CISA Issues Binding Operational Directive 24-02 — May 16, 2024
Federal civilian agencies must disable insecure network management protocols and harden remote administration interfaces under CISA’s latest binding directive.
Executive briefing: The Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 24-02, requiring federal civilian agencies to mitigate risks from insecure network management interfaces. The directive mandates disabling or securing protocols such as Telnet, SNMPv1/v2c, and TFTP, enforcing MFA on administrative interfaces, and documenting compensating controls for legacy systems.
Directive highlights
- Protocol hardening. Agencies must remove or secure plaintext management protocols on internet-accessible devices within 45 days.
- Authentication controls. Require MFA and strong passwords for all remote administrative access, including console management platforms.
- Reporting obligations. Agencies must submit completion reports to CISA and justify any waivers or extensions.
Control alignment guidance
- NIST SP 800-53 AC-17/SC-12. Align remote access and cryptographic requirements with the directive’s expectations for encrypted management traffic.
- CISA KEV management. Integrate directive tasks with Known Exploited Vulnerabilities remediation tracking to prevent regression.
- Configuration baselines. Update network device hardening guides to eliminate legacy protocols and document compensating controls.
Operational recommendations
- Conduct automated scans to identify exposed management interfaces and validate remediation progress across hybrid environments.
- Coordinate with vendors and managed service providers to replace unsupported hardware or firmware that cannot disable insecure protocols.
- Document waiver requests with risk assessments and remediation plans for submission to CISA if legacy dependencies remain.
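As an added example (not part of the directive or of this briefing), the following Python audit checks a device configuration for the three protocol classes the directive names, which is the kind of automated remediation check the recommendations above call for. The Cisco-IOS-style config syntax, hostnames and community strings are constructed for illustration; the MFA requirement is out of scope because it cannot be read from a device config.

```python
import re

# Constructed sample of an IOS-style running config (assumed syntax, not a real device).
LEGACY_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
snmp-server community s3cret RW
tftp-server flash:c2900-universalk9.bin
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

# The same device after remediation: SNMPv3 only, no TFTP server, SSH-only vty lines.
HARDENED_CONFIG = """\
hostname edge-rtr-01
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha ***** priv aes 128 *****
line vty 0 4
 transport input ssh
"""

# Line-oriented rules: (protocol class from the directive, pattern, finding template).
# 'snmp-server community' only ever configures v1/v2c community strings on this platform.
RULES = [
    ("SNMPv1/v2c", re.compile(r"^snmp-server community\s+(\S+)", re.M), "SNMP v1/v2c community string configured: {0}"),
    ("TFTP", re.compile(r"^tftp-server\s+(\S+)", re.M), "TFTP server enabled for {0}"),
]

def audit_config(config: str) -> list[dict]:
    """Return one finding per insecure management protocol present in the config."""
    findings = [{"protocol": proto, "detail": msg.format(m.group(1))}
                for proto, pattern, msg in RULES for m in pattern.finditer(config)]
    block = None  # the 'line vty ...' section the indented lines below it belong to
    for raw in config.splitlines():
        if not raw.startswith(" "):
            block = raw.strip() if raw.startswith("line vty") else None
            continue
        if block and raw.strip().startswith("transport input"):
            methods = raw.split()[2:]  # e.g. ['telnet', 'ssh'] or ['all']
            if "telnet" in methods or "all" in methods:
                findings.append({"protocol": "Telnet", "detail": f"{block} accepts telnet ({' '.join(methods)})"})
    return findings

def is_compliant(config: str) -> bool:
    """True when no Telnet, SNMPv1/v2c or TFTP management protocol is configured."""
    return not audit_config(config)

if __name__ == "__main__":
    for f in audit_config(LEGACY_CONFIG):
        print(f"[{f['protocol']}] {f['detail']}")
    print("hardened config compliant:", is_compliant(HARDENED_CONFIG))
```

Running the audit over a device's exported running config on a schedule gives a regression check for the directive's protocol-hardening item; a finding of any class should block the device from being reported as remediated.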