BODs: Hot or not? – The Washington Post

Welcome to The Cybersecurity 202! You tell me: What were the best songs to come out in 2022?

Below: The Secret Service says Chinese hackers stole covid-19 relief benefits, and Iranian hackers are accused of targeting activists, journalists and others. First:

BODs: Hot or not? How a DHS initiative to improve federal cybersecurity is working out

The Department of Homeland Security has authority to issue “binding operational directives” – known in the cybersecurity world as BODs – to try to pressure federal agencies to bolster their cyber defenses.

Federal agencies usually try to comply with these directives. But in practice these BODs carry no enforcement mechanism of their own, and some government watchdogs have found a lack of full compliance.

DHS has been using these directives for seven years, telling agencies to take steps such as removing anti-virus products made by Russia-headquartered Kaspersky and responding to the biggest software vulnerabilities in the news headlines.

Sometimes these BODs work and other times they don’t. Paradoxically, perhaps, both were in evidence when DHS’s Cybersecurity and Infrastructure Security Agency (CISA) announced last month that an unnamed federal agency had suffered a breach at the hands of Iranian hackers — who penetrated its networks via a vulnerability that CISA had ordered agencies to fix.

  • The Cybersecurity 202 reported that the agency was the U.S. Merit Systems Protection Board. 
  • The hackers exploited a vulnerability in the ubiquitous software tool log4j, one that potentially affected hundreds of millions of devices worldwide. 
  • CISA had issued one of the orders — a so-called “binding operational directive” — last year to shore up log4j vulnerabilities. 
  • It gave agencies deadlines in December, but according to CISA’s alert, the hackers accessed the agency as early as February of this year — well after agencies should have completed the directive’s work.

“We saw agencies, and really across the community, taking extraordinary action in quickly identifying and mitigating vulnerable devices or products running the relevant versions of log4j,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, told me. “As our director and others have noted, the prevalence of devices running vulnerable versions of log4j is extensive. So it’s going to be a long-term effort to get the number of vulnerable devices down to, or even near, zero.”

Congress gave DHS the authority to issue BODs in 2014. In 2015, Congress gave DHS another kind of authority to issue “emergency directives.” The department has grown increasingly willing to issue these directives.

  • From 2015 to 2018, the department issued or updated seven of them, collectively.
  • From 2019 to now, the department issued or updated 14 of them.

Even though agencies don’t fully comply with BODs, that doesn’t mean DHS is powerless, Goldstein said.

“Because they are binding, we are able to work closely with agencies at an operational level,”  he said. “Agencies understand that these are required actions, but also if agencies are not able to complete required actions in the allotted time frame, we are able to rapidly escalate to agency senior leadership and work closely with our partners at OMB [the Office of Management and Budget] to ensure that the importance of these steps are reflected at the leadership.”

Additionally: “It has never been the case, at least in my two years in this role, that an agency has not accepted the validity or binding nature of these directives,” Goldstein said.

When DHS has seen agencies struggling to complete a directive, it’s been because of money, personnel or technical limitations, Goldstein said. Also, some directives are by their very nature not meant to be completed all at once. For example, one directive is built around a running, regularly updated list of known exploited vulnerabilities (the KEV catalog), each with its own remediation due date, that agencies need to work through as new entries are added.
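The KEV catalog is published as a JSON feed with a required action and a due date for every entry, so the agency-side task is mechanical: match the catalog against what is actually running and flag anything past its date. The script below is an added example, not CISA’s or any agency’s own tooling. It loads a catalog in the feed’s shape, checks it against a per-asset list of CVE identifiers and reports each finding as overdue, still open, or not listed. The two catalog entries and the asset inventory are constructed for illustration (field names follow the public feed; the dates are illustrative rather than copied from the live catalog), and the `KEV_URL`/`fetch_live_kev` helper is an assumption about how one would pull the real feed.

```python
"""Check a CVE inventory against a CISA KEV-style catalog and flag overdue items.

Added example, not CISA's or any agency's code. SAMPLE_KEV_JSON and the
inventory in main() are constructed for illustration.
"""
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
from urllib.request import urlopen

# Public location of the KEV feed (assumption about deployment: fetch_live_kev
# is offered for real use and is never called during import).
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the real feed. The field names match the
# public catalog; the dates and descriptions are illustrative only.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "vulnerabilities": [
    {
      "cveID": "CVE-2021-44228",
      "vendorProject": "Apache",
      "product": "Log4j2",
      "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
      "dateAdded": "2021-12-10",
      "shortDescription": "JNDI lookup in Log4j2 allows remote code execution.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2021-12-24"
    },
    {
      "cveID": "CVE-2021-45046",
      "vendorProject": "Apache",
      "product": "Log4j2",
      "vulnerabilityName": "Apache Log4j2 Deserialization of Untrusted Data Vulnerability",
      "dateAdded": "2022-01-10",
      "shortDescription": "Incomplete fix for CVE-2021-44228 in some configurations.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2022-02-10"
    }
  ]
}
"""


@dataclass
class Finding:
    asset: str
    cve: str
    status: str                 # "overdue", "open" or "not_in_kev"
    due: Optional[date]
    days_remaining: Optional[int]  # negative when overdue
    required_action: str


def load_kev(text: str) -> Dict[str, dict]:
    """Parse a KEV-shaped JSON document into a cveID -> entry map."""
    data = json.loads(text)
    return {v["cveID"].upper(): v for v in data["vulnerabilities"]}


def fetch_live_kev(url: str = KEV_URL, timeout: int = 30) -> Dict[str, dict]:
    """Download and parse the live catalog (network access required)."""
    with urlopen(url, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


def assess(inventory: Dict[str, List[str]], kev: Dict[str, dict], today: date) -> List[Finding]:
    """Compare each asset's CVEs with the catalog; results sorted by asset, then CVE."""
    findings: List[Finding] = []
    for asset in sorted(inventory):
        # Normalise case and drop duplicates so one CVE yields one finding per asset.
        for cve in sorted({c.strip().upper() for c in inventory[asset]}):
            entry = kev.get(cve)
            if entry is None:
                findings.append(Finding(asset, cve, "not_in_kev", None, None, ""))
                continue
            due = date.fromisoformat(entry["dueDate"])
            remaining = (due - today).days
            status = "overdue" if remaining < 0 else "open"
            findings.append(Finding(asset, cve, status, due, remaining, entry["requiredAction"]))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status; every status key is present even when zero."""
    counts = {"overdue": 0, "open": 0, "not_in_kev": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


if __name__ == "__main__":
    # Constructed inventory: asset name -> CVEs reported by a scanner.
    inventory = {
        "web-01": ["cve-2021-44228", "CVE-2021-45046"],
        "build-02": ["CVE-2021-44832", "CVE-2021-44228"],
    }
    catalog = load_kev(SAMPLE_KEV_JSON)
    for f in assess(inventory, catalog, date(2022, 2, 1)):
        print(f"{f.asset:10} {f.cve:15} {f.status:10} due={f.due} days={f.days_remaining}")
    print(summarize(assess(inventory, catalog, date(2022, 2, 1))))
```

In real use, swap `SAMPLE_KEV_JSON` for `fetch_live_kev()` and feed in scanner output; the `not_in_kev` bucket is worth keeping in the report, since a CVE absent from the catalog today can be added tomorrow, which is exactly the "running list" property the directive relies on.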

Gary Barlet, a former chief information officer…



Read More: BODs: Hot or not? – The Washington Post
