CISA BOD 23-02 Compliance

In today's digital landscape, securing government information systems and networks from cyber threats is of utmost importance. To address this concern, the Cybersecurity and Infrastructure Security Agency (CISA) has recently released Binding Operational Directive 23-02 (BOD 23-02). This directive outlines the requirements for federal agencies to reduce the attack surface created by insecure or misconfigured management interfaces accessible via the public-facing internet. 

Zscaler can assist U.S. federal government IT leaders in implementing Zero Trust capabilities to comply with this directive. By leveraging Zscaler's Zero Trust Exchange and utilizing Zscaler Private Access (ZPA), agencies can enhance their network security, simplify access management, and effectively meet the requirements set forth by BOD 23-02. Let's dive in and explore how Zscaler can help federal agencies strengthen their cybersecurity posture.

The requirements in the Directive apply only to devices meeting BOTH of the following criteria:

1. Devices residing on or supporting federal information systems and/or networks that belong to one of the following classes: routers, switches, firewalls, VPN concentrators, proxies, load balancers, and out of band server management interfaces 
2. Devices for which the management interfaces are using network protocols for remote management over the public internet.

By not having internet facing management interfaces, organizations can begin to reduce the attack surface of their network and limit the potential of cyber attacks. CISA recommends management interfaces should be restricted to internal networks, secured VPN connections or the preferred method - deploy capabilities in alignment with a Zero Trust Architecture.

The first step in complying with BOD-23-02 is to remove the internet facing management interfaces or validate there aren’t any exposed. CISA will be scanning the agency's infrastructure for interfaces within scope of the BOD and providing them with their findings.  However, it is highly recommended for the agency to be  proactive  and scan their infrastructure as soon as possible.  Regular security assessments and vulnerability scans should always be conducted to identify potential security vulnerabilities.

If the agency has exposed management interfaces, doesn’t have a dedicated management network, or is using legacy VPNs to log on to their enterprise network to manage their infrastructure - it’s time to implement Zero Trust capabilities.

How can Zscaler help?

With Zscaler’s Zero Trust Exchange, users, devices and apps are not on the same network and there is no routable network between them. Removing the castle and moat architecture with VPN remote access eliminates or reduces the need for firewalls, VPN concentrators and routers that all can have management interfaces that are accessible via the public facing internet.

Zscaler Private Access (ZPA) can be used to manage network infrastructure by providing secure remote access to internal network devices, such as routers, switches, and firewalls. This can be done by configuring ZPA to allow remote access to the management interfaces of these devices, while keeping them hidden from the internet.

Using ZPA to manage network infrastructure is as simple as following these steps:

1. Identify the network devices that need to be managed remotely. 
2. Configure ZPA to allow remote access to the management interfaces of these devices. 
3. Configure the network devices to allow remote access. 
4. Connect to the network devices using ZPA. 
5. Manage the network devices remotely. 

Once the devices are configured for remote access and the ZPA policy is in place, authorized users can connect to the devices using the ZPA client. This provides a secure, encrypted connection to the management interface of the device, without exposing it to the internet. authorized users can then manage the network devices remotely, using the same tools and interfaces as if they were on the local network.

By using ZPA to manage network infrastructure, organizations can improve security and simplify access management. This can help to improve efficiency and reduce costs, while maintaining a high level of security, control over the network infrastructure, and comply with BOD 23-02.

ZPA is FedRAMP Moderate, FedRAMP JAB High and StateRAMP Authorized as well as DoD P-ATO at IL5. Visit our Federal page for more information on how Zscaler serves the Federal government including 12 of the 15 cabinet-level agencies.