
Cybersecurity · Credibility 89/100 · 1 min read

CISA Issues BOD 23-01 to Improve Asset Visibility — October 3, 2022

The directive requires federal civilian agencies to maintain continuous vulnerability scanning and report asset discovery data to CISA.

Executive briefing: On October 3, 2022, CISA released Binding Operational Directive 23-01, requiring federal civilian executive branch agencies to implement automated asset discovery and vulnerability enumeration. The directive seeks to improve enterprise-wide visibility so that agencies can respond to rapidly exploited vulnerabilities.

Directive requirements

  • Automated asset discovery. Agencies must complete network-wide discovery every seven days and report unique IP-addressable assets to CISA.
  • Vulnerability enumeration. Authenticated vulnerability scanning is required every 14 days across on-premises and cloud environments.
  • Reporting cadence. Monthly data submissions to CISA support centralized analysis and remediation prioritization.

Control alignment guidance

  • NIST SP 800-53 CM-8 and RA-5. Agencies should reconcile directive mandates with existing configuration management and vulnerability scanning controls.
  • Zero trust transition. Integrate discovery feeds into zero trust architecture pilots to improve continuous monitoring of identity, device, and workload assets.
  • Continuous diagnostics and mitigation (CDM). Align reporting outputs with DHS CDM dashboards to streamline compliance.

Operational recommendations

  • Automate credentialed scanning coverage for hybrid environments, including infrastructure-as-a-service and software-as-a-service resources.
  • Consolidate asset inventories from enterprise tools into a single authoritative dataset for monthly submissions.
  • Use directive timelines to justify investments in discovery tools, vulnerability management automation, and staffing.
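The consolidation step above, together with the seven-day discovery and 14-day enumeration cadences listed under directive requirements, can be checked mechanically. The following is an added example, not code from the briefing or from CISA: it merges constructed records from three hypothetical tools into one dataset keyed by IP and flags assets that fall outside either cadence.

```python
from datetime import date, timedelta

# Cadences stated in the directive: discovery every 7 days,
# authenticated vulnerability enumeration every 14 days.
DISCOVERY_MAX_AGE = timedelta(days=7)
VULN_ENUM_MAX_AGE = timedelta(days=14)

# Constructed sample feeds from three hypothetical tools (not real data).
FEEDS = {
    "net_discovery": [
        {"ip": "10.0.1.5", "discovered": date(2022, 10, 30)},
        {"ip": "10.0.1.9", "discovered": date(2022, 10, 20)},
    ],
    "vuln_scanner": [
        {"ip": "10.0.1.5", "auth_scanned": date(2022, 10, 25)},
        {"ip": "10.0.1.9", "auth_scanned": date(2022, 10, 10)},
    ],
    "cloud_inventory": [
        {"ip": "172.16.4.2", "discovered": date(2022, 10, 31)},
    ],
}

def _latest(current, candidate):
    """Keep the more recent of two optional dates."""
    if candidate is None:
        return current
    return candidate if current is None or candidate > current else current

def consolidate(feeds):
    """Merge per-tool records into one dataset keyed by IP-addressable asset,
    recording which tools saw it and its most recent discovery / auth-scan dates."""
    assets = {}
    for tool, records in feeds.items():
        for rec in records:
            entry = assets.setdefault(rec["ip"], {
                "sources": set(), "last_discovered": None, "last_auth_scan": None})
            entry["sources"].add(tool)
            entry["last_discovered"] = _latest(entry["last_discovered"], rec.get("discovered"))
            entry["last_auth_scan"] = _latest(entry["last_auth_scan"], rec.get("auth_scanned"))
    return assets

def overdue(assets, today):
    """List (ip, requirement) pairs outside the directive's cadence; an asset
    never seen by a tool counts as overdue for that requirement."""
    findings = []
    for ip, a in sorted(assets.items()):
        if a["last_discovered"] is None or today - a["last_discovered"] > DISCOVERY_MAX_AGE:
            findings.append((ip, "discovery"))
        if a["last_auth_scan"] is None or today - a["last_auth_scan"] > VULN_ENUM_MAX_AGE:
            findings.append((ip, "vuln_enum"))
    return findings

if __name__ == "__main__":
    for ip, req in overdue(consolidate(FEEDS), date(2022, 11, 1)):
        print(f"{ip}: {req} outside BOD 23-01 cadence")
```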