FedRAMP Guidance on BOD 23-02

June 16, 2023

The Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS) develops and oversees the implementation of “Binding Operational Directives” (BODs) and “Emergency Directives” (EDs). These directives require action on the part of certain federal agencies and cloud service providers (CSPs). FedRAMP works closely with the Joint Authorization Board (JAB) and DHS CISA to issue actions required and outlined in these BODs and EDs.

Binding Operational Directive 23-02

On June 13, 2023, DHS CISA issued Binding Operational Directive 23-02, “Mitigating the Risk from Internet-Exposed Management Interfaces”. This BOD “requires agencies to take steps to reduce the attack surface created by insecure or misconfigured management interfaces across certain classes of devices.”

FedRAMP Response

While there is no required action for FedRAMP commercial CSPs, FedRAMP recommends that CSPs review the content in Binding Operational Directive 23-02 and follow these best practices.

Please contact the PMO at with any questions.
