How Palo Alto Networks Cortex Helps Federal Agencies Comply with CISA’s Binding Operational Directive 23-01

In October 2022, the U.S. Department of Homeland Security (DHS), along with the Cybersecurity & Infrastructure Security Agency (CISA), issued Binding Operational Directive 23-01 (BOD 23-01), which instructs Federal agencies to “make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities.”

BOD 23-01 supports and enhances other recent cybersecurity directives, including Executive Order 14028 on Improving the Nation’s Cybersecurity and BOD 22-01, which introduced a list of Known Exploited Vulnerabilities (KEVs) that threat actors have exploited. In another blog post, we have previously highlighted how Cortex Xpanse can identify CISA-identified Known Exploited Vulnerabilities.

What is BOD 23-01?

BOD 23-01 requires agencies to enhance asset discovery and vulnerability enumeration capabilities to secure their public-facing internet assets. This involves continuously and comprehensively discovering an organization’s known and unknown internet-connected assets to eliminate gaps in their security posture. Xpanse can help Federal agencies vastly scale their ability to perform these critical cybersecurity functions.

Federal cybersecurity leaders must be able to answer three critical questions in the event of an emerging threat, zero-day event, or vulnerability management initiative:

  1. Do I own the affected systems or assets?
  2. Are they vulnerable to the exploit(s)?
  3. Have they been compromised?

Palo Alto Networks Cortex capabilities, including Xpanse and Cortex XSOAR, leverage analytics, AI, and automation to discover and inventory an agency’s entire attack surface, identify potential misconfigurations and vulnerabilities, and stitch together internal and external data to drive rapid situational understanding and remediation action.

Xpanse and Cortex XSOAR help Federal agencies address Required Actions, Reporting Requirements, and Metrics laid out in BOD 23-01

Xpanse can help Federal Civilian Executive Branch (FCEB) agencies rapidly comply with many of the new requirements put in place by BOD 23-01:

  • Perform automated asset discovery every seven days. While many methods and technologies can be used to accomplish this task, at minimum, this discovery must cover the entire IPv4 space used by the agency.

The Xpanse Attack Surface Management platform performs automated asset discovery across the global internet on a sub-daily basis and refreshes scan observations in the platform every 24 hours. Some cloud assets move rapidly between multiple IP addresses, making it difficult to track their movement across the internet with a less regular discovery cadence. Xpanse ensures that your attack surface data is always up-to-date.

  • Initiate vulnerability enumeration across all discovered assets, including all discovered nomadic/roaming devices (e.g., laptops), every 14 days.

Xpanse automatically surfaces more than 500 unique issues and inferred vulnerabilities across your attack surface and prioritizes those risks based on industry best practices. The Xpanse Cyber Research Engineering team can enumerate additional vulnerabilities through customized out-of-product techniques and may test for vulnerability status with legal approval from a duly authorized agency official.

Cortex XSOAR can ingest Xpanse observations and initiate scanning playbooks that integrate with internal tools and datasets, such as your organization’s vulnerability management scanner (e.g., Tenable Nessus, Rapid7 InsightVM, etc.).

  • Initiate automated ingestion of vulnerability enumeration results (i.e., detected vulnerabilities) into the CDM Agency Dashboard within 72 hours of discovery completion (or initiation of a new discovery cycle if previous full discovery has not been completed).

All Expander data, including issue and inferred vulnerability data, is available via API and can be connected to a wide variety of tools and services via out-of-the-box integrations. Palo Alto Networks also offers professional services support to build custom integrations for products that do not have a pre-built integration.

  • Develop and maintain the operational capability to initiate on-demand asset discovery and vulnerability enumeration to identify specific assets or subsets of vulnerabilities within 72 hours of receiving a request from CISA and provide the available results to CISA within seven days of request.

In addition to Xpanse’s sub-daily scanning cadence, our Cyber Research Engineering team can perform ad hoc, on-demand scanning of customer assets. These scans are highly configurable to discover and identify specific services, devices, and associated vulnerabilities. Results are typically available within hours of the request.
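The three windows in the requirements above (discovery at least every seven days, enumeration at least every 14 days, CDM ingestion within 72 hours of a completed cycle) are simple to state but easy to drift past unnoticed. As an added example that is not part of the original post or of any Palo Alto Networks product, the checker below audits a constructed log of scan-cycle timestamps against those windows; the data shape and function names are assumptions for illustration.

```python
from datetime import datetime, timedelta

# BOD 23-01 cadences as stated in the requirements above.
DISCOVERY_MAX_GAP = timedelta(days=7)
ENUMERATION_MAX_GAP = timedelta(days=14)
INGESTION_MAX_DELAY = timedelta(hours=72)


def _parse(ts):
    return datetime.fromisoformat(ts)


def max_gap(timestamps):
    """Largest interval between consecutive runs; None if fewer than two runs."""
    runs = sorted(_parse(t) for t in timestamps)
    if len(runs) < 2:
        return None
    return max(later - earlier for earlier, later in zip(runs, runs[1:]))


def check_cadence(timestamps, limit):
    """Return (ok, worst_gap). A single run cannot demonstrate a cadence, so it fails."""
    gap = max_gap(timestamps)
    return (gap is not None and gap <= limit), gap


def check_ingestion(cycles):
    """cycles: dicts with 'completed' and 'ingested' ISO timestamps (constructed shape).
    Returns indexes of cycles whose CDM ingestion exceeded 72 hours; a cycle that
    was never ingested also counts as a violation."""
    late = []
    for i, cycle in enumerate(cycles):
        if cycle.get("ingested") is None:
            late.append(i)
        elif _parse(cycle["ingested"]) - _parse(cycle["completed"]) > INGESTION_MAX_DELAY:
            late.append(i)
    return late


def audit(discovery_runs, enumeration_runs, ingestion_cycles):
    """Summarise all three BOD 23-01 checks; 'compliant' is true only if all pass."""
    disc_ok, disc_gap = check_cadence(discovery_runs, DISCOVERY_MAX_GAP)
    enum_ok, enum_gap = check_cadence(enumeration_runs, ENUMERATION_MAX_GAP)
    late = check_ingestion(ingestion_cycles)
    return {
        "discovery_ok": disc_ok,
        "discovery_worst_gap_days": disc_gap.days if disc_gap is not None else None,
        "enumeration_ok": enum_ok,
        "enumeration_worst_gap_days": enum_gap.days if enum_gap is not None else None,
        "late_ingestions": late,
        "compliant": disc_ok and enum_ok and not late,
    }


# Constructed sample log: one 9-day discovery gap and one 96-hour ingestion delay.
DISCOVERY = ["2023-01-01T00:00:00", "2023-01-07T00:00:00", "2023-01-16T00:00:00"]
ENUMERATION = ["2023-01-01T00:00:00", "2023-01-14T00:00:00", "2023-01-28T00:00:00"]
INGESTION = [
    {"completed": "2023-01-01T06:00:00", "ingested": "2023-01-02T06:00:00"},
    {"completed": "2023-01-14T06:00:00", "ingested": "2023-01-18T06:00:00"},
]

if __name__ == "__main__":
    print(audit(DISCOVERY, ENUMERATION, INGESTION))
```

Feeding the checker real cycle timestamps from a scanner's job history turns the directive's metrics into a daily pass/fail signal rather than a quarterly surprise.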

The Xpanse ASM Platform is the foundation of asset visibility and vulnerability detection on Federal networks

Xpanse’s global asset discovery, identification, and attribution capabilities can enhance FCEB agencies’ existing tools and processes to continuously monitor the USG’s Federal Civilian digital attack surface. The Expander platform also creates a common operating picture for both users and integrated tools, serving as the single source of truth for the full universe of publicly accessible assets and helping to better target internal scanners and vulnerability management programs.

Xpanse creates a complete system of record of all of an agency’s internet-facing assets, detects potential vulnerabilities for immediate remediation, assesses internet asset compliance with CISA directives (such as BODs 18-01 and 22-01) and internet communication policies, and provides real-time, ongoing tracking and awareness with centralized reporting.

Leveraging XSOAR, agencies can automate the vulnerability management and reporting process by searching for vulnerable assets, correlating threat intelligence, identifying the asset owner, and verifying compliance using the agency’s VM scanning platform. Results can be reported in near-real-time via dashboards and other reporting.

As the foundation of a holistic cybersecurity ecosystem, Xpanse and XSOAR can rapidly improve agencies’ asset inventory and vulnerability enumeration capabilities and bring them into compliance with CISA’s new BOD 23-01.

To learn more about how Xpanse can help you address BOD 23-01, watch our product tour here.