CISA (Cybersecurity and Infrastructure Security Agency) recently released Binding Operational Directive 23-01, Improving Asset Visibility and Vulnerability Detection on Federal Networks. This directive establishes compulsory baseline requirements for Federal Civilian Executive Branch (FCEB) agencies to identify assets and vulnerabilities on their networks and provide data to CISA at defined intervals. You can find the directive here, and I encourage you to read the full text as it’s very approachable.
What’s New in This Directive? (Teaser: Operational Technology!)
For starters, this is a compulsory direction to FCEB agencies with a deadline: April 3, 2023. This mandate is the next step in CISA’s effort to gain visibility into the risks facing federal networks, risks brought into everyday conversation with the SolarWinds breach in 2020. The wording also points to CISA’s seriousness: while it says the goal is to achieve outcomes without prescribing how to do so, it does clearly list four required actions.
For me, the most interesting aspect of this is its scope: all IP-addressable network assets. This includes operational technology (OT) assets as well as enterprise IT assets. All too often, policies and guidance are written for or tailored to the enterprise IT environment, and the OT networks that abound federal agencies (SCADA, building management, physical security – see my earlier blog on this topic) and constitute critical infrastructure are overlooked. In this directive, CISA has elevated OT networks to the same level of importance as IT networks.
How Cisco Can Help
Cisco can be a trusted partner to FCEB agencies as they work to comply with this directive, both in the IT and OT environments. As the IT environment is familiar to most, I’m going to focus explicitly on the operational side of these agencies and point you to Cisco Cyber Vision, a lightweight, easy-to-use software solution specifically built to bring visibility into OT networks. Cyber Vision serves as the foundational tool as agencies embark on establishing a Zero Trust architecture in their OT environments and enable alignment and/or convergence of their IT and OT environments.
We offer a free evaluation of the production version of Cyber Vision and are happy to help you decide whether it’s the right tool for your agency. Email me or your Cisco representative to learn more and schedule a 1:1 demo.