On June 13, 2023, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released Binding Operational Directive (BOD) 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces. The directive requires federal civilian executive-branch agencies to adhere to two primary actions:
- Within 14 days of notification by CISA or discovery by an agency of a networked management interface, either: (a) remove the interface from the Internet, or (b) deploy capabilities that enforce access control to the interface through a policy enforcement point separate from the interface itself.
- Implement technical and management controls to ensure that all management interfaces on existing and newly added devices have one of the protective measures implemented as discussed in action 1 above.
The scope of the directive covers dedicated device interfaces that are accessible over network protocols and are meant exclusively for administrative activities on a device, a group of devices, or the network itself. Examples of classes of devices in scope include routers, switches, firewalls, VPN concentrators, proxies, load balancers, and out-of-band server management interfaces using network protocols such as HTTP, HTTPS, FTP, SNMP, Telnet TFTP, TDP, rlogin, RSH, SSH, SMB, VNC, and X Window Systems.
Adversary tactics and techniques are dictating the need for the new directive as these interfaces are being continuously monitored and attacked.
Qualys Cloud Platform
The Qualys Cloud Platform is a comprehensive offering that includes asset inventory with external attack surface visibility, vulnerability risk and remediation management, and policy compliance management that federal agencies require as the foundation for their cybersecurity programs. Our integrated platform includes all the critical security and compliance applications needed to address Executive Orders and Binding Operational Directives, including EO14028 and BOD 23-01/02, and aligns with NIST 800-53 v5 standards. The Qualys Cloud Platform is also on the Approved Products List for the General Services Administration’s (GSA) Continuous Diagnostics and Mitigation (CDM) program.
Qualys is fully committed to the Federal mission, and the Qualys Cloud Platform received a FedRAMP Authorization to Operate (ATO) at the Moderate Impact Level in 2016. Qualys has also launched the Qualys GovCloud Platform, which offers the only FedRAMP Ready at the High impact level platform for vulnerability and patch management that can meet Executive Orders and NIST compliance comprehensively. You can read more about Qualys GovCloud here.
Leveraging Qualys Solutions to Identify Internet-Exposed Administrative Interfaces
While the CISA directive is straightforward and simple in design, being able to detect all Internet-exposed administrative endpoints quickly and routinely is no easy task, especially as those endpoints can blend in with other HTTPS webpages, can be deployed on non-standard ports, or are part of an agency’s cloud environment and exposed via a cloud service provider’s IP address space. Dealing with these complexities requires a multi-vector and flexible approach that only Qualys can deliver from its FedRAMP-authorized platform.
How Qualys Helps Mitigate and Prioritize Risks for Rapid Response
The Qualys TruRisk Platform is built around one of the world’s most comprehensive vulnerability management capabilities with its own asset discovery and inventory, threat database, and natively integrated and continuous external attack surface monitoring, which supports both internally-known and unknown Internet-connected assets. These solutions are delivered through one platform and controlled with one dashboard and agent.
The Qualys TruRisk Platform was purpose-built to drive compliance with CISA BOD 23-02 even before its inception.
Accurate and Real-Time Asset Inventory:
Qualys CyberSecurity Asset Management (CSAM) with External Attack Surface Management (EASM) helps organizations achieve a comprehensive and up-to-date inventory of digital assets. It utilizes advanced discovery techniques to identify and track devices, applications, and services across the entire network infrastructure. This ensures a clear understanding of an organization’s asset landscape, eliminating blind spots and enhancing overall security.
CSAM with EASM includes dashboards that help organizations comply with BOD 23-02 with widgets providing immediate visibility to Internet-facing assets and risky ports.
Continuous Vulnerability Assessment:
By Pairing Qualys CSAM with Qualys VMDR’s continuous vulnerability assessment capabilities, organizations will be able to proactively identify and prioritize security vulnerabilities across their entire network, for internal as well as Internet-facing assets. The solution automates vulnerability scanning and provides real-time insights into potential weaknesses. This empowers organizations to address vulnerabilities promptly, which reduces the risk of exploitation and potential cyber incidents. Federal agencies can also set alerts that trigger when a new Internet-facing administrative interface is discovered, thereby notifying cyber responders in real time of the exposure.
Risk Prioritization and Compliance Management:
Qualys TruRisk streamlines the process of risk prioritization and compliance management. It offers comprehensive risk scoring and prioritization based on asset criticality, vulnerability severity, and potential impact. This enables organizations to allocate resources more efficiently and address high-priority risks more effectively. Better still, CSAM supports compliance frameworks such as NIST, CIS, and CVE, facilitating adherence to regulatory requirements.
Incident Response and Forensics Readiness:
In line with the directive’s emphasis on incident response capabilities, CSAM equips organizations with the necessary tools to detect, investigate, and respond to security incidents promptly. The solution captures extensive asset information, ensuring that agencies have the required data for forensic analysis and incident response efforts. This improves overall incident handling, reduces downtime, and aids in effective remediation.
The Background section of BOD 23-02 states that “Inadequate security, misconfigurations, and out-of-date software make these devices more vulnerable to exploitation.” Unlike most other solutions that offer basic security configuration assessments, Qualys Policy Compliance (PC) helps you prioritize misconfigurations based on ransomware risks, MITRE ATT&CK techniques, compliance objectives, and asset criticality. Qualys PC also provides a centralized, interactive console for specifying the baseline standards required for different sets of hosts.
Qualys PC uniquely allows you to discover unknown middleware, databases, and out-of-date software, resulting in configuration risk and compliance improvements of 30 percent or more. By also automating discovery for operating systems, network devices, and applications, Qualys PC lets you identify issues quickly to prevent configuration drift. With Qualys PC, you can prioritize and track remediation and exceptions while demonstrating a repeatable and auditable process for CISA compliance management. Qualys PC’s automated remediation provides an average 30-day reduction in misconfiguration remediation and can result in up to 98 percent time savings and hundreds of thousands in cost reduction.
Robust Discovery Within Web Applications
By leveraging the power of Qualys Web Application Scanning (WAS), organizations can identify administrative interfaces, not only at the top level of applications but on non-standard ports or several layers deep into these applications. Qualys WAS offers a robust solution that goes well beyond surface-level assessments, penetrating even the most advanced frameworks to expose vulnerabilities, untangle misconfigurations, and unmask outdated software to ensure interfaces are secure from cyberattacks. Furthermore, the seamless integration of Qualys EASM with Qualys WAS enables swift incorporation of forgotten web applications into the scanning inventory, facilitating prompt assessments and ensuring steadfast adherence to the rigorous standards required by CISA BOD 23-02.
BOD 23-02 establishes crucial requirements for federal agencies and organizations to enhance their cybersecurity posture. The Qualys Cloud Platform offers several apps that address many of the requirements outlined in both BOD 23-01 and 23-02 by providing accurate asset visibility, continuous vulnerability assessment, risk prioritization, policy compliance, and incident response capabilities. With Qualys, organizations can effectively meet the requirements of both directives while ensuring the protection of critical infrastructure and sensitive data.
On July 19, Qualys will host a webinar for our government partners and customers to discuss how to leverage our solutions to meet CISA Directive 23-01 and 02, along with best practices for reducing your external attack surface. Visit Qualys.com for more information.
Try the Qualys Cloud Platform today at no cost.
- Kunal Modasiya, Vice President, Product Management, CyberSecurity Asset Management, Qualys
- Bill Reed, Product Marketing, Qualys
- Pablo Quiroga, Director of Product Management, Qualys
- Adam Slater, Senior Content Strategy Manager, Qualys
- John Delaroderie, Director Product Management Web App Security, Qualys