The Cybersecurity and Infrastructure Security Agency has issued a binding operational directive mandating that agencies report vulnerability enumeration performance data to improve CISA’s operational visibility into federal networks.
The BOD 23-01, titled “Improving Asset Visibility and Vulnerability Detection on Federal Networks,” establishes baseline requirements for agencies to identify assets and vulnerabilities on their networks and submit reports to CISA at regular intervals, the agency said Monday.
Beginning on April 3, 2023, all federal agencies must perform automated asset discovery every seven days and report identified vulnerabilities on the assets every 14 days.
“Knowing what’s on your network is the first step for any organization to reduce risk. While this Directive applies to federal civilian agencies, we urge all organizations to adopt the guidance in this directive to gain a complete understanding of vulnerabilities that may exist on their networks,” Easterly added.