CISA Issues BOD 23-01 to Improve Asset Visibility — October 3, 2022

On 3 October 2022 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 23-01, Improving Asset Visibility and Vulnerability Detection on Federal Networks. The directive requires federal civilian executive branch (FCEB) agencies to implement automated asset discovery every seven days, vulnerability enumeration every 14 days, and maintain full asset inventories. Agencies must develop governance, technology, and outcome testing frameworks to show continuous monitoring effectiveness, with deadlines throughout FY2023.

Directive requirements

BOD 23-01 requires agencies:

• Perform automated asset discovery to identify IPv4 addressable networked assets, with unauthenticated scanning permissible if necessary.
• Implement vulnerability enumeration (authenticated scanning where possible) to detect known vulnerabilities, misconfigurations, and software flaws.
• Initiate remediation processes based on risk severity, using CISA’s Known Exploited Vulnerabilities (KEV) catalog timelines.
• Provide CISA with access to asset and vulnerability data and maintain up-to-date inventories.
• Report completion of milestones through the CyberScope platform.

The directive builds on Executive Order 14028 and Zero Trust strategies, emphasizing measurable outcomes in asset visibility.

Governance and accountability

Agencies must establish governance structures to oversee compliance:

• Executive sponsorship. Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) should jointly sponsor setup, reporting progress to agency leadership and OMB.
• Policies and procedures. Update cybersecurity policies to reflect asset discovery cadences, vulnerability management workflows, and reporting obligations.
• Risk management. Integrate BOD metrics into enterprise risk management (ERM) and zero trust roadmaps.
• Vendor management. Ensure contractors and managed service providers support scanning requirements and provide data feeds.

Outcome testing should assess governance effectiveness through audit reviews, compliance dashboards, and remediation tracking.

Technology and operational considerations

Agencies may need to modernize tooling:

• Deploy or improve asset discovery tools (for example, passive network monitoring, active scanning, endpoint agents) to cover on-premises, cloud, mobile, and OT environments.
• Integrate vulnerability scanners with asset inventories and ticketing systems to automate remediation workflows.
• Implement continuous diagnostics and mitigation (CDM) capabilities, using CISA-provided services where available.
• Ensure scan credentials, authentication mechanisms, and privileged access are managed securely.

Outcome testing should validate scan coverage, accuracy, and timeliness, including verification of cloud asset discovery and remediation effectiveness.

Measurement and reporting

CISA expects agencies to track metrics such as:

• Percentage of IPv4 addresses scanned within required cadence.
• Number of unique assets discovered over time, highlighting visibility improvements.
• Vulnerability closure timelines, especially for KEV-listed CVEs.
• Authenticated scan coverage and success rates.
• Number of assets lacking inventory records or ownership.

Agencies should build dashboards aligning with OMB Memorandum M-22-09 (Zero Trust Strategy) and integrate metrics into CIO/CISO briefings.

Outcome validation

To show effectiveness, agencies should:

• Conduct penetration tests or red team exercises to identify blind spots in asset discovery.
• Perform quality assurance on scan results, verifying false positives/negatives and ensuring remediation tickets are actioned.
• Correlate vulnerability data with incident response records to assess risk reduction.
• Benchmark performance against CISA targets and peer agencies.

Internal auditors and inspectors general should assess compliance, reporting findings to agency leadership and CISA.

Step-by-step guidance

Successful implementation requires a structured approach that addresses technical, operational, and organizational considerations. Organizations should establish dedicated implementation teams with clear responsibilities and sufficient authority to drive necessary changes across the enterprise.

Project governance should include regular status reviews, risk assessments, and stakeholder communications. Executive sponsorship is essential for securing resources and removing organizational barriers that might impede progress.

Change management practices help ensure smooth transitions and stakeholder acceptance. Training programs, communication plans, and feedback mechanisms all contribute to effective change management outcomes.

Verification steps

Compliance verification involves systematic evaluation of implemented controls against applicable requirements. Organizations should establish verification procedures that provide objective evidence of compliance status and identify areas requiring remediation.

Internal audit functions play an important role in providing independent assurance over compliance activities. Audit plans should incorporate risk-based prioritization and coordination with external audit requirements where applicable.

Continuous compliance monitoring capabilities enable early detection of control failures or compliance drift. Automated monitoring tools can provide real-time visibility into compliance status across multiple control domains.

Vendor considerations

Third-party relationships require careful management to ensure compliance obligations are properly addressed throughout the vendor ecosystem. Due diligence procedures should evaluate vendor compliance capabilities before engagement.

Contractual provisions should clearly allocate compliance responsibilities and establish appropriate oversight mechanisms. Service level agreements should address compliance-relevant performance metrics and reporting requirements.

Ongoing vendor monitoring ensures continued compliance throughout the relationship lifecycle. Periodic assessments, audit rights, and incident response procedures all contribute to effective third-party risk management.

Planning considerations

Strategic alignment ensures that compliance initiatives support broader organizational objectives while addressing regulatory requirements. Leadership should evaluate how this development affects competitive positioning, operational efficiency, and stakeholder relationships.

Resource planning should account for both immediate implementation needs and ongoing operational requirements. Organizations should develop realistic timelines that balance urgency with practical constraints on resource availability and organizational capacity for change.

Tracking performance

Effective monitoring programs provide visibility into compliance status and control effectiveness. Key performance indicators should be established for critical control areas, with regular reporting to appropriate stakeholders.

Metrics should address both compliance outcomes and process efficiency, enabling continuous improvement of compliance operations. Trend analysis helps identify emerging issues and evaluate the impact of improvement initiatives.

Summary and next steps

Organizations should prioritize assessment of their current posture against the requirements outlined above and develop actionable plans to address identified gaps. Regular progress reviews and stakeholder communications help maintain momentum and accountability throughout the implementation journey.

Continued engagement with industry peers, professional associations, and regulatory bodies provides valuable opportunities for knowledge sharing and influence on future policy developments. Organizations that address emerging requirements position themselves favorably relative to competitors and build stakeholder confidence.

Governance structure

Effective governance ensures appropriate oversight of compliance activities and timely escalation of significant issues. Organizations should establish clear roles, responsibilities, and accountability structures that align with their compliance objectives and risk appetite.

Regular reporting to senior leadership and board-level committees provides visibility into compliance status and supports informed decision-making about resource allocation and risk management priorities.

Ongoing improvement

Compliance programs should incorporate mechanisms for continuous improvement based on lessons learned, emerging best practices, and evolving requirements. Regular program assessments help identify enhancement opportunities and ensure sustained effectiveness over time.

Organizations that approach this development strategically, with appropriate attention to governance, risk management, and operational excellence, will be well-positioned to achieve compliance objectives while supporting broader business goals.

Similar analysis

Additional analysis covering similar themes.

Cybersecurity · Credibility 92/100 · November 22, 2022

U.S. DoD Releases Zero Trust Strategy and Roadmap — November 22, 2022

DoD’s 2022 Zero Trust Strategy mandates 45 capabilities and FY2027 outcomes, requiring components and contractors to align governance, architectures, and outcome metrics across zero trust pillars.

Cybersecurity · Credibility 92/100 · September 14, 2022

CISA SBOM Sharing Guidance Operational Playbook — September 14, 2022

CISA’s SBOM Sharing Guidance sets expectations for producers and enterprise customers to automate SBOM generation, secure exchanges, and evidence outcome-focused vulnerability management controls across critical software…

Cybersecurity · Credibility 91/100 · October 25, 2022

TSA Tightens Rail Cybersecurity Directives — October 25, 2022

TSA’s October 2022 rail cybersecurity directives demand verifiable segmentation, monitoring, and patching across operational technology, requiring rail operators to modernize controls, document setup plans, and prove…

Cybersecurity · Credibility 92/100 · October 31, 2022

CISA Cross-Sector Cybersecurity Performance Goals — Adoption Blueprint

CISA’s cross-sector performance goals translate the NIST Cybersecurity Framework into focus ond baseline and improved safeguards for critical infrastructure, requiring governance, testing, and supply chain controls to…

Cybersecurity · Credibility 89/100 · November 1, 2022

OpenSSL 3.0.7 Critical Update — Response and Assurance Checklist

Remember when everyone thought OpenSSL had another Heartbleed on its hands? The November 2022 update fixed two buffer overflow vulnerabilities that were initially flagged as critical but got downgraded to high. Still, if…

Continue in the Cybersecurity pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Cybersecurity Operations Playbook

  Use our research to align NIST CSF 2.0, CISA KEV deadlines, and sector mandates across threat intelligence, exposure management, and incident response teams.

• Network Security Fundamentals Explained Practically

  A practitioner-focused guide to network security fundamentals covering firewalls, segmentation, IDS/IPS, DNS security, VPNs, wireless security, zero trust architecture, and traffic…

• Small Business Cybersecurity Survival Checklist

  A budget-conscious cybersecurity checklist built specifically for small businesses. This guide covers foundational security policies, network hardening, employee training, phishing…

Coverage intelligence

Published

October 3, 2022

Coverage pillar

Cybersecurity

Source credibility

89/100 — high confidence

Topics

CISA BOD 23-01 · Asset visibility · Federal vulnerability management · Outcome testing · Zero trust setup

Sources cited

3 sources (cisa.gov, iso.org)

Reading time

5 min

Further reading

1. Binding Operational Directive 23-01
2. CISA Blog — Improving Asset Visibility and Vulnerability Detection
3. ISO/IEC 27001:2022 — Information Security Management Systems — International Organization for Standardization