Understanding Binding Operational Directives to Help Public Sector Customers Strengthen Cybersecurity Measures


Within the world of Cisco distribution, a challenge arises for partners catering to the distinct needs of the public sector. These partners understand all too well that their public sector customers are a breed apart, operating under a unique set of rules, laws, and directives. As they navigate the complex landscape of government regulations and cybersecurity, understanding Binding Operational Directives (BODs) becomes all the more crucial. In a recent webinar hosted by TD SYNNEX, federal leaders in the U.S. Navy and U.S. Citizenship and Immigration Services joined industry leaders to discuss the pivotal role of BODs in enhancing the cybersecurity framework of the federal government and introducing more Zero Trust solutions, and how collaboration can be a key to their effective employment.

Congress first granted the Department of Homeland Security (DHS) the ability to issue BODs in 2014, and over the last nine years, DHS’s Cybersecurity and Information Security Agency (CISA) has released 12 different BODs. The most recent, Mitigating the Risk from Internet-Exposed Management Interfaces, came out in June 2023. Paul Cunningham, Chief Technical Advisor, Federal, World Wide Technology (WWT), noted that although some consider BODs to be merely suggestions or advisories, “it’s something that every agency has to look at and say, ‘this is something that we have to develop.’” Shane Barney, Chief Information Security Officer, U.S. Citizenship and Immigration Services, agreed with Cunningham, adding, “What makes the BODs or just the binding directives unique and helpful, especially for a CISO, is that they’re law.” They serve as powerful instruments for standardizing the approach to information security, driving the government to be more responsive and vigilant.

While the panel stressed the importance of following BODs to maintain efficient cybersecurity practices, it also acknowledged the challenges they can sometimes create for agencies, especially in terms of time and resources, both of which many lack. Barney said for some, BODs can feel like unfunded mandates. “Some of the BODs themselves on the operational side are exceptionally difficult to do and very costly to the organization both in terms of resources needed, boots on the ground, as well as contract support vehicles, new software, or new tools,” he explained. Owing to the dynamic nature of cybersecurity, Barney said timelines for BOD implementation should remain aggressive, but he acknowledged that they sometimes add additional challenges to agencies already struggling to carry out a lot in a short period of time, especially those already lagging behind their counterparts.

David Voelker, Office of the Department of the Navy (DoN) CISO, Zero Trust Lead and Standardization Officer, Naval Information, advocated for collaboration, describing how coordination with large organizations can be a pivotal element in the successful implementation of BODs and Zero Trust architecture. Because of how intricate and multifaceted they are, BODs necessitate the input of diverse stakeholders, internally and externally, who bring their expertise to the table. Barney added that one of the great aspects of the BODs is the way they “drive conversation with senior leaderships about resources, gaps in our programs, and how to better align those resources and funding,” which leads to more methodical approaches to cybersecurity.

Cunningham emphasized viewing BODs as building blocks rather than mere compliance checkboxes. Collaboration is not just about adhering to directives but about collectively strengthening cybersecurity programs, sharing knowledge, and driving innovation across the entire government. The constant refinement of programs and optimizing the utility of tools necessitates a collective effort and a shared vision. When Barney reinforced the notion that BODs are law, he was conveying how they represent a binding force that calls for unity in standardization. The BODs are not just mandates but a shared commitment to a standardized approach to information security.

BODs also keep industry partners informed about what’s happening within the public sector, said Red Hat’s Chief Technology Officer for North America Public Sector, John Dvorak. “The standards provide us a path for development—where we’re going to invest our time, and how we’re going to implement products to bring back the government,” he explained. Without having to reach out and ask for more information about agencies’ needs and requirements, industry leaders can work on solutions that help agencies meet the BODs and strengthen their cybersecurity measures.

Binding Operational Directives go beyond bureaucratic protocols to serve as guiding principles for building robust cybersecurity operations. Over the past nine years, CISA has developed BODs, each of which has fortified information security practices. While these directives are powerful tools for standardization, they also pose challenges, particularly in the context of the limited time and resources within agencies that are already challenged to keep pace with the dynamic cybersecurity landscape. Through collaboration between CISOs, CIOs, senior leaders, and industry partners, agencies can overcome these challenges and deftly navigate the complex terrain of federal IT security to safeguard the nation’s digital assets. Get the full scoop from the Directives for Success: Implementing BODs webinar here.
