Binding Operational Directives

The Cybersecurity & Infrastructure Security Agency (CISA) develops and oversees the implementation of binding operational directives (BODs). These directives require action on the part of certain federal agencies in the civilian Executive Branch.

Lucidum can help you easily respond to BODs.

BOD 23-01 #

CISA BOD 23-01 includes the following requirements:

Requirement: Perform automated asset discovery every 7 days. While many methods and technologies can be used to accomplish this task, at minimum this discovery must cover the entire IPv4 space used by the agency.

Lucidum Response:

  1. Configure Lucidum connectors for endpoint management, endpoint protection, mobile device management, directory services, DHCP, VPN, and cloud services (AWS, Azure, Google Cloud, Oracle Cloud)

  2. Query Lucidum for all assets

  3. Each week, query Lucidum for all new assets from the last seven days

Requirement: Initiate vulnerability enumeration across all discovered assets, including all discovered nomadic/roaming devices (e.g., laptops), every 14 days.

Lucidum Response:

  1. Configure one or more Lucidum connectors for vulnerability tools (for example, Burp Suite, Cycognito, Greenbone, Kenna, MS Defender, Qualys, Rapid7, Tenable, Vulcan)

  2. Query Lucidum for all assets with no vulnerability scanning. Remediate these assets

  3. Query Lucidum for all assets where vulnerabilities exist

  4. Query Lucidum for all assets where vulnerabilities exist and have not been mitigated. Remediate those assets

Requirement: Where the capability is available, agencies must perform the same type of vulnerability enumeration on mobile devices (e.g., iOS and Android) and other devices that reside outside of agency on-premises networks.

Lucidum Response:

  1. Configure one or more Lucidum connectors for mobile device management (for example, Addigy, Citrix Endpoint, Jamf Pro, JumpCloud, Kandji)

  2. The queries above will then include mobile devices.

Requirement: All vulnerability detection signatures used must be updated at an interval no greater than 24 hours from the last vendor-released signature update.

Lucidum Response: Lucidum ingests data from your environment at least once every 24 hours. This allows you to monitor compliance and ensure that vulnerability tools are kept up to date.

Requirement: Initiate automated ingestion of vulnerability enumeration results (i.e., detected vulnerabilities) into the CDM Agency Dashboard within 72 hours of discovery completion (or initiation of a new discovery cycle if the previous full discovery has not been completed).

Lucidum Response: Export query results to CSV format.

Connectors #

Connectors allow Lucidum to ingest data from your environment and discover, identify, and classify assets, data, and users.

Lucidum includes pre-built connectors for the most commonly used solutions.

Perform Automated Asset Discovery #

To find all the assets in your network, including nomadic/roaming devices and mobile devices:

  1. Lucidum recommends you configure Lucidum connectors for:

    • The Endpoint Management solutions in your environment (for example, Jamf, Intune, Citrix Endpoint Management, Symantec Endpoint Management, Hexnode)

    • The Endpoint Protection solutions in your environment (for example, Trellix Endpoint Security, Symantec Endpoint Protection, SentinelOne, CrowdStrike Falcon, Microsoft Defender for Endpoint)

    • The Mobile Device Management solutions in your environment (for example, Addigy, Citrix Endpoint, Jamf Pro, Kandji)

    • The directory solutions in your environment (for example, Azure AD, Microsoft AD, JumpCloud, PingOne, OpenLDAP)

    • The DHCP solutions in your environment (for example, Infoblox, Efficient IP, BlueCat)

    • The VPN solutions in your environment (for example, Cisco AnyConnect, FortiClient, Palo Alto VPN, Citrix Gateway, Zscaler Private Access)

    • The cloud solutions in your environment (for example, AWS, Azure, Google Cloud, Oracle Cloud)

  2. After Lucidum ingests data from these systems, Lucidum uses graph data, machine learning, and predictive analytics to detect and classify all assets and users, even those not detected by the solutions in your environment.

  3. You can then create queries to find a list of all assets in your environment.

    • In this case, our query is as simple as “Lucidum Asset Name exists”, meaning Lucidum has found the asset.

  4. The query results display all the assets in your environment.

  5. You can easily filter and sort the query results and create dashboards.

    [Screenshot: asset_overview_os.png]

  6. To see new assets that have been added in the last week:

    • You can create a query “Lucidum Asset Name exists AND First Time Seen was within the past 7 days”.

    [Screenshot: assets_last_7_days.png]

Initiate Vulnerability Enumeration #

To audit the vulnerabilities on all assets in your environment and find unmitigated vulnerabilities on all assets in your environment:

  1. In addition to the Lucidum connectors in the previous section, you must configure Lucidum connectors for:

    • One or more Vulnerability Management solutions (for example, Burp Suite, Cycognito, Greenbone, Kenna, MS Defender, Qualys, Rapid7, Tenable, Vulcan)

  2. After Lucidum ingests data from these systems, you can then create queries and dashboards that display information about vulnerabilities.

  3. To find assets without vulnerability scanning, you can write a query like:

    • Lucidum Asset Name exists AND Vuln Scan is not Yes.

    [Screenshot: assets_w_no_vuln_scans.png]

  4. You can then remediate by adding vulnerability scanning to these assets.

  5. To see each asset that has vulnerabilities, you can write a query like:

    • Lucidum Asset Name exists AND CVE list exists OR Vulnerabilities exists.

    [Screenshot: assets_w_vulns.png]

    You can also create dashboards that display information about CVEs:

    [Screenshot: info_about_cves.png]

  6. To find any assets with unmitigated vulnerabilities, you can write a query like:

    • Lucidum Asset Name exists AND CVE list exists OR Vulnerabilities exist AND Mitigated Vulns are less than 1.

    [Screenshot: unmitigated_vulns.png]

  7. You can then take steps to mitigate those vulnerabilities on those assets.

Ingestion of Vulnerability Results #

When you have added vulnerability scanning to all assets in your environment and remediated all vulnerabilities, you can again write the query:

  • Lucidum Asset Name exists AND CVE list exists OR Vulnerabilities exist

You can then export the results of that query to a CSV file for upload to the CDM Agency Dashboard.

To do this:

  1. Write the query “Lucidum Asset Name exists AND CVE list exists OR Vulnerabilities exists”.

    [Screenshot: cve_query.png]

  2. Click Show Result.

    [Screenshot: assets_w_vulns.png]

  3. Click the icon in the lower right and select Export Result.

  4. Choose the fields to include in the export.

    • To delete a field, click the x next to it.

    • To add a field, click anywhere in the box of fields and select from the list of available fields.

  5. Click Confirm.

  6. The query results are saved as a CSV file.
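As an added example (not Lucidum's code or schema), the following Python applies the queries from the Asset Discovery and Vulnerability Enumeration sections, together with the BOD 23-01 7-day discovery and 14-day enumeration cadences, to rows shaped like a CSV export of Lucidum query results, and then writes the vulnerability rows to CSV as in the export procedure above. The column names, the "Last Vuln Scan" column, the sample rows and the CVE ids are all assumptions or placeholders.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows shaped like a CSV export of Lucidum query results.
# Column names and "Last Vuln Scan" are assumptions, not Lucidum's schema;
# the CVE ids are placeholders.
SAMPLE_ASSETS = [
    {"Lucidum Asset Name": "ws-101", "First Time Seen": "2024-05-01",
     "Vuln Scan": "Yes", "Last Vuln Scan": "2024-05-06",
     "CVE list": "CVE-0000-0001;CVE-0000-0002", "Mitigated Vulns": "2"},
    {"Lucidum Asset Name": "ws-102", "First Time Seen": "2024-05-05",
     "Vuln Scan": "Yes", "Last Vuln Scan": "2024-04-10",
     "CVE list": "CVE-0000-0003", "Mitigated Vulns": "0"},
    {"Lucidum Asset Name": "srv-7", "First Time Seen": "2024-03-01",
     "Vuln Scan": "No", "Last Vuln Scan": "", "CVE list": "", "Mitigated Vulns": "0"},
]

def _age_days(value, today):
    """Days between an ISO date string and today; None when the field is empty."""
    if not value:
        return None
    return (today - datetime.strptime(value, "%Y-%m-%d").date()).days

def bod_23_01_checks(assets, today_iso):
    """Run the page's queries plus the 7-day discovery and 14-day scan cadences."""
    today = datetime.strptime(today_iso, "%Y-%m-%d").date()
    name = lambda a: a["Lucidum Asset Name"]
    return {
        # "First Time Seen was within the past 7 days"
        "new_assets": [name(a) for a in assets
                       if (d := _age_days(a["First Time Seen"], today)) is not None and d <= 7],
        # "Vuln Scan is not Yes": assets that still need scanning added
        "no_scan": [name(a) for a in assets if a["Vuln Scan"] != "Yes"],
        # scanned, but the last enumeration is older than the 14-day requirement
        "stale_scan": [name(a) for a in assets if a["Vuln Scan"] == "Yes"
                       and (d := _age_days(a["Last Vuln Scan"], today)) is not None and d > 14],
        # "CVE list exists"
        "with_vulns": [name(a) for a in assets if a["CVE list"]],
        # "CVE list exists AND Mitigated Vulns are less than 1"
        "unmitigated": [name(a) for a in assets
                        if a["CVE list"] and int(a["Mitigated Vulns"]) < 1],
    }

def export_vuln_csv(assets, fields=("Lucidum Asset Name", "CVE list", "Mitigated Vulns")):
    """CSV of the assets that have vulnerabilities, the file uploaded to the CDM dashboard."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(fields), extrasaction="ignore")
    writer.writeheader()
    writer.writerows(a for a in assets if a["CVE list"])
    return buf.getvalue()
```

Running the checks on a fresh export each week (and the CSV export on each 72-hour ingestion window) gives the same lists the queries on this page return, in a form that can be diffed against the previous run.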