
CISA Issues Binding Operational Directive 24-02 — May 16, 2024

CISA's Binding Operational Directive 24-02 requires federal agencies to implement memory-safe programming practices and reduce exposure from known exploited vulnerabilities. While BODs only bind federal agencies, the guidance signals where CISA thinks private sector practices should head too.

Verified for technical accuracy — Kodi C.


High-level summary

On , the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 24-02, requiring federal civilian executive branch agencies to mitigate risks from insecure network management interfaces. The directive mandates disabling or securing protocols such as Telnet, SNMPv1/v2c, and TFTP, enforcing multi-factor authentication on administrative interfaces, and documenting compensating controls for legacy systems that cannot meet baseline requirements.

Directive Scope and Applicability

BOD 24-02 applies to all federal civilian executive branch (FCEB) agencies and addresses a critical attack surface that adversaries routinely exploit:

  • Covered entities: All FCEB agencies need to comply with the directive's requirements within specified timelines.
  • Targeted systems: Network infrastructure devices including routers, switches, firewalls, load balancers, wireless controllers, and management platforms.
  • Internet exposure focus: Priority attention is given to devices with management interfaces accessible from the internet, though internal systems should also be hardened.
  • Contractor implications: Federal contractors operating network infrastructure on behalf of agencies may be affected through contract flow-down requirements.

Prohibited Protocols and Services

The directive identifies specific insecure protocols that must be disabled or replaced:

  • Telnet: Clear-text terminal access protocol that transmits credentials and commands without encryption, enabling interception through network monitoring.
  • SNMPv1/v2c: Legacy Simple Network Management Protocol versions using community strings rather than cryptographic authentication, vulnerable to spoofing and data exposure.
  • TFTP: Trivial File Transfer Protocol lacking authentication, commonly used for configuration and firmware distribution on network devices.
  • HTTP management: Unencrypted web-based administration interfaces that expose credentials and configuration data to network observers.
  • Clear-text syslog: Unencrypted logging protocols that may expose sensitive operational data during network transit.

Required Security Controls

BOD 24-02 mandates implementation of specific security controls for management interfaces:

  • Protocol encryption: Replace clear-text protocols with encrypted alternatives (SSH instead of Telnet, HTTPS instead of HTTP, SNMPv3 instead of v1/v2c).
  • Multi-factor authentication: Require MFA for all administrative access to network devices, including console management platforms and jump servers.
  • Strong passwords: Implement password complexity requirements and rotation policies for local device accounts where centralized authentication is unavailable.
  • Access restrictions: Limit management interface access to authorized networks, management VLANs, or bastion hosts.
  • Logging requirements: Enable authentication logging and administrative command auditing on all network devices.

Schedule and deadlines

The directive establishes specific deadlines for agency compliance:

  • 45-day requirement: Agencies must remove or secure insecure management protocols on internet-accessible devices within 45 days of directive issuance.
  • MFA setup: Multi-factor authentication must be implemented for all administrative access within specified timeframes based on system criticality.
  • Reporting deadlines: Agencies must submit completion reports to CISA documenting compliance status and any outstanding exceptions.
  • Waiver requests: Extensions or waivers for legacy systems require formal risk assessment documentation and remediation plans.

Legacy System Considerations

Organizations with legacy equipment that cannot meet baseline requirements must implement compensating controls:

  • Network isolation: Place legacy devices on isolated network segments with restricted access from other network zones.
  • Jump server access: Require all management access through hardened bastion hosts with MFA and full logging.
  • Enhanced monitoring: Implement additional detection and alerting for legacy device management traffic.
  • Upgrade planning: Document timelines for replacing legacy equipment that cannot be adequately secured.
  • Risk acceptance: Formalize risk acceptance decisions for systems where compensating controls are insufficient.

Control Framework Alignment

BOD 24-02 requirements align with established security frameworks and controls:

  • NIST SP 800-53 AC-17: Remote access controls requiring encrypted communications and multi-factor authentication.
  • NIST SP 800-53 SC-12: Cryptographic key establishment and management requirements for encrypted protocols.
  • NIST SP 800-53 IA-2: Identification and authentication requirements for privileged users.
  • CIS Controls: Secure configuration, account management, and audit logging controls.
  • Zero trust principles: Never trust, always verify approach to network management access.

Implementation Approach

Agencies should follow a structured approach to BOD 24-02 compliance:

  • Asset inventory: Identify all network infrastructure devices and their current management protocol configurations.
  • Exposure assessment: Determine which devices have management interfaces accessible from the internet or untrusted networks.
  • Protocol audit: Document current use of insecure protocols and identify replacement requirements.
  • Remediation planning: Develop prioritized remediation plans addressing highest-risk systems first.
  • Testing: Validate that protocol changes do not impact operational requirements before production deployment.
  • Documentation: Maintain evidence of compliance for CISA reporting and audit purposes.
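The protocol audit step above, and the Required Security Controls section before it, are easiest to operationalize as a check run over exported device configurations. The following is an added example (not CISA's tooling or any vendor's): a small auditor for Cisco IOS-style running-config text that flags the prohibited services (HTTP management, SNMPv1/v2c community strings, TFTP serving, clear-text syslog, Telnet on VTY lines) and two of the required controls (an access-class on VTY lines, centralized AAA rather than local-only login). The two configurations are constructed samples of a weak device and its hardened counterpart; the rule names, the treatment of a missing `transport input` as Telnet-capable, and the "no `tls` keyword means clear-text syslog" heuristic are assumptions of this example, not directive text.

```python
"""Audit a Cisco IOS-style running-config for the management-protocol
findings BOD 24-02 targets. Added example; both sample configs are
constructed for illustration and do not come from a real device."""
import re
from dataclasses import dataclass

# Constructed sample: a device that still exposes clear-text management.
WEAK_CONFIG = """\
hostname edge-rtr-1
ip http server
snmp-server community public RO
tftp-server flash:edge-rtr-1.bin
logging host 10.20.0.5
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed sample: the same device after remediation (placeholders in <>).
HARDENED_CONFIG = """\
hostname edge-rtr-1
no ip http server
ip http secure-server
no snmp-server community public
snmp-server group NETMON v3 priv
snmp-server user netmon NETMON v3 auth sha <AUTHPASS> priv aes 128 <PRIVPASS>
aaa new-model
aaa authentication login MGMT group tacacs+ local
ip access-list standard MGMT-ACL
 permit 10.99.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-ACL in
 transport input ssh
 login authentication MGMT
"""


@dataclass(frozen=True)
class Finding:
    rule: str       # short rule identifier (names are this example's own)
    evidence: str   # the config line or condition that triggered it


def _split_config(config: str):
    """Return top-level lines and the child lines of each 'line vty' block."""
    top, vty_blocks, current = [], [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):            # indented: belongs to the open block
            if current is not None:
                current.append(raw.strip())
            continue
        line = raw.strip()
        top.append(line)
        if line.startswith("line vty"):
            current = [line]
            vty_blocks.append(current)
        else:
            current = None                 # other indented blocks are ignored
    return top, vty_blocks


def audit_config(config: str) -> list[Finding]:
    """Return one Finding per prohibited service or missing control."""
    top, vty_blocks = _split_config(config)
    findings = []
    for line in top:
        if line.startswith("no "):         # explicit disables are fine
            continue
        if re.match(r"ip http server\b", line):
            findings.append(Finding("HTTP-MGMT", line))
        elif line.startswith("snmp-server community"):
            findings.append(Finding("SNMP-V1-V2C", line))
        elif line.startswith("tftp-server"):
            findings.append(Finding("TFTP", line))
        elif line.startswith("logging host") and "tls" not in line:
            # Assumption: without a TLS transport keyword syslog leaves in clear text.
            findings.append(Finding("SYSLOG-CLEARTEXT", line))
    if "aaa new-model" not in top:
        findings.append(Finding("LOCAL-AUTH-ONLY", "aaa new-model not configured"))
    for block in vty_blocks:
        header, body = block[0], block[1:]
        transport = next((b for b in body if b.startswith("transport input")), None)
        if transport is None:
            # Assumption: no explicit transport statement is treated as Telnet-capable.
            findings.append(Finding("TELNET", f"{header}: no explicit 'transport input'"))
        elif re.search(r"\b(telnet|all)\b", transport):
            findings.append(Finding("TELNET", f"{header}: {transport}"))
        if not any(b.startswith("access-class") for b in body):
            findings.append(Finding("NO-ACCESS-CLASS", f"{header}: no access-class restricting sources"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit_config(cfg))} finding(s)")
        for f in audit_config(cfg):
            print(f"  [{f.rule}] {f.evidence}")
```

Run against a directory of exported configs, the per-rule counts give the "protocol audit" evidence the directive's documentation step asks for, and re-running after remediation shows the hardened configuration producing no findings.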

Vendor and MSP Coordination

Effective implementation requires coordination with external parties:

  • Hardware vendors: Verify that network equipment supports required secure protocols and authentication methods.
  • Managed service providers: Coordinate with MSPs to ensure their management practices align with directive requirements.
  • Firmware updates: Identify devices requiring firmware upgrades to support SNMPv3, stronger encryption, or MFA integration.
  • Replacement planning: Work with vendors to identify upgrade paths for equipment that cannot meet requirements.

Monitoring and Detection

If you are affected, implement monitoring to detect policy violations and potential attacks:

  • Alert on use of prohibited protocols (Telnet, SNMPv1/v2c) from unauthorized sources
  • Monitor for management interface access from unexpected IP addresses
  • Detect authentication failures and potential brute-force attacks against device management
  • Track configuration changes to network devices for unauthorized modifications
  • Baseline normal administrative activity patterns to identify anomalies
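The monitoring points above can be expressed as detection rules over two common data sources: flow records (who connects to management ports) and device syslog (login failures and configuration changes). The block below is an added example written for this briefing, not CISA's or any vendor's detection content. It assumes an authorized management subnet of `10.99.0.0/24`, treats ports 23/69/80/161 as prohibited and 22/443 as the sanctioned management ports, and uses a five-failures-in-60-seconds threshold for brute-force alerting; the flow records and syslog lines are constructed samples in the Cisco IOS `%SEC_LOGIN-4-LOGIN_FAILED` and `%SYS-5-CONFIG_I` message shapes.

```python
"""Detection rules for the BOD 24-02 monitoring points, run over constructed
sample flow records and syslog lines. Added example, not CISA's content."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: administrative access is only permitted from this subnet.
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")
PROHIBITED_PORTS = {23: "telnet", 69: "tftp", 80: "http", 161: "snmp"}
MGMT_PORTS = {22: "ssh", 443: "https"}

# Constructed flow records: (timestamp, src, dst, dst_port)
FLOWS = [
    ("2024-06-01T09:00:01", "10.99.0.7", "10.1.0.1", 22),     # SSH from mgmt net: fine
    ("2024-06-01T09:00:05", "10.99.0.7", "10.1.0.1", 23),     # Telnet still answered
    ("2024-06-01T09:01:10", "192.0.2.44", "10.1.0.1", 161),   # SNMP poll, outside mgmt net
    ("2024-06-01T09:02:00", "203.0.113.9", "10.1.0.1", 443),  # web admin from the internet
]


def _fail(ts: str, src: str) -> str:
    """Build a constructed IOS-style login-failure syslog line."""
    return (f"Jun  1 {ts} edge-rtr-1: %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
            f"[user: admin] [Source: {src}] [localport: 22] [Reason: Login Authentication Failed]")


# Constructed syslog: a burst of failures from one external host, one stray
# failure from an admin, and two configuration-change events.
SYSLOG = [
    _fail("09:03:01", "203.0.113.9"), _fail("09:03:03", "203.0.113.9"),
    _fail("09:03:05", "203.0.113.9"), _fail("09:03:08", "203.0.113.9"),
    _fail("09:03:12", "203.0.113.9"), _fail("09:04:00", "10.99.0.7"),
    "Jun  1 09:05:00 edge-rtr-1: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.99.0.7)",
    "Jun  1 09:06:00 edge-rtr-1: %SYS-5-CONFIG_I: Configured from console by svc_backup on vty1 (192.0.2.44)",
]

FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ %SEC_LOGIN-4-LOGIN_FAILED: .*\[Source: ([\d.]+)\]")
CONFIG_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ %SYS-5-CONFIG_I: Configured from \S+ by (\S+) on (\S+) \(([\d.]+)\)")


def _ts(text: str) -> datetime:
    # Syslog carries no year; only relative ordering matters for windowing.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def flow_alerts(flows):
    """Prohibited-protocol use anywhere, and sanctioned-port access from outside MGMT_NET."""
    alerts = []
    for ts, src, dst, port in flows:
        in_mgmt = ipaddress.ip_address(src) in MGMT_NET
        if port in PROHIBITED_PORTS:
            where = "mgmt-net" if in_mgmt else "unauthorized source"
            alerts.append((ts, "PROHIBITED_PROTOCOL", f"{PROHIBITED_PORTS[port]} {src}->{dst} ({where})"))
        elif port in MGMT_PORTS and not in_mgmt:
            alerts.append((ts, "MGMT_ACCESS_UNEXPECTED_SOURCE", f"{MGMT_PORTS[port]} {src}->{dst}"))
    return alerts


def syslog_alerts(lines, threshold=5, window=timedelta(seconds=60)):
    """Brute-force bursts per source, and config changes from outside MGMT_NET."""
    alerts, failures = [], defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            failures[m.group(2)].append(_ts(m.group(1)))
            continue
        m = CONFIG_RE.match(line)
        if m and ipaddress.ip_address(m.group(4)) not in MGMT_NET:
            alerts.append(("CONFIG_CHANGE_UNEXPECTED_SOURCE",
                           f"user {m.group(2)} from {m.group(4)} on {m.group(3)}"))
    for src, times in failures.items():
        times.sort()
        for i in range(len(times)):          # sliding window over sorted timestamps
            if sum(1 for t in times[i:] if t - times[i] <= window) >= threshold:
                alerts.append(("BRUTE_FORCE",
                               f"{threshold}+ login failures from {src} within {window.seconds}s"))
                break
    return alerts


if __name__ == "__main__":
    for a in flow_alerts(FLOWS) + syslog_alerts(SYSLOG):
        print(a)
```

The flow rule fires on any prohibited port because the directive's baseline is that those services are disabled; the source tag only changes how urgently the alert is triaged. The single failure from the management subnet stays below threshold, which is the kind of baseline-versus-anomaly distinction the last bullet above asks for.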

Private Sector Relevance

While BOD 24-02 directly applies only to federal agencies, private sector organizations should consider similar hardening:

  • Insecure management protocols represent common attack vectors regardless of sector
  • Regulatory frameworks now require encrypted management access
  • Insurance carriers may evaluate network management security as part of underwriting
  • Supply chain security requirements may flow down from federal customers

Closing analysis

BOD 24-02 addresses a significant attack surface that adversaries have exploited in numerous compromises. The directive's requirements for eliminating insecure protocols, implementing multi-factor authentication, and hardening management interfaces represent security good practices applicable beyond federal environments. If you are affected, use this directive as an opportunity to comprehensively assess and improve your network infrastructure management security posture.
