How Do Recent CISA Directives Affect Private Firms?Complying with BOD 23-01 mandates can help prevent security breaches, compliance fines, and litigation damages
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently published the Binding Operational Directive (BOD) 23-01 that requires U.S. federal agencies to make measurable progress toward enhancing visibility into asset discovery and vulnerability. This directive includes several requirements that may not be fully addressed by vulnerability management or endpoint detection and response (EDR/XDR) solutions. Moreover, while many private sector firms may believe BOD 23-01 is only relevant U.S. federal agencies, that might not be true for the following reasons:
See Also: Threat Horizons Report
- BOD 23-01 extends Executive Order 14028 (May 2021), which applies to any firm, large or small, in the U.S. or abroad, that conducts business with federal agencies.
- NIST guidelines (Cybersecurity Framework, Zero Trust Architecture, etc.) are relevant to meeting these new mandates. Firms that underscore Written Information Security Programs (WISPs). using NIST (or similar, such as CIS) could fail audits for non-compliance.
- Firms using NIST (or CIS, ENISA, etc.) that do not comply could face expensive litigation and brand damage in the event of a breach, as prosecutors will imply that these firms did not employ the latest best practice recommendations.
- CISA advises that any organization committed to improving cybersecurity maturity and reducing risks should consider implementing BOD 23-01 as it offers thoroughly researched best practices to ensure compliance and mitigate breaches.
CISA Director Jen Easterly recently said, “While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”
Leading analysts and industry experts agree that misconfigurations and mistakes are leading causes for security breaches and compliance failures, and BOD-23-01 requires addressing these potential issues. Qualys Policy Compliance (PC) includes 850 preconfigured policies, over 19,000 controls, 350 technologies, and 100 supported regulations and frameworks. A few relevant Qualys PC capabilities that can help you comply with BD 23-01 include:
- DISA STIGs library content: Security Technical Implementation Guides (STIGs) are configuration standards developed by the Defense Information Systems Agency (DISA). Having this capability helps ensure best practice compliance.
- Expanded control library: PC provides 19K controls to ensure broader support to comply with PCI DSS 4.0, new State Civil Codes such as CCPA, GDPR Availability Breach requirements, and new NIST guidelines.
- Mandate-based reports: best practices to meet compliance mandates include the initiation of robust reports. Having this capability ensures audit-readiness and full compliance.
- Auto-discovery of middleware: most compliance mandates include the ability to initiate on-demand asset discovery within short timeframes. Organizations are advised to comply to ensure cybersecurity best practices and audit-readiness.
- Vendor hardening guidelines: the intent of many compliance mandates is to reduce attack surfaces and risks. Cybersecurity best practices to achieve this include hardening, and proper guidelines improve implementation and reduce efforts.
- Advanced reporting and customized dashboards: this ensures full audit-readiness by reducing time to generate custom reports.
- Remediation: a key intent for many compliance mandates is to address outdated software versions, missing updates, and misconfigurations. Remediating these compliance issues improves cybersecurity best practice maturity.
- MITRE ATT&CK framework: nearly all auditors view the MITRE framework as an important resource to reduce attack surfaces and ensure compliance.
- FedRAMP Authorized: PC ensures API integration and full feature support for one of the only FedRAMP authorized comprehensive security platforms. This also improves audit credibility and readiness.
Qualys Policy Compliance adds a critical layer to your enterprise security stack to help prevent issues that can lead to serious consequences. Qualys PC can augment Qualys VMDR or other vulnerability management solutions by automating the labor-intensive process of assessing security configurations, settings, and controls with a single cloud solution, multiple sensors, robust policy library, and seamless integration.
With the Qualys Cloud Platform, you can easily deploy Qualys PC across almost any endpoint or operating system. You can display security configuration issues accurately on a single pane of glass to afford continuous visibility of compliance and security risks. Compliance management workflows allow tracking of exceptions to demonstrate a repeatable and auditable policy management process. You can also customize comprehensive reports to document progress and compliance.
A recent Qualys white paper titled Preventing Security and Policy Compliance Failures offers additional insights and best practice recommendations on this topic that can help ensure compliance with dozens of regulatory mandates. CLICK HERE to download your complimentary copy.