What is BOD 23-01?
Enhance visibility into agency assets and associated vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) issued a Binding Operational Directive (BOD) on October 3, 2022 that requires all Federal Civilian Executive Branch (FCEB) agencies to improve asset visibility and vulnerability detection on federal networks. This directive is an extension of the President’s Executive Order on Cybersecurity (14028). All FCEB agencies must take action and report to CISA by April 3, 2023.
What Actions Must All FCEB Agencies Take to Meet BOD 23-01 Requirements?
By April 3, 2023, all FCEB agencies must deploy an updated CDM Dashboard configuration that enables access to object-level vulnerability enumeration data for CISA analysts. Agencies must demonstrate their ability to:
Perform automated asset discovery of all IP-addressable assets every 7 days
Initiate vulnerability enumeration every 14 days using privileged credentials
Upload vulnerability results into the Continuous Diagnostics and Mitigation (CDM) Agency Dashboard within 72 hours
Initiate asset discovery and vulnerability enumeration on demand, as required, within 72 hours
How Merlin Can Help
Fast-track your compliance with BOD 23-01
Asset discovery
Applies to all IP-addressable network assets that can be reached over IPv4 and IPv6 protocols
Scope includes servers and workstations, virtual machines, routers and switches, firewalls, network appliances, and network printers whether in on-premises, roaming, or cloud-operated deployment models
Scope excludes ephemeral assets and third-party managed SaaS solutions
Solutions that can help:
Forescout Resources
RedSeal Resources
Aqua Resources
Palo Alto Networks Resources
Vulnerability enumeration
Vulnerability enumeration performed on managed endpoints and managed network devices must be conducted with privileged credentials (either network-based credentialed scans or client/agent-based)
Vulnerability detection signatures used must be updated within 24 hours of the last vendor-released signature update
The same type of vulnerability enumeration must be performed on mobile and other devices that reside outside of agency on-premises networks
Any alternative asset discovery and vulnerability enumeration methods must be approved by CISA
Solutions that can help:
CyberArk Resources
- CyberArk and Forescout eyeExtend Datasheet – Expand Visibility Into Privileged Accounts
- CyberArk and Forescout Video – Security is a Team Game
- CyberArk and Rapid7 Integration Datasheet – Enable Conditional Access of Assets
- CyberArk Application Access Manager and Rapid7 InsightVM Integration Datasheet – Enable In-Depth Scanning
- CyberArk and Rapid7 Video
- CyberArk and Phosphorus Integration Capabilities Video
Titania Resources
Zimperium Resources
CrowdStrike Resources
Vulnerability reporting
Initiate collection and reporting of vulnerability performance data to the CDM Dashboard
Vulnerability reporting includes data points or measurements that use automation and machine-level data, such as logs/events indicating successful credentialed enumeration completion, date/timestamps of enumeration activities, and signature/plug-in update date/timestamps.
Solutions that can help: