CISA Issues Binding Operational Directive 24-02 — May 16, 2024

Executive briefing: On 16 May 2024 the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 24-02, requiring federal civilian agencies to mitigate risks from insecure network management interfaces. The directive mandates disabling or securing protocols such as Telnet, SNMPv1/v2c, and TFTP, enforcing MFA on administrative interfaces, and documenting compensating controls for legacy systems.

Directive highlights

• Protocol hardening. Agencies must remove or secure plaintext management protocols on internet-accessible devices within 45 days.
• Authentication controls. Require MFA and strong passwords for all remote administrative access, including console management platforms.
• Reporting obligations. Agencies must submit completion reports to CISA and justify any waivers or extensions.

Control alignment guidance

• NIST SP 800-53 AC-17/SC-12. Align remote access and cryptographic requirements with the directive’s expectations for encrypted management traffic.
• CISA KEV management. Integrate directive tasks with Known Exploited Vulnerabilities remediation tracking to prevent regression.
• Configuration baselines. Update network device hardening guides to eliminate legacy protocols and document compensating controls.

Operational recommendations

• Conduct automated scans to identify exposed management interfaces and validate remediation progress across hybrid environments.
• Coordinate with vendors and managed service providers to replace unsupported hardware or firmware that cannot disable insecure protocols.
• Document waiver requests with risk assessments and remediation plans for submission to CISA if legacy dependencies remain.

Related briefings

Curated signals from the same pillar or overlapping topics.

Cybersecurity · Credibility 91/100 · May 10, 2024

CISA, FBI, and HHS Warn of Black Basta Ransomware Surge — May 10, 2024

U.S. cyber agencies detailed Black Basta’s tactics and urged critical infrastructure operators to harden remote access and backups.

Cybersecurity · Credibility 91/100 · April 30, 2024

CISA Launches Secure by Design Pledge — April 30, 2024

CISA invited major technology manufacturers to commit to seven measurable secure-by-design goals covering memory-safe languages, MFA by default, and vulnerability disclosure performance.

Cybersecurity · Credibility 89/100 · August 3, 2023

CISA Unveils 2024–2026 Cybersecurity Strategic Plan — August 3, 2023

CISA’s 2024–2026 strategic plan requires executive governance to steer joint cyber defence planning, phased implementation across the three mission goals, and privacy-aware evidence collection to satisfy DSARs tied to…

Cybersecurity · Credibility 90/100 · May 9, 2024

TSA Expands Aviation Cybersecurity Directives — May 9, 2024

TSA ordered airport and aircraft operators to harden incident reporting, network segmentation, and access controls under new emergency amendments.

Cybersecurity · Credibility 93/100 · May 7, 2024

Five Eyes Warn on Russian SVR Cloud Intrusions — May 7, 2024

CISA and allied agencies detailed how Midnight Blizzard compromises cloud identity and M365 tenants using password spray and token theft.

Continue in the Cybersecurity pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Cybersecurity Operations Playbook — Zeph Tech

  Use Zeph Tech research to align NIST CSF 2.0, CISA KEV deadlines, and sector mandates across threat intelligence, exposure management, and incident response teams.