This Directive requires agencies to take steps to reduce the attack surface created by insecure or misconfigured management interfaces across certain classes of devices.
Scope
For the purposes of this Directive, a “networked management interface” is defined as a dedicated device interface that is accessible over network protocols and is meant exclusively for authorized users to perform administrative activities on a device, a group of devices, or the network itself.
The requirements in this Directive apply only to devices meeting BOTH of the following criteria:
1. Devices residing on or supporting federal information systems and/or networks that belong to one of the following classes: routers, switches, firewalls, VPN concentrators, proxies, load balancers, and out-of-band server management interfaces (such as iLO and iDRAC).
2. Devices for which the management interfaces are using network protocols for remote management over the public internet, including, but not limited to: Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS), File Transfer Protocol (FTP), Simple Network Management Protocol (SNMP), Teletype Network (Telnet), Trivial File Transfer Protocol (TFTP), Remote Desktop Protocol (RDP), Remote Login (rlogin), Remote Shell (RSH), Secure Shell (SSH), Server Message Block (SMB), Virtual Network Computing (VNC), and X11 (X Window System).
This Directive does NOT apply to web applications and interfaces used for managing Cloud Service Provider (CSP) offerings, including, but not limited to, Application Programming Interfaces (APIs) or management portals.
