
CISA Issues BOD 23-01 to Improve Asset Visibility — October 3, 2022

CISA’s BOD 23-01 forces federal agencies to automate asset discovery and vulnerability scanning, requiring modern tooling, governance, and outcome testing aligned with zero-trust roadmaps.


Executive briefing: On 3 October 2022 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 23-01, Improving Asset Visibility and Vulnerability Detection on Federal Networks. The directive requires federal civilian executive branch (FCEB) agencies to perform automated asset discovery every seven days, run vulnerability enumeration every 14 days, and maintain comprehensive asset inventories. Agencies must develop governance, technology, and outcome testing frameworks to demonstrate continuous monitoring effectiveness, with deadlines throughout FY2023.

Directive requirements

BOD 23-01 mandates that agencies:

  • Perform automated asset discovery to identify IPv4 addressable networked assets, with unauthenticated scanning permissible if necessary.
  • Implement vulnerability enumeration (authenticated scanning where possible) to detect known vulnerabilities, misconfigurations, and software flaws.
  • Initiate remediation processes based on risk severity, leveraging CISA’s Known Exploited Vulnerabilities (KEV) catalog timelines.
  • Provide CISA with access to asset and vulnerability data and maintain up-to-date inventories.
  • Report completion of milestones through the CyberScope platform.

The directive builds on Executive Order 14028 and Zero Trust strategies, emphasising measurable outcomes in asset visibility.

Governance and accountability

Agencies must establish governance structures to oversee compliance:

  • Executive sponsorship. Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) should jointly sponsor implementation, reporting progress to agency leadership and OMB.
  • Policies and procedures. Update cybersecurity policies to reflect asset discovery cadences, vulnerability management workflows, and reporting obligations.
  • Risk management. Integrate BOD metrics into enterprise risk management (ERM) and zero trust roadmaps.
  • Vendor management. Ensure contractors and managed service providers support scanning requirements and provide data feeds.

Outcome testing should assess governance effectiveness through audit reviews, compliance dashboards, and remediation tracking.

Technology and operational considerations

Agencies may need to modernise tooling:

  • Deploy or enhance asset discovery tools (e.g., passive network monitoring, active scanning, endpoint agents) to cover on-premises, cloud, mobile, and OT environments.
  • Integrate vulnerability scanners with asset inventories and ticketing systems to automate remediation workflows.
  • Implement continuous diagnostics and mitigation (CDM) capabilities, leveraging CISA-provided services where available.
  • Ensure scan credentials, authentication mechanisms, and privileged access are managed securely.

Outcome testing should validate scan coverage, accuracy, and timeliness, including verification of cloud asset discovery and remediation effectiveness.

Metrics and reporting

CISA expects agencies to track metrics such as:

  • Percentage of IPv4 addresses scanned within required cadence.
  • Number of unique assets discovered over time, highlighting visibility improvements.
  • Vulnerability closure timelines, especially for KEV-listed CVEs.
  • Authenticated scan coverage and success rates.
  • Number of assets lacking inventory records or ownership.

Agencies should build dashboards aligning with OMB Memorandum M-22-09 (Zero Trust Strategy) and integrate metrics into CIO/CISO briefings.

Outcome validation

To demonstrate effectiveness, agencies should:

  • Conduct penetration tests or red team exercises to identify blind spots in asset discovery.
  • Perform quality assurance on scan results, verifying false positives/negatives and ensuring remediation tickets are actioned.
  • Correlate vulnerability data with incident response records to assess risk reduction.
  • Benchmark performance against CISA targets and peer agencies.

Internal auditors and inspectors general should assess compliance, reporting findings to agency leadership and CISA.

Implementation timeline

BOD 23-01 set milestones including 3 April 2023 for establishing asset discovery capabilities and 1 April 2023 for vulnerability enumeration readiness, with ongoing cadence requirements thereafter. Agencies must confirm compliance via CyberScope submissions and remediate gaps promptly.

Zeph Tech supports federal agencies and contractors in meeting BOD 23-01 by integrating asset discovery, vulnerability management, and outcome analytics into zero trust transformation programs.

Integration with zero trust architectures

BOD 23-01 underpins zero trust initiatives. Agencies should map asset discovery outputs to identity, network segmentation, and policy engines. For example, integrating asset inventories with identity governance platforms ensures that orphaned systems trigger account reviews. Feeding vulnerability data into microsegmentation policies can dynamically restrict access to high-risk assets until remediation is complete. Agencies adopting software-defined perimeters should ensure discovery tools cover cloud workloads, containers, and serverless resources.

Outcome testing can include verifying that newly discovered assets are automatically enrolled into configuration management databases (CMDBs), identity systems, and security monitoring tools. Agencies should test automated quarantine workflows and document success metrics such as reduced dwell time for unmanaged assets.

Data quality and lifecycle management

Maintaining accurate inventories requires robust data quality management. Agencies should establish data stewardship roles, implement deduplication rules, and align naming conventions across systems. Retention policies should define when retired assets are removed from inventories and how historical data is archived for audit purposes. Agencies must ensure that asset metadata—ownership, mission criticality, security categorisation—remains current.

Outcome metrics might track the percentage of assets with identified owners, the number of stale records removed each quarter, and the timeliness of updates after configuration changes. Inspectors general often scrutinise these metrics during FISMA audits.

Collaboration with contractors

Many agencies rely on contractors for system administration. Contracts should include clauses mandating participation in scanning, timely remediation, and data sharing. Agencies should establish secure channels for contractors to submit scan results, while verifying integrity and completeness. Periodic joint reviews help align expectations and ensure contractor-managed systems meet the same standards as government-operated environments.

Metrics automation and visualization

To sustain compliance, agencies should automate reporting pipelines that transform scan outputs into dashboards for executives and technical teams. Leveraging data platforms such as Splunk, ELK, or Power BI can provide near-real-time insights into coverage and remediation trends. Visualisations should highlight high-risk systems, track remediation aging, and showcase progress against zero trust objectives. Publishing dashboards to mission owners builds accountability.
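The metrics listed under "Metrics and reporting" and the reporting pipeline described above can be computed directly from an inventory export. The following is an added example, not code from CISA or from this briefing's author. The record fields, sample assets, placeholder CVE ids and the `cadence_report` helper are all assumptions constructed for illustration.

```python
from datetime import date, timedelta

DISCOVERY_WINDOW = timedelta(days=7)     # asset discovery cadence from the briefing
ENUMERATION_WINDOW = timedelta(days=14)  # vulnerability enumeration cadence
# Constructed inventory export; field names are assumptions, not a CISA schema.
ASSETS = [
    {"ip": "10.0.1.10", "owner": "net-ops", "last_seen": "2023-04-10",
     "last_vuln_scan": "2023-04-05", "authenticated": True},
    {"ip": "10.0.1.22", "owner": None, "last_seen": "2023-04-11",
     "last_vuln_scan": None, "authenticated": False},
    {"ip": "10.0.2.5", "owner": "hr-apps", "last_seen": "2023-04-01",
     "last_vuln_scan": "2023-03-25", "authenticated": True},
    {"ip": "10.0.3.40", "owner": "finance", "last_seen": "2023-04-12",
     "last_vuln_scan": "2023-04-02", "authenticated": False},
]
# Constructed KEV findings; CVE ids are placeholders, kev_due is the remediation due date.
FINDINGS = [
    {"ip": "10.0.1.10", "cve": "CVE-0000-0001", "kev_due": "2023-04-01", "closed": "2023-03-28"},
    {"ip": "10.0.2.5", "cve": "CVE-0000-0002", "kev_due": "2023-04-05", "closed": None},
    {"ip": "10.0.3.40", "cve": "CVE-0000-0003", "kev_due": "2023-04-20", "closed": None},
]

def within(stamp, as_of, window):
    if not stamp:
        return False  # never seen or never scanned counts as out of cadence
    age = as_of - date.fromisoformat(stamp)
    return timedelta(0) <= age <= window  # future-dated records are rejected too

def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0  # empty inventory: 0.0, no crash

def cadence_report(assets, findings, as_of):
    seen = [a for a in assets if within(a["last_seen"], as_of, DISCOVERY_WINDOW)]
    scanned = [a for a in assets if within(a["last_vuln_scan"], as_of, ENUMERATION_WINDOW)]
    overdue = []
    for f in findings:  # open findings are judged against the report date
        resolved = date.fromisoformat(f["closed"]) if f["closed"] else as_of
        if resolved > date.fromisoformat(f["kev_due"]):
            overdue.append((f["ip"], f["cve"]))
    return {
        "discovery_pct": pct(len(seen), len(assets)),
        "enumeration_pct": pct(len(scanned), len(assets)),
        "authenticated_pct": pct(sum(a["authenticated"] for a in scanned), len(scanned)),
        "stale_discovery": [a["ip"] for a in assets if a not in seen],
        "unowned": [a["ip"] for a in assets if not a["owner"]],
        "kev_overdue": overdue,
    }

print(cadence_report(ASSETS, FINDINGS, date(2023, 4, 12)))
```

The returned dictionary can be serialised to JSON and indexed by whichever dashboard platform the agency already uses.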

Agencies can partner with the General Services Administration or CISA for shared services that provide common tooling. Documenting automation workflows and access controls ensures transparency during audits.

Agencies should also align asset data with vulnerability exploitability scores such as EPSS to prioritise remediation resources effectively.

Coordinating with the Joint Cyber Defense Collaborative (JCDC) can provide agencies with shared best practices on asset discovery tooling and KEV remediation.

Lessons learned should feed into annual FISMA reporting narratives and OMB maturity assessments.

Agency leadership should review trend reports quarterly to sustain momentum.

Operational drills and enterprise coordination

Run quarterly sprints that benchmark asset discovery tools against CISA’s expectations: full IPv4 and IPv6 space coverage every seven days, enumeration of on-premises and cloud resources, and integration with CDM dashboards. Capture metrics such as percentage of assets discovered within the required window, mean time to onboard new subnets, and false-positive rates. Agencies should also test their vulnerability scanning cadence to ensure all internet-accessible assets are scanned every 72 hours and internal assets every 14 days, as the directive requires.

Because BOD 23-01 emphasises organisational governance, designate a senior accountable official who certifies quarterly to the agency head and CISA that discovery and scanning requirements were met. This official should chair a working group with CIO, CISO, and mission owners, review performance dashboards, approve remediation prioritisation, and document resource requests.

Finally, incorporate BOD 23-01 evidence into zero-trust maturity reporting (OMB M-22-09) and FISMA scorecards. Agencies should keep scripts, API calls, and infrastructure-as-code modules used to automate scanning so they can recreate results during CISA assessments. Sharing lessons learned with peer agencies through CISA’s Federal Cybersecurity Incident Response Teams or the Joint Cyber Defense Collaborative will help the broader community meet the directive’s ambitious cadence.

