Qualys Responds to CISA Alert: Binding Operational Directive 23-02 

Kunal Modasiya

Last updated on: July 26, 2023

The latest Binding Operational Directive from the Cybersecurity and Infrastructure Security Agency (CISA), BOD 23-02, requires agencies to take steps to reduce the attack surface created by insecure or misconfigured management interfaces across certain classes of devices. While this new mandate impacts agencies directly, it also impacts their supply chain partners. Here’s why and what Qualys is doing to help customers succeed with CISA.

Read our last CISA Alert about BOD 23-01: Meeting and Exceeding CISA Requirements with Qualys.

What You Need to Know:

Binding Operational Directive 23-02, Mitigating The Risk From Internet-Exposed Management Interfaces, was released on June 13, 2023. The directive focuses on the criticality of inventorying, identifying, and managing digital assets to ensure better visibility and control over IT infrastructure. By adhering to this directive, federal agencies and organizations can mitigate vulnerabilities, respond promptly to security incidents, and maintain a robust security posture.

The directive includes the following criteria:

Agencies must take at least one of the following actions within 14 days of notification by CISA or a discovery by an agency of a networked management interface:

  • Remove the interface from the internet by making it only accessible from an internal enterprise network (CISA recommends an isolated management network).
  • Deploy capabilities, as part of a Zero Trust Architecture, that enforce access control to the interface through a policy enforcement point separate from the interface itself (preferred action).

Agencies must also implement technical and/or management controls to ensure that all management interfaces on existing and newly added devices, as identified by this Directive, have at least one of the following protections in place:

  • The interface is removed from the internet by making it only accessible from an internal enterprise network (CISA recommends an isolated management network).
  • The interface is protected by capabilities, as part of a Zero Trust Architecture, that enforce access control to the interface through a policy enforcement point separate from the interface itself (preferred action).

Mitigating The Risk From Internet-Exposed Management Interfaces

The compulsory order entitled “Mitigating The Risk From Internet-Exposed Management Interfaces” puts in place a series of requirements and guidelines to help agencies bolster their cybersecurity practices by gaining improved visibility over their networks and endpoints. It also stresses the critical importance of implementing an effective asset management process across the inventorying, identifying, and managing of digital assets organization-wide. By implementing these practices, organizations can enhance their security posture, respond promptly to incidents, and mitigate potential vulnerabilities.

So, what does ‘good’ look like to CISA when it comes to reducing the attack surface created by insecure or misconfigured management interfaces?

1. Comprehensive Asset Inventory:

When it comes to BOD 23-02, it all starts with asset inventory. Specifically, the directive emphasizes the need to establish accurate and up-to-date inventories of digital assets. This includes an exhaustive understanding of devices, applications, and services within their IT infrastructure. By maintaining a comprehensive asset inventory, agencies can identify potential vulnerabilities, eliminate blind spots, and enhance overall security.

2. Vulnerability Management:

BOD 23-02 underscores the importance of proactive vulnerability management. Federal agencies are required to implement continuous vulnerability assessment practices to identify and address vulnerabilities promptly. By leveraging vulnerability scanning tools and employing a risk-based approach, agencies and organizations can prioritize their remediation efforts and reduce the risk of exploitation.

3. Incident Response Capabilities:

The directive also emphasizes the need to strengthen incident response capability in general. Timely detection, analysis, and response to security incidents are crucial in minimizing damage and mitigating risks. By implementing incident response procedures, agencies can effectively handle cyber incidents, reduce downtime, and maintain operational resilience.

4. Risk Prioritization and Compliance:

Risk prioritization and compliance management are also critical according to the directive. Organizations are encouraged to establish risk-based decision-making processes and allocate resources more efficiently. Furthermore, compliance with relevant cybersecurity frameworks and standards such as NIST, CIS, and CVE is vital to ensure a robust security posture.

How Qualys Helps Mitigate and Prioritize Risks for Rapid Response

The Qualys TruRisk Platform is built around one of the world’s most comprehensive vulnerability management capabilities with its own asset discovery & inventory, threat database, and now with natively integrated and continuous external attack surface monitoring, supporting both internal-known and unknown internet-connected assets. All these solutions are delivered through one platform and controlled with one dashboard.

In many ways, the Qualys TruRisk Platform was purpose-built to drive compliance with CISA BOD 23-02 before its inception. Here are just a few ways customers can leverage VMDR with TruRisk, CyberSecurity Asset Management with External Attack Surface Management, Patch Management, and more to meet this recent directive.

Here’s how:  

1. Accurate and Real-Time Asset Inventory:

Cybersecurity Asset Management (CSAM) with External Attack Surface Management (EASM) helps organizations achieve a comprehensive and up-to-date inventory of their digital assets. It utilizes advanced discovery techniques to identify and track devices, applications, and services across the entire network infrastructure. This ensures a clear understanding of an organization’s asset landscape, eliminating blind spots and enhancing overall security.

CSAM with EASM includes dashboards that help organizations comply with BOD 23-02 with widgets providing immediate visibility to internet-facing assets and risky ports.

2. Continuous Vulnerability Assessment:

By pairing CSAM with VMDR’s continuous vulnerability assessment capabilities, organizations can proactively identify and prioritize security vulnerabilities across their entire network, for internal as well as internet-facing assets. The solution automates vulnerability scanning, providing real-time insights into potential weaknesses. This empowers organizations to address vulnerabilities promptly, reducing the risk of exploitation and potential cyber incidents.

Unified CISA Dashboard with complete asset visibility of internal and external internet-facing assets, critical detections and threat intel.

3. Risk Prioritization and Compliance Management:

Qualys TruRisk streamlines the process of risk prioritization and compliance management. It offers comprehensive risk scoring and prioritization based on asset criticality, vulnerability severity, and potential impact. This enables organizations to allocate resources more efficiently and address high-priority risks more effectively. Better still, CSAM supports compliance frameworks such as NIST, CIS, and CVE, facilitating adherence to regulatory requirements.

Prioritize with TruRisk to narrow down to critical assets and vulnerabilities that have critical impact, and to focus remediation more efficiently.

4. Incident Response and Forensics Readiness:

In line with the directive’s emphasis on incident response capabilities, CSAM equips organizations with the necessary tools to detect, investigate, and respond to security incidents promptly. The solution captures extensive asset information, ensuring that agencies have the required data for forensic analysis and incident response efforts. This improves overall incident handling, reduces downtime, and aids in effective remediation.


BOD 23-02 establishes crucial requirements for federal agencies and organizations to enhance their cybersecurity posture. In this context, Qualys Cybersecurity Asset Management (CSAM) with External Attack Surface Management emerges as an invaluable solution, providing accurate asset visibility, continuous vulnerability assessment, risk prioritization, compliance management, and incident response capabilities. By leveraging CSAM with EASM, organizations can effectively meet the requirements of the directive, fortify their defenses, and ensure the protection of critical infrastructure and sensitive data.

To learn more about how to continuously discover your unknown, internet-facing assets and more effectively assess your risk posture, you can download the Qualys External Attack Surface Management Report for free.


Adam Slater, Senior Content Strategy Manager, Qualys
