In a bid to prevent threat actors from compromising agency networks, the Cybersecurity and Infrastructure Security Agency (CISA) issued a new directive in June ordering federal agencies to disconnect all networked management devices from the internet.

What is Binding Operational Directive 23-02? 

Binding Operational Directive 23-02 requires agencies to either make these devices accessible only via internal networks, or to introduce zero-trust capabilities that enforce access controls separate from the interface. 

Threat actors are known to target misconfigured and insecure network devices, and the risk of large-scale compromises are even greater for those that are connected to the internet.  

Devices covered by the directive are those that reside on or support information systems, which might include firewalls, switches and routers as well as load balancers, proxies, VPN concentrators and out of band server management interfaces. These devices connect to the internet and use network protocols for remote management.  

In the weeks following the announcement, concerns have been raised about the number of agencies found to be in violation of the directive. An investigation discovered at least 250 instances of web interfaces for hosts exposing network devices. Many of these were found to be running remote protocols including SSH and TELNET. 

At present, many federal agencies lack the resources and tools they need to effectively monitor their networks. And, as a consequence, they are unable to meet their security or compliance requirements and risk being unable to respond to emerging threats promptly. 

Implementing a Zero Trust Architecture can circumvent the requirement to disconnect from public internet 

As the directive states, disconnecting devices is not the only way to comply as protecting the interface with zero trust capabilities is also accepted. The zero trust approach is in fact the preferred option, which is in line with the current push for zero trust security across the government.  

However, ZT isn’t a quick solution for federal agencies, it requires a fundamental rethink of security architecture, and given the timescales for action in the directive, disconnecting devices from the internet might be an immediate action some agencies need to take.  

Under the zero trust approach, the directive requires agency administrators to be able to enforce access controls separate from the interface.  

Establishing zero trust relies upon a baseline level of protection being achieved. Auditing all network devices is needed to detect when network configurations drift from the desired state, and then remediating misconfigurations that make networks vulnerable to attacks. 

BOD 20-23 underpins the importance of implementing continuous assurance of network configuration posture 

When many systems in federal agencies were first developed, cybersecurity thinking still imagined data, infrastructure and users to be on one network where everything was trusted. Federal networks have become far more complex since their development and over time agencies have responded to increased risk, as CISA’s directive notes, by gaining better visibility of networks and improving endpoint detection and response.  

However, threat actors are now adjusting their tactics and targeting network devices that support underlying infrastructure. Devices with misconfigurations present grave risks to the federal enterprise. These misconfigured, or otherwise insecure, devices pose ever greater risk when accessible from the public internet. 

Being able to identify configuration drift is key and this requires monitoring every network device. To achieve this, agencies need to engage with tools, such as Nipper Enterprise, to automate this process. Where misconfigurations are detected, Nipper Enterprise produces risk-prioritized findings and remediation guidance, as well as evidence to support compliance assurance with trusted security policies and RMF controls. 

Preventing federal networks from being breached through insecure network devices is critical and disconnecting devices from public internet is one safe precaution. But leveraging automation tools to support configuration assurance and a ZTA helps ensure agencies can adapt to the evolving threat landscape in the long term.