Asset Visibility is Key in Addressing CISA’s BOD 23-01
Tanium can help federal agencies respond to Binding Operational Directives quickly
On October 3, 2022, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released a new Binding Operational Directive (BOD 23-01). It requires U.S. federal civilian agencies to do automated scans of their networks at least every 7 days for unknown assets, and at least every 14 days for vulnerability scans against all detected devices. In addition, the directive requires agencies to send this data to CISA’s Continuous Diagnostics and Mitigation (CDM) program dashboard within 72 hours of completion.
What are Binding Operational Directives?
Binding Operational Directives (BODs) that secure U.S. civilian agencies are released frequently to keep up with the rapid pace of new cyber threats. BODs provide CISA with a mechanism to both release new guidance based on the latest threats and reduce the federal government’s attack surface as quickly as possible. Some BODs also include aggressive turnaround times for discovering and patching vulnerabilities. That’s the case with BOD 23-01 and its CDM dashboard requirement.
Such quick responses can be difficult for federal agencies to achieve. Many rely on legacy software and hardware, and their operations are often siloed.
A new area of focus is asset visibility. It’s important given both the increased cyber risk the government faces and the new emphasis on reducing IT complexity. Asset visibility is also the topic of BOD 23-01.
What is asset visibility, anyway?
Asset visibility, in this context, refers to the ability of an IT or security team to discover the physical devices connected to a network. These devices can include servers, workstations, phones, laptops and more. Also included in the general definition of assets are virtual machines, containers, switches and firewall appliances. Basically, if an asset is connected to the network, it should also be visible.
However, getting full visibility into all these assets is notoriously difficult, especially when an agency is using the fewest tools possible and aiming for the highest possible accuracy and speed. Many legacy tools can scan for only certain operating systems, while others can find only managed devices (that is, devices that have an agent for a given tool installed). Still, others can find only assets on VPN-connected networks, missing the growing population of remote devices.
These challenges can lead to IT complexity by proliferating point tools aimed at reducing an organization’s attack surface. Very few platforms can address the combined challenges with speed and accuracy.
This is where Tanium can help. Tanium was built for the world’s most demanding environments. It’s now used by many U.S. government agencies to help solve the exact challenge outlined by BOD 23-01. Thanks to Tanium’s single platform and single agent, U.S. agencies can easily address BOD 23-01’s requirements by using Tanium to take the following actions:
- See, control and remediate managed assets
- See and report on unmanaged assets; bring Windows, Mac or Linux endpoints under management; and then remediate any issues found
- Push the required data to the CDM dashboard
Unlike Tanium, the legacy tools commonly used for these types of scans take too long to return their data. What’s more, that data is subsequently out-of-date and incomplete. And it typically includes only managed assets.
With Tanium, federal agencies can instead scan their entire environment and return results in minutes or seconds, not days or weeks. They can then push that data to the CDM dashboard with ease.
What’s the impact of a lack of visibility?
Unmanaged devices present a serious risk to the security and stability of federal networks. Identifying what’s on these devices can be a daunting challenge, one that’s difficult to solve without excessive cost or performance impact. BOD 23-01 goes beyond basic device visibility by requiring federal civilian executive branch (FCEB) agencies to identify vulnerabilities on both managed and unmanaged devices.
Knowing what’s on the network is step one, and here, Tanium can help. Many federal agencies already use Tanium for this exact use case. They know Tanium is a trusted and reliable solution that not only meets CISA’s requirements for visibility and vulnerability management, but also exceeds them.
Once Tanium has given an agency visibility into its networks, step two involves scanning those devices to determine whether vulnerabilities exist. Tanium can do these scans using a client-based method that is much faster and more accurate than other tools, yet with less impact on the network and endpoints. Unmanaged devices can also be scanned remotely with Tanium, using either credentialed or unauthenticated scan methods.
What about pushing data to the CDM dashboard?
Several federal agencies already use Tanium to send timely and accurate data to the CDM dashboard. Tanium Connect is data-agnostic and can send data and reports on whatever schedule is required, always keeping the dashboard up-to-date.
What else is possible with Tanium?
In addition to finding devices and scanning them for vulnerabilities, Tanium provides solutions for tracking and remediating those devices.
Tanium’s additional capabilities can help agencies:
- Get detailed visibility and reporting of hardware and software assets
- Track and visualize progress with graphs and charts
- Simplify the process of keeping Windows, Mac and Linux operating systems up-to-date
- Easily install, remove and update software quickly and efficiently, regardless of the network’s complexity
If you’re an existing Tanium customer and you want more information on how Tanium can help you address BOD 23-01, please see our Community article here.
To find out more about Tanium’s capabilities, see how Tanium helped U.S. Federal agencies address CISA’s BOD 22-01 earlier this year. Or, learn about our no-cost, no-obligation risk assessment here.
See Tanium’s solutions for responding quickly and comprehensively to things like BOD 22-01, released earlier this year, and whatever comes in the future.