Understanding the DHS Binding Operational Directive 23-01
The Department of Homeland Security (DHS) requires all federal agencies to take specific steps to
improve asset visibility and vulnerability detection capabilities. Agencies have six months to comply
10 October 2022
Ed Cartier

Understanding the DHS Binding Operational Directive 23-01

Introduction

On October 2, 2022 The Cybersecurity and Infrastructure Security Agency (CISA) published Binding Operational Directive 23-01 requiring all federal agencies to take the specific steps to improve their asset visibility and vulnerability detection capabilities. Agencies have six months to comply.

Compliance

To be in compliance with BOD 23-01 Federal agencies must identify network addressable IP-assets in their environments, along with the associated IP addresses (hosts), as well as to discover and report suspected vulnerabilities on those assets, including misconfigurations, outdated software, and missing patches.

CISA notes that "Discovery of assets and vulnerabilities can be achieved through a variety of means, including active scanning, passive flow monitoring, querying logs, or in the case of software defined infrastructure, API query. Many agencies' existing Continuous Diagnostics and Mitigation (CDM) implementations leverage such means to make progress toward intended levels of visibility."

However, these methods may not identify all assets on the network, devices not owned by the agency but in use by employees, obsolete or unsupported software and hardware and devices purchased by the agency but which are not in use or missing. The approaches mentioned by CISA may also be time consuming and divert personnel from key operations. In short, an accurate and comprehensive inventory and analysis of the entire IT infrastructure requires a robust IT asset management (ITAM) solution.

Possible Solutions

xAssets provides a solution that was first approved for SIPRNET and NIPRNET in 2018, it requires no endpoint agents, and it can be deployed on-site or in the cloud. The xAssets software scans the entire network, identifies all devices on the network, all installed software and can identify patched and unpatched endpoints. It can also identify standard and non-standard configurations and through comparative analysis, discovered devices not purchased by the agency and purchased assets not in use. The system can be customized to fit an agencies' specific needs and can be fully operational in days, not months. Actionable information is available shortly after installation.

xAssets software can be acquired for short term (6 month) engagements, on an annual license or installed on-premises for a fixed fee with subsequent annual maintenance fees. Agencies can purchase it through their LAR, contractor or directly from xAssets.

Fighter Plane Image

Read more

Security in xAssets Solutions
Best Practices in IT Asset Management
Best Practices in Software Asset Management
Best Practices in Fixed Asset Management
© xAssets 2022 All rights reserved.