Researchers have discovered hundreds of devices running on government networks that expose remote management interfaces on the open Web. Thanks to the Cybersecurity and Infrastructure Security Agency (CISA), that will change quickly — possibly too quickly, according to some experts.

On June 13, CISA released Binding Operational Directive (BOD) 23-02, with the goal of eliminating Internet-exposed management interfaces running on edge devices in Federal Civilian Executive Branch (FCEB) agency networks. The announcement came soon after CISA’s advisory about Volt Typhoon, the Chinese state-backed advanced persistent threat (APT) that leveraged Fortinet FortiGuard devices in espionage campaigns against US government entities.