The Cybersecurity and Infrastructure Security Agency (CISA) issued BOD 23-1 to enhance visibility into agency assets and vulnerabilities. This measure is intended to support CISA’s efforts to effectively manage cybersecurity for the Federal Executive Branch (FECB) enterprise. CISA has stated that “comprehensive asset visibility is a basic precondition for any organization to effectively manage cybersecurity risk.”
The BOD requires Federal Agencies to perform automated asset discovery every 7 days and vulnerability enumeration every 14 days. Due to technical limitations, legacy scanning tools cannot support agencies’ efforts to adhere to this directive. These tools take several days to perform a scan that reaches all network endpoints. This also assumes the organization fully understands its IP address space, both IPv4 and IPv6, and that it can allow scans through firewalls or deploy probes, if necessary, onto air-gapped environments to reach areas of the network separated by administrative boundaries.