CISA mandates security for Internet-exposed network devices in federal agencies.

CISA has issued a binding operational directive (BOD) ordering federal civilian agencies to secure misconfigured or Internet-exposed networking equipment within 14 days of discovery. The directive applies to networked devices with Internet-exposed management interfaces, such as routers, firewalls, proxies, and load balancers. Federal agencies have 14 days to either restrict access to the networking equipment's interface to the internal network or implement Zero Trust measures to enforce access control to the interface via a policy enforcement point separate from the interface itself. CISA will conduct scans to identify devices and interfaces falling within the directive's scope and provide technical expertise to help agencies secure devices.