"CISA Directs Federal Agencies to Secure Internet-Exposed Management Interfaces"

The Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 23-02, "Mitigating the Risk from Internet-Exposed Management Interfaces," requiring federal civilian agencies to remove specific networked management interfaces from the public-facing Internet or implement Zero Trust Architecture (ZTA) capabilities that enforce access control to the interface within 14 days of discovery. Recent threat campaigns highlight the risk that improperly configured network devices pose to the federal enterprise. As part of the effort by CISA and the broader US government to move the federal civilian enterprise to a more secure posture, this Directive will further reduce the attack surface of federal government networks. According to Jen Easterly, director of CISA, threat actors can too often use network devices to get unrestricted access to organizational networks, resulting in widespread compromise. Requiring the controls and mitigations outlined in this Directive is an important step in reducing risk to the federal civilian enterprise. This article continues to discuss the BOD issued by CISA on mitigating the risk posed by Internet-exposed management interfaces.

CISA reports "CISA Directs Federal Agencies to Secure Internet-Exposed Management Interfaces"

Submitted by Anonymous on