10 October 2022
Understanding the DHS Binding Operational Directive 23-01
On October 2, 2022 The Cybersecurity and Infrastructure Security Agency (CISA) published
Binding Operational Directive 23-01
requiring all federal agencies to take the specific steps to improve their asset visibility and vulnerability detection capabilities. Agencies have six months to comply.
To be in compliance with BOD 23-01 Federal agencies must identify network addressable IP-assets in their environments,
along with the associated IP addresses (hosts), as well as to discover and report suspected vulnerabilities on those assets,
including misconfigurations, outdated software, and missing patches.
CISA notes that "Discovery of assets and vulnerabilities can be achieved through a variety of means, including active scanning, passive flow monitoring,
querying logs, or in the case of software defined infrastructure, API query. Many agencies' existing Continuous Diagnostics and Mitigation (CDM)
implementations leverage such means to make progress toward intended levels of visibility."
However, these methods may not identify all assets on the network, devices not owned by the agency but in use by employees, obsolete or unsupported software and hardware and devices purchased by the agency but which are not in use or missing. The approaches mentioned by CISA may also be time consuming and divert personnel from key operations. In short, an accurate and comprehensive inventory and analysis of the entire IT infrastructure requires a robust IT asset management (ITAM) solution.
xAssets provides a solution that was first approved for SIPRNET and NIPRNET in 2018, it requires no endpoint agents, and it can be
deployed on-site or in the cloud. The xAssets software scans the entire network,
identifies all devices on the network, all installed software and can identify patched and unpatched endpoints.
It can also identify standard and non-standard configurations and through comparative analysis, discovered devices not purchased
by the agency and purchased assets not in use.
The system can be customized to fit an agencies' specific needs and can be fully operational in days,
not months. Actionable information is available shortly after installation.
xAssets software can be acquired for short term (6 month) engagements, on an annual license or installed on-premises for a fixed fee
with subsequent annual maintenance fees. Agencies can purchase it through their LAR, contractor or directly from xAssets.