vulnerabilities that may exist on their networks.”