The Cybersecurity and Infrastructure Security Agency’s (CISA) binding operational directive (BOD) issued this week is a “step in the right direction,” according to industry leaders, who are eager to see its effectiveness in protecting network management interfaces from the public-facing internet.
Binding Operational Directive (BOD) 23-02, Mitigating the Risk from Internet-Exposed Management Interfaces, issued by CISA on June 13, “requires Federal civilian agencies to remove specific networked management interfaces from the public-facing internet or implement Zero Trust Architecture capabilities that enforce access control to the interface within 14 days of discovery,” the agency said.
CISA said the directive “establishes core security actions to reduce cyber risk to the Federal Civilian Enterprise.”
The directive was issued in light of recent threat campaigns that “underscore the grave risk to the Federal enterprise posed by improperly configured network devices,” the agency said.
While there is much more to be done to address today’s ever-increasing cyber threats, industry leaders agree that the directive is a positive step forward.
“Reducing the attack surface is fundamental to secure environments,” said Matt McFadden, vice president for cyber at General Dynamics Information Technology (GDIT). “CISA’s directive aims to address the increasing threat posed by network devices with insecure or misconfigured management interfaces and mitigate the adversary’s ability to perform unauthorized administrative activities.”
“Agencies should continue to monitor devices connected directly to the public-facing internet,” he added. “This directive is another good step towards implementation of zero trust.”
Stephen Kovac, vice president and chief compliance officer at Zscaler, said the directive “clearly demonstrates the urgency and criticality for Federal civilian agencies to adopt zero trust architectures right now.”
Kovac pointed to recent research from Zscaler, which found that the dangers posed by threat actors are continuously evolving – 44 percent of cybersecurity professionals surveyed saw an increase in exploits targeting their business VPNs over the previous year.
“While removing networked management interfaces from the internet will initially reduce the attack surface, the only true solution is zero trust, as CISA and the National Cybersecurity Strategy advocate,” Kovac said.
“As CISA Director Jen Easterly stated, ‘When it comes to reducing cyber risk and ensuring resilience, we all have a role to play.’ Zscaler secures 12 of 15 cabinet-level agencies, as well as hundreds of other agencies, along with state and local governments,” Kovac continued. “Federal civilian agencies under the directive and the government at large do not need to face this challenge alone. With CISA’s guidance and lessons learned from public and private industry, we can all work together to advance our cyber posture and protect our nation from adversaries.”
On the other hand, Gary Barlet, Federal Field CTO at Illumio, said that while CISA’s directive could go a long way in addressing cyber threats, “it lacks teeth.”
“CISA’s Binding Operational Directive is a step in the right direction to address current – and future – threats,” Barlet said. “Requiring agencies to remove specific network management interfaces from the public-facing internet or implement zero trust technologies that enforce access control to key systems forces federal civilian agencies to act quickly, though for some, it will be a challenge.”
“If agencies act on this effectively, this directive will go a long way in shutting down weak access points into enterprises. While the directive requires agencies to take these actions within 14 days of discovery, it lacks teeth,” he added. “To be prepared for future inevitable breaches and bolster national cyber resilience, CISA must follow through with closely monitoring agencies and ensuring they comply.”