CISA Binding Operational Directive (BOD) 23-01

What is CISA Binding Operational Directive 23-01?

Binding Operational Directive (BOD) 23-01 was issued in October 2022 by the Cybersecurity and Infrastructure Security Agency in the United States Department of Homeland Security. The purpose of BOD 23-01 is to “make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities.” It focuses on two primary objectives: asset discovery and vulnerability enumeration.

Who is the intended audience?

This Directive applies to all Federal Civilian Executive Branch (FCEB) departments and agencies of the United States government and any FCEB unclassified federal information systems.

Where can I find more information?

The following resources are available on the Cybersecurity and Infrastructure Security Agency website:

How can runZero help me with these controls?

BOD 23-01 requires FCEB departments and agencies to perform automated asset discovery every 7 days. This applies to all IP-addressable assets across both IT and OT networks and includes on-premise and cloud-based assets. runZero can continually discover assets across IT and OT networks using unauthenticated active scanning technology. runZero is especially suited for scanning critical IoT and OT systems due to the fact that it only uses RFC standard traffic (i.e. no malformed packets) and does not attempt to exploit vulnerabilities. The scan rate is also configurable for low bandwidth networks and legacy devices. runZero also integrates with Amazon Web Services, Google Cloud Platform, and Microsoft Azure to ingest compute instances, load balancers, and other cloud-based assets to provide a comprehensive view into all assets that fall within the scope of BOD 23-01.

Additionally, BOD 23-01 calls for FCEB departments and agencies to initiate vulnerability enumeration across all discovered assets every 14 days. runZero integrates with vulnerability management platforms to ingest vulnerability data for every asset, providing a single view into all discovered assets and associated vulnerabilities. runZero can also help organization with findings gaps in their vulnerability scanning, such as easily identifying assets that have not been scanned for vulnerabilities within the last 14 days.

Related runZero Resources