Binding Operational Directive 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces

Author: Jennifer Walker

Created: Tuesday, June 13, 2023 - 18:10

Categories: Cybersecurity, Security Preparedness

Today, the Cybersecurity and Infrastructure Security Agency (CISA) announced a new Binding Operational Directive (BOD) 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces. The BOD instructs federal agencies to reduce the attack surface created by insecure or misconfigured remote management interfaces exposed to the internet. While BODs are mandatory for federal agencies, all organizations – private, industry, and state, local, tribal and territorial (SLTT) governments – are strongly encouraged to review and implement recommendations from this guidance. This BOD is designed to address recently reported threat activity of actors evading detection by compromising improperly configured devices that support underlying network infrastructure.

This directive applies to dedicated remote management interfaces belonging to routers, switches, firewalls, VPN concentrators, proxies, load balancers, and out-of-band server management interfaces (such as iLO and iDRAC) that are accessible over the internet. Specifically, the BOD mandates that identified networked management interfaces either be removed from exposure to the internet or be protected with Zero-Trust capabilities that implement a policy enforcement point separate from the interface itself. Members are highly encouraged to have systems administrators review this BOD and address it accordingly. Review Binding Operational Directive 23-02 at CISA.
