How to Meet the April 3, 2023 CISA BOD 23-01 Requirements

Steps and solutions to improve operational visibility on federal networks

What is BOD 23-01?

Enhance visibility into agency assets and associated vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) issued a Binding Operational Directive (BOD) on October 3, 2022 that requires all Federal Civilian Executive Branch (FCEB) agencies to improve asset visibility and vulnerability detection on federal networks. This directive is an extension of the President’s Executive Order on Cybersecurity (14028). All FCEB agencies must take action and report to CISA by April 3, 2023.

What Actions Must All FCEB Agencies Take to Meet BOD 23-01 Requirements?

By April 3, 2023, all FCEB agencies must deploy an updated CDM Dashboard configuration that enables access to object-level vulnerability enumeration data for CISA analysts. Agencies must demonstrate their ability to:

Perform automated asset discovery of all IP-addressable assets every 7 days

Initiate vulnerability enumeration every 14 days using privileged credentials

Upload vulnerability results into the Continuous Diagnostics and Mitigation (CDM) Agency Dashboard within 72 hours

Initiate asset discovery and vulnerability enumeration on demand as required within 72 hours

How Merlin Can Help

Fast-track your compliance with BOD 23-01

Asset discovery

Applies to all IP-addressable network assets that can be reached over IPv4 and IPv6 protocols

Scope includes servers and workstations, virtual machines, routers and switches, firewalls, network appliances, and network printers whether in on-premises, roaming, or cloud-operated deployment models

Scope excludes ephemeral assets and third-party managed SaaS solutions

Vulnerability enumeration

Vulnerability enumeration performed on managed endpoints and managed network devices must be conducted with privileged credentials (either network-based credentialed scans or client/agent-based)

Vulnerability detection signatures used must be updated within 24 hours of the last vendor-released signature update

The same type of vulnerability enumeration must be performed on mobile and other devices that reside outside of agency on-premises networks

Any alternative asset discovery and vulnerability enumeration methods must be approved by CISA

Vulnerability reporting

Initiate collection and reporting of vulnerability performance data to the CDM Dashboard

Reporting includes data points or measurements that use automation and machine-level data such as logs/events indicating successful credentialed enumeration completion, date/timestamps of enumeration activities, and signature/plug-in update date/timestamps, etc.

Contact us 

Connect with one of our team members to learn more about how Merlin can help your agency meet BOD 23-01