
Binding Operational Directive 23-01 can help close a government security gap


The Cybersecurity & Infrastructure Security Agency (CISA) recently issued an advisory on a dozen new exploits and vulnerabilities affecting industrial control systems (ICS) from nine different manufacturers. The warning is the latest in a growing body of evidence that critical public infrastructure–things like the power grid, transportation systems and facilities, government buildings, and public safety organizations–will soon become the primary target of threat actors in an escalation of attacks against national economic interests. In fact, some observers believe a shift in strategies in the war between Russia and Ukraine is proof that such an escalation is well underway.

It’s hard to argue that threat actors are not becoming increasingly aggressive and willing to attack targets, even when there might be a human cost. Hospitals and healthcare services providers have seen a sharp increase in attacks over the last three years, and research suggests those attacks are associated with an increase in patient mortality. Even the U.S. Federal Reserve warns that attacks on industrial enterprises and infrastructure could impede economic activity and seriously undermine confidence and stability in national financial systems.

Setting a Good Example

And so, as attention turns toward the hardening of private and public infrastructure against cyberattacks, leaders in Washington, D.C. are trying to set a positive example by updating their own security policies. When the White House issued the Executive Order on Improving the Nation’s Cybersecurity on May 12, 2021, it established the foundation for the government’s strategy to address the protection of a sprawling and complex federal IT infrastructure comprising hundreds of different agencies. Then in early March this year the White House published its National Cybersecurity Strategy to bring the issue into sharper focus.


But the work toward improving the federal government’s readiness and resilience against cyberthreats was underway before the release of the National Cybersecurity Strategy. In October of 2022 the Cybersecurity & Infrastructure Security Agency (CISA) took a big step forward when it issued Binding Operational Directive (BOD) 23-01, Improving Asset Visibility and Vulnerability Detection on Federal Networks.

Connected Device Visibility is Critical

BOD 23-01, which had a deadline of April 3, 2023, requires all federal civilian executive branch (FCEB) agencies to establish the means for effecting “continuous and comprehensive asset visibility” as a first step in assessing and monitoring cyber risk. CISA did not identify penalties for missing the April 3 deadline, but there are ongoing reporting and improvement timelines to ensure asset inventories are up-to-date. The philosophy behind the directive is sound. Today’s IT estates are complex and include thousands of components operating on-premises and in the cloud: servers, routers, switches, software, applications, services, and all kinds of devices, many of which are practically invisible to traditional IT management systems.

This is especially true for connected devices, including the Internet of Things (IoT), Internet of Medical Things (IoMT), operational technology (OT), and more. And what BOD 23-01 does is acknowledge that, without a complete accounting of every single device that connects to the enterprise—expected or unexpected, and for however long it remains connected—each is a potential vector for attack. Also, when connected assets are unaccounted for, an organization’s configuration management database (CMDB) will be inaccurate, leading to other IT operations and security issues that can put the enterprise at risk. Ordr’s experience with connected device discovery illustrates the wide variety of unexpected devices that can be found operating in some enterprises alongside mission-critical equipment. Vending machines and building controls, Tesla cars and Kegerators, Alexas and Pelotons, all connected to the network and communicating out to the Internet, unmanaged and unknown to IT operations and security.

See IT, Protect IT

You can’t protect what you can’t see, and so device discovery, visibility, and monitoring are vital to maintaining security at a high level. Ordr is not only able to discover and monitor these devices in real-time, but the extensive Ordr Data Lake contains detailed profiles of millions of IoT, IoMT, and OT devices, identifying their purpose and operational profile. That enables security teams to identify devices with vulnerabilities, establish a risk score for every device operating in the network, detect when devices exhibit indicators of compromise, and automate policy creation to accelerate response and prevent attacks targeting connected devices or prevent lateral movement. These capabilities support BOD 23-01’s objective to “make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities… an important step to address current visibility challenges at the component, agency, and [federal civilian executive branch] enterprise level.”


It’s good that the U.S. federal government recognizes that maximizing the effectiveness of a cybersecurity program demands a full accounting of every device operating in the network. That is the foundational tenet of Ordr’s mission, and it has been embraced by our customers, including many of the world’s largest healthcare, financial, and manufacturing organizations. Our customers in the federal government had a head start on meeting (and likely exceeding) requirements ahead of CISA’s April 3 deadline.

If your agency or organization recognizes that it has blind spots it needs to address to take a full inventory of every device it has connected to its network, give us a call. We can run a demonstration that can show you every connected device on the network. And with a complete accounting of your connected assets, you can build a plan to see, know, and secure your enterprise.

Identity is a foundational component of modern security models, allowing organizations to control the data or services a user or account should be able to access. The explosion of IoT, IoMT, OT and other connected devices introduces significant gaps in identity-based security while creating new challenges and posing questions:

What is an identity for these devices that do not inherently have what we think of as an identity? 

How can we close the gap and bring identity-based controls to these critical devices? 

This post looks deeper into the challenges, these questions, and how Ordr helps provide answers in a straightforward and automated way.

It’s the End of Identity as We Know It…and I Feel Fine?

There are several methods organizations use to establish and verify identity for their users and assets. Unfortunately, none of these methods work well for the new class of connected devices.

Traditional devices such as laptops and workstations can be associated with a specific user and can be reliably linked to that user’s identity. Security teams can also verify the identity of a device by installing certificates or using USB keys. When a high-value asset is accessed, multi-factor authentication mechanisms can be leveraged by sending the user a passcode via email or text to be provided for additional verification.

The new class of connected devices is rapidly increasing in number and can be found everywhere in enterprise environments. Connected devices include everything from consumer products and phones to printers and media displays. In industrial settings, IIoT and OT devices range from sensors to the multi-million-dollar equipment essential to manufacturing lines. In healthcare, IoMT includes a vast array of medical devices, from health monitoring equipment to magnetic resonance imaging (MRI) scanners, that are critical to delivering care and ensuring patient safety.

Connected devices are increasingly critical infrastructure in organizations across industries, yet these devices can’t be managed the same as traditional devices. The simple task of installing enterprise certificates or endpoint agents is virtually impossible since many of these devices run embedded operating systems or are agentless. Even if agents could be installed, the vast diversity of hardware and software variations of IoT devices makes it almost impossible for vendors to develop and support agents.

Connected devices are commonly found with software stacks from various sources layered on embedded and customized operating systems. For these devices, any tool that uses a map of the processes to perform behavioral analysis is virtually useless.

Integrated firmware running on connected devices typically prevents any new software from being installed to ensure security and device reliability. As an example, new software can’t be installed on a piece of medical equipment once it’s gone through FDA certification.

Multi-factor authentication is another non-starter for IoT. An infusion pump can’t be expected to receive and provide a passcode to verify its identity.

Bringing Ordr to the Chaos of IoT Identity

With all of these limitations, how is identity determined and used for connected devices? The best unique identifier (not identity) is a device MAC address or serial number. MAC addresses are at least trackable (although easily spoofable), but serial numbers are nearly impossible to track and manage.

Ordr takes a new approach that doesn’t require IT and security teams to manually track the endless minutiae of device details or do anything to update or change devices. Instead, Ordr automatically and passively analyzes the behavior of each device and recognizes a device’s identity based on what it actually does (i.e., the device communication).

To illustrate, let’s look at a device that claims to be a printer. Does it act like a printer? How do we know how a printer should act?

To answer this, a large number of printers must be studied to understand what printers normally do: the protocols they speak, the destinations they connect with, the packet patterns they exhibit, etc.

With sufficient sampling a baseline can be established and used to verify if a new “printer” behaves like all the other printers previously seen – if it walks and squawks like a printer, then it’s probably a printer.

It’s also important to understand normal behavior for a particular environment. It’s not enough to know if a printer is behaving within the norms of other printers – it’s essential to know if the printer is behaving like my other printers. Is it talking to the appropriate management server, using the appropriate network segments, and so on?

The combination of global and local insights into behavior gives a very reliable approach to understanding a device’s identity. Just as importantly, it is a passive, hands-off approach that doesn’t require more work from staff or any change to the device itself.
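
The global-plus-local check described above can be sketched in a few lines. This is an added example, not Ordr's implementation: the baseline values, thresholds, verdict names, host names, and the three observed devices are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed global baseline: share of previously seen printers using each service.
GLOBAL_PRINTER = {("tcp", 9100): 0.97, ("tcp", 631): 0.82, ("udp", 161): 0.74,
                  ("udp", 5353): 0.61, ("tcp", 443): 0.40}
# Constructed local baseline: how printers behave at this particular site.
LOCAL_PRINTER = {"peers": {"print-mgmt.example.internal", "snmp.example.internal"},
                 "segments": {"vlan-printers"}}

@dataclass(frozen=True)
class Observed:
    name: str
    services: frozenset   # (protocol, port) pairs seen passively on the wire
    peers: frozenset      # hosts the device communicated with
    segment: str          # network segment it was seen on

def global_findings(dev, baseline=GLOBAL_PRINTER, common=0.5, min_coverage=0.5):
    """Does the device act like printers in general?"""
    expected = {s for s, share in baseline.items() if share >= common}
    coverage = len(dev.services & expected) / len(expected)
    findings = [f"service {proto}/{port} never seen on printers"
                for proto, port in sorted(dev.services - set(baseline))]
    if coverage < min_coverage:
        findings.append(f"only {coverage:.0%} of common printer services observed")
    return findings

def local_findings(dev, baseline=LOCAL_PRINTER):
    """Does the device act like *my* printers?"""
    findings = [f"unexpected peer {p}" for p in sorted(dev.peers - baseline["peers"])]
    if dev.segment not in baseline["segments"]:
        findings.append(f"unexpected segment {dev.segment}")
    return findings

def assess(dev):
    """Global mismatch outranks local mismatch; both lists are reported."""
    g, l = global_findings(dev), local_findings(dev)
    verdict = "not-printer-like" if g else "off-site-norm" if l else "consistent"
    return verdict, g + l

DEVICES = [  # constructed observations of three devices that all claim to be printers
    Observed("lobby-printer", frozenset({("tcp", 9100), ("tcp", 631), ("udp", 161)}),
             frozenset({"print-mgmt.example.internal"}), "vlan-printers"),
    Observed("floor2-printer", frozenset({("tcp", 9100), ("udp", 161), ("udp", 5353)}),
             frozenset({"203.0.113.50"}), "vlan-guest"),
    Observed("mystery-box", frozenset({("tcp", 22), ("tcp", 8080)}),
             frozenset({"print-mgmt.example.internal"}), "vlan-printers"),
]

if __name__ == "__main__":
    for d in DEVICES:
        print(d.name, *assess(d))
```

The second device passes the global check but fails the local one, which is the case the passage singles out: it behaves like a printer, just not like this site's printers.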

As a result, Ordr is able to easily establish identity and continuously monitor it throughout its life cycle. Reach out to us to learn more about how Ordr can help with identity and security for all your IoT, IoMT, OT and other connected devices.

Today, we announced our engagement with the Cybersecurity Maturity Model Certification Center of Excellence (CMMC COE). As the industry leader in continuous discovery, device asset inventory visibility, and security of all connected devices, including unmanaged IoT, IoMT, and OT devices, Ordr will supply cybersecurity protection and resilience for the global defense industrial base (DIB) network of contractors, vendors, and suppliers.

This will help the DIB network of contractors, vendors, and suppliers prepare for their CMMC audit, reduce complexity, improve awareness, and accelerate the industry effort to secure the Federal “supply chain” by becoming more cyber resilient.

Who does CMMC apply to?
CMMC applies to ALL government contractors, primes and subs, who do business with the Department of Defense (DoD). This includes more than 300,000 organizations that will need to be certified. Previously, federal contractors were allowed to self-certify. With the inception of CMMC in 2020, defense contractors must now achieve certification via an accredited 3rd-party auditor in order to be awarded a defense contract.

When does CMMC go into effect?
On November 30, 2020, the DFAR 252.204-7012 made cybersecurity hygiene foundational to all acquisitions. Provisionally trained CMMC assessors are active as this activates the supply performance risk system. Requests for Proposals (RFPs) will now include CMMC requirements of their contractors.

Why is CMMC being implemented?
Prior to CMMC, cybersecurity measures have failed to protect the United States supply chain. The NIST SP 800-171 security standard relies on organizations to self-assess their security posture and then report their compliance. Self-assessment is often not a top priority and does not offer any safeguards to verify supply chain integrity. Compliance does not equal security, but financially motivated compliance can offer cybersecurity hygiene and corporate process. CMMC will serve as a verification tool to ensure appropriate cybersecurity practices are in place for the DIB network of contractors, vendors, and suppliers.

How do I achieve CMMC compliance?
All defense contractors are required to coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule their CMMC audit. These auditors will review the contractor’s security processes and practices. Based on the security controls in place and the contractor’s ability to demonstrate organizational and operational maturity, the contractor will be awarded a CMMC certification from Level 1 to Level 5 with a multitude of Practices (AKA Controls) in each level. CMMC will require companies to have the certification to match the level required on the solicitation prior to being awarded the contract.


What is Controlled Unclassified Information (CUI) data?
The DoD defines Controlled Unclassified Information (CUI) as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” Additional information on CUI is available in the DoD CUI memo and the National Archives and Records Administration’s CUI Registry. If your organization possesses CUI, you will likely need to achieve CMMC Level 3.

My Organization is a subcontractor on DoD contracts, do I need CMMC compliance?
Yes, CMMC applies to subcontractors. The level of certification your organization will need will depend upon the type and nature of the information you receive from the prime contractor.

Does my organization need one level of CMMC certification or can areas of our organization be certified at different CMMC levels?
According to the DoD, “When implementing CMMC, a DIB contractor can achieve a specific CMMC level for its entire enterprise network or for a particular segment(s) or enclave(s), depending upon where the information to be protected is handled and stored.” Organizations can choose to achieve a base level of CMMC for their entire organization and be certified at higher levels for certain enclaves as contracts require.

For more information on how Ordr can help the DIB network of contractors, vendors, and suppliers meet 77 of the CMMC practices, visit our CMMC webpage or email us at info@ordr.net.