The Cybersecurity and Infrastructure Security Agency (CISA) issued a binding operational directive today that requires Federal civilian agencies to take action to protect network management interfaces from the public-facing internet.
The Binding Operational Directive (BOD) 23-02, Mitigating the Risk from Internet-Exposed Management Interfaces issued by CISA today “requires Federal civilian agencies to remove specific networked management interfaces from the public-facing internet or implement Zero Trust Architecture capabilities that enforce access control to the interface within 14 days of discovery,” the agency said.
CISA said the directive “establishes core security actions to reduce cyber risk to the Federal Civilian Enterprise.”
The directive was issued in light of “recent threat campaigns” that “underscore the grave risk to the Federal enterprise posed by improperly configured network devices,” the agency said.
“As part of CISA and the broad U.S. government’s effort to move the Federal civilian enterprise to a more defensible posture, this Directive will further reduce the attack surface of the Federal government networks,” CISA said.
“Too often, threat actors are able to use network devices to gain unrestricted access to organizational networks, in turn leading to full-scale compromise,” commented CISA Director Jen Easterly in an agency press release. “Requiring appropriate controls and mitigations outlined in this Directive is an important step in reducing risk to the Federal civilian enterprise.”
Easterly urged other organizations to heed the same directive. “While this Directive only applies to Federal civilian agencies, as the threat extends to every sector, we urge all organizations to adopt this guidance,” the CISA director said. “When it comes to reducing cyber risk and ensuring resilience, we all have a role to play.”
CISA explained that the binding operational directive “is a compulsory direction to Federal, executive branch, departments and agencies for purposes of safeguarding Federal information and information systems.” The directive does not apply to some “national security systems” or to some systems operated by the Defense Department.
In the directive, CISA defined “networked management interface” as “a dedicated device interface that is accessible over network protocols and is meant exclusively for authorized users to perform administrative activities on a device, a group of devices, or the network itself..”
The agency said the directive’s requirement applies only to devices meeting both of the following criteria:
“Devices residing on or supporting Federal information systems and/or networks that belong to one of the following classes: routers, switches, firewalls, VPN concentrators, proxies, load balancers, and out of band server management interfaces (such as iLo and iDRAC)”; and
“Devices for which the management interfaces are using network protocols for remote management over public internet, including, but not limited to: Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS), File Transfer Protocol (FTP), Simple Network Management Protocol (SNMP), Teletype Network (Telnet), Trivial File Transfer Protocol (TFTP), Remote Desktop Protocol (RDP), Remote Login (rlogin), Remote Shell (RSH), Secure Shell (SSH), Server Message Block (SMB), Virtual Network Computing (VNC), and X11 (X Window System).”
CISA said the directive does not apply to “web applications and interfaces used for managing Cloud Service Provider (CSP) offerings including but not limited to, Application Programming Interfaces (APIs) or management portals.”
The agency said it will be keeping its eye on agency compliance. “As Federal civilian agencies implement this mandate, CISA will monitor and support agency adherence and provide additional resources as required,” the agency said. “CISA is committed to using its cybersecurity authorities to gain greater visibility and drive timely risk reduction across Federal civilian agencies.”
