CISA directive orders federal civilian agencies to regularly report software vulnerabilities

CISA Director Jen Easterly said the directive will give the agency more insight into federal civilian agencies' cybersecurity practices.
Jen Easterly speaks at her swearing-in ceremony as director of the Cybersecurity and Infrastructure Security Agency on Aug. 9, 2021, at CISA headquarters in Arlington, Virginia. (Department of Homeland Security / Flickr)

The Cybersecurity and Infrastructure Security Agency announced a Binding Operational Directive on Monday ordering federal civilian agencies to enhance efforts to detect vulnerabilities in their networks, a move that CISA Director Jen Easterly hopes the private sector will emulate.

The directive, titled Improving Asset Visibility and Vulnerability Detection on Federal Networks (BOD 23-01), is designed to improve “asset visibility and vulnerability detection on federal networks,” Easterly told reporters during a CISA roundtable discussion on Monday. Federal civilian agencies will now be expected to report detailed vulnerability data to CISA at set intervals using automated tools, she said.

“We have said consistently that we are on an urgent path to gain visibility into risks facing federal civilian networks,” Easterly told reporters. “This is a movement essentially to allow CISA, in its role as operational lead for federal cybersecurity, to manage federal cybersecurity as an enterprise.”

The development of the directive “really reflects [CISA’s] rapidly maturing role” in helping agencies improve network visibility, she said, pointing to the SolarWinds supply chain compromise as a prime example of the “gap” in agencies’ awareness of their own threat surface.


By establishing baseline requirements for agencies to use in identifying assets and vulnerabilities, Easterly said the directive gives CISA a much more granular view of federal agencies’ disparate cybersecurity postures. 

“Threat actors continue to target our nation’s critical infrastructure and government networks to exploit weaknesses within unknown, unprotected, or under-protected assets,” Easterly said in a press release. “While this directive applies to federal civilian agencies, we urge all organizations to adopt the guidance in this directive to gain a complete understanding of vulnerabilities that may exist on their networks.”

Written by Suzanne Smalley

Suzanne joined CyberScoop from Inside Higher Ed, where she covered educational technology, and from Yahoo News, where she worked as an investigative reporter. Prior to Yahoo News, Suzanne worked as a consultant to the economist Raj Chetty as he launched his Harvard-based research institute, Opportunity Insights. Earlier in her career, Suzanne covered the Boston Police Department for the Boston Globe and covered two presidential campaigns for Newsweek. She holds a master’s in journalism from Northwestern and a BA from Georgetown. A Miami native, Suzanne lives in upper Northwest Washington with her family.