Industry Topics

Achieve Compliance for CISA’s Binding Operational Directive 23-01 with BMC

2 minute read
Seth Paskin

The United States Cybersecurity and Infrastructure Security Agency (CISA) released the Binding Operational Directive 23-01, a compulsory directive to the federal, executive branch, departments, and agencies to safeguard federal information and information systems. Under the directive, agencies must have weekly automated asset discovery and vulnerability enumeration in place by April 3, 2023.

Federal agencies are embracing the challenge of managing and securing hardware and software assets across multi-cloud, on-premises, and mobile. This complexity comes with increased cybersecurity risk. One way organizations can manage this risk is through continuous and comprehensive asset visibility. Maintaining accurate and up-to-date accounting of assets residing on federal networks is also critical for CISA to effectively manage cybersecurity for the Federal Civilian Executive Branch (FCEB) enterprise.

The new requirements

Binding Directive 23-01 focuses on two core areas:

  • Asset discovery as a building block of operational visibility, defined as an activity through which an organization identifies the network-addressable IP assets that reside on its networks and their associated IP addresses (hosts).
  • Vulnerability enumeration identifies and reports suspected vulnerabilities on those assets. It detects host attributes (e.g., operating systems, applications, open ports, etc.) and attempts to identify outdated software versions, missing updates, and misconfigurations. It validates compliance with or deviations from security policies by identifying host attributes and matching them with information on known vulnerabilities.

BMC answers the call

You can’t manage what you can’t see. Below are the ways that BMC Helix Discovery, a FedRAMP Moderate-certified, SaaS solution delivered on Amazon Web Services (AWS), can help you meet the Binding Operational Directive 23-01 requirements:

Requirement BMC Helix Discovery
Maintain an up-to-date inventory of networked assets Inventories networked hardware and software assets across cloud, hybrid, and on-premises environments. Adds the additional benefit of relationship/dependency mapping and service modeling.
Perform automated asset discovery every seven days Agentless discovery of assets with automated scheduling at any interval (hourly, daily, weekly, etc.)
Initiate vulnerability enumeration across all discovered assets, including all discovered nomadic/roaming devices, every 14 days Completely catalogs asset configurations and profiles for vulnerability enumeration at every scan
Develop and maintain the operational capability for on-demand asset discovery and vulnerability enumeration to identify specific assets or subsets of vulnerabilities within 72 hours of CISA request and provide results within seven days Can be executed on-demand to meet CISA requests and immediately provides results
Perform the same type of vulnerability enumeration on mobile devices and other devices that reside outside of an agency’s on-premises networks Treats mobile devices and other offsite devices, including tablets, iOS and Android devices, the same as on-premises networked assets

BMC Helix Discovery provides real-time visibility into hardware and software assets as well as their relationships and service dependencies across on-premises and cloud environments. It is designed to handle the complexity of managing a wide spectrum of configurations, including physical and logical components. Learn more about what BMC Helix Discovery can do to help your agency meet CISA’s Binding Operational Directive 23-01 requirements. Reach out to federal@bmc.com, speak to your BMC Account Team, or visit www.bmc.com/discovery.

These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.

See an error or have a suggestion? Please let us know by emailing blogs@bmc.com.

BMC Brings the A-Game

BMC works with 86% of the Forbes Global 50 and customers and partners around the world to create their future. With our history of innovation, industry-leading automation, operations, and service management solutions, combined with unmatched flexibility, we help organizations free up time and space to become an Autonomous Digital Enterprise that conquers the opportunities ahead.
Learn more about BMC ›

About the author

Seth Paskin

Seth Paskin is Director of Technical Marketing for the TrueSight portfolio. He has 20 years of IT industry experience with leading organizations such as BMC, Dell and Harte-Hanks. Seth has extensive experience in business intelligence and analytics solutions for IT, having designed and built solutions for enterprise customers using technologies such as Teradata, MSSQL, MySQL, JMP, Business Objects, Microsoft Reporting Services, Tableau, Qlik and most recently, Python Pandas.