From time to time, new directives and requirements come up in the federal space that has ripple effects throughout the cybersecurity landscape. Recently, FedRAMP raised a note that a new Binding Operational Directive has shifted some requirements for agencies and contractors. While this doesn’t seem to directly impact the program, it is significant enough for the FedRAMP website to note for the future. 

Here, we’ll discuss Binding Operational Directive 23-02 and what it means for government agencies and their partners. 

What Is a Binding Operational Directive?

A Binding Operational Directive (BOD) is an order issued by the United States Department of Homeland Security (DHS) to establish necessary policies, principles, standards, and guidelines for securing federal information systems.

The Cybersecurity and Infrastructure Security Agency (CISA) issues BODs to federal departments and agencies. The orders often provide specific technical solutions or procedures to address known or emerging cybersecurity risks and vulnerabilities. 

These directives are part of the government’s plan to maintain up-to-date cybersecurity standards and defenses while managing risk. These are typically restricted to federal agencies, typically those in the executive branch. 

What is BOD 23-02?

Binding Operational Directive 23-02 focuses on implementing additional security and administrative practices around Internet-exposed management interfaces.

Quoting directly from the document, it states that “This Directive requires agencies to take steps to reduce the attack surface created by insecure or misconfigured management interfaces across certain classes of devices.”

What Is an “Internet-Exposed Management Interface”?

Internet-exposed management interfaces refer to the administrative access points for devices, systems, or platforms accessible over the Internet. Interfaces are used to manage network hardware and software from a remote location over a local or public network.

Some examples include:

• Web-based Management Consoles: Many devices and platforms offer web-based interfaces for administration. This includes CSPs like AWS or Microsoft. 
• Secure Shell (SSH): SSH, and its antecedent Transport Layer Security (TLS), are used to create secure connections between different computers on a network or over the public Internet.
• Network Device Interfaces: Devices like routers and firewalls have hardware and software interfaces allowing them to talk to one another.
• Application Programming Interfaces (APIs): APIs are used to integrate code with an underlying infrastructure to develop apps and other frontend services for end users. 

While these interfaces provide necessary access for management purposes, they pose a significant security risk if they’re improperly secured and exposed to the Internet. Unauthorized individuals could potentially gain access, leading to data breaches, system disruptions, or the spread of malware.

To mitigate such risks, these interfaces should be secured with strong authentication mechanisms and encryption and, ideally, should not be directly exposed to the Internet whenever possible. Instead, secure methods such as Virtual Private Networks (VPN), jump servers, or bastion hosts should be used to provide controlled access. Regular audits and monitoring can help ensure these controls remain effective.

According to the BOD, this particular change in requirements only applies on two occasions:

• Devices supporting federal information systems, including common network technologies like routers, switches, firewalls, VPNs, proxies, load balancers, and out-of-band server management interfaces.
• Devices involved in managing or operating these resources over public internet protocols, including protocols like HTTP, HTTPS, Telnet, FTP, RDP, SSH, SMB, and X11. 

Following these situations, organizations are expected to take the following actions:

• Within 14 days of notification by CISA regarding the scope of their obligations, organizations must remove any covered interfaces from the Internet by making them only accessible from an internal enterprise network and deploy capabilities that enforce access control through specific policy management tools that exist separately from the interface.
• Additionally, organizations will implement technical and management controls to ensure that all management interfaces on existing and newly added devices have at least one of the following: removal from public Internet connectivity or protection behind specific access control policies.

Additionally, CISA will take the following actions: 

• Scan for devices and interfaces in the scope of this Directive and notify agencies of all findings.
• Provide a reporting interface and standard remediation plan templates if remediation efforts exceed required timeframes.
• Engage the organization to review status and provide technical expertise for hardening specific devices, as requested and appropriate. Additionally, CISA will engage organizational CIOs, CISOs, and SAORMs throughout the escalation process, if necessary.
• Review and update this Directive as needed to reflect changes in the general cybersecurity landscape within two years.
• Provide additional guidance to agencies via the CISA website, through updates to this Directive, and individual engagements upon request.
  
• Submit a report on the status of the Federal Civilian Executive Branch (FCEB), pertaining to their compliance with this Directive, to the Secretary of DHS and the Director of OMB within six months.

How Does BOD 23-02 Impact FedRAMP?

Per the FedRAMP website, there are no required changes to FedRAMP compliance standards. However, it is recommended that all CSPs falling under FedRAMP review and implement these requirements with the idea that they will most likely impact provider security soon. 

Stay Prepared for Changes to National Cybersecurity with Lazarus Alliance

Are you currently FedRAMP Authorized and worried about the evolving regulatory landscape? Trust Lazarus Alliance to make sure you know what it takes to maintain compliance.