{"id":20889,"date":"2023-07-13T08:01:38","date_gmt":"2023-07-13T08:01:38","guid":{"rendered":"https:\/\/www.realvnc.com\/en\/?post_type=blog&p=20889"},"modified":"2026-04-13T10:44:26","modified_gmt":"2026-04-13T09:44:26","slug":"binding-operational-directive-23-02","status":"publish","type":"blog","link":"https:\/\/www.realvnc.com\/en\/blog\/binding-operational-directive-23-02\/","title":{"rendered":"How Binding Operational Directive 23-02 Makes the Case (and Mandate) for Secure Remote Access"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

In 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released Binding Operational Directive 23-02 (BOD 23-02): Mitigating the Risk from Internet-Exposed Management Interfaces<\/em> \u2013 a directive aimed at securing both network management devices<\/a> and device management interfaces (e.g., firewalls, routers, VPNs, etc.) and any device that can be remotely managed using a variety of internal enterprise network protocols including hypertext transfer protocol (HTTP), file transfer protocol (FTP), SSH, SMB, and Remote Desktop Protocol (RDP).<\/p>\n

While BOD 23-02 is mandatory for federal civilian agencies, CISA has strongly encouraged private sector organizations to follow the same guidance. The risks created by internet-exposed management interfaces are not unique to government environments, and the directive reflects broader cybersecurity best practices that apply to any enterprise network.<\/p>\n

Understanding CISA BOD 23-02<\/h2>\n

The CISA BOD 23-02 directive mandates that federal agencies and sub-agencies make applicable interfaces across federal information systems \u2013 whether internally discovered or \u201cwithin 14 days of notification by CISA\u201d \u2013 only accessible internally or enforce access controls where a policy enforcement point is established from a separate device (a basic tenet of Zero Trust architecture capabilities).<\/p>\n

The directive applies specifically to dedicated device interfaces used for administrative access and requires that they be removed from the public facing internet or protected through a policy enforcement point separate from the system being accessed.<\/p>\n

CISA, the federal infrastructure security agency, which is part of the Department of Homeland Security, also clarified that they planned to scan for devices and interfaces as part of ongoing asset management efforts to identify devices in scope of the Directive and notify agencies of all findings. This includes identifying newly added devices and devices residing outside expected network boundaries, with agencies expected to maintain visibility through a centralized reporting interface.<\/p>\n

Not more than two weeks later, an analysis of more than 50 federal civilian executive branch agencies was conducted by Internet threat-hunting vendor Censys.<\/a> In total, Censys found over 250 instances<\/em> of \u201cweb interfaces for hosts exposing network appliances, many of which were running remote protocols.\u201d<\/p>\n

How Exposed Interfaces Expand Your Attack Surface<\/h2>\n

The analysis definitely confirms CISA’s worst fears: that, despite a belief that an agency’s enterprise network is secure<\/a>, there are plenty of exposed ports tied to misconfigured management interfaces, which provide threat actors with management communication protocols used to perform administrative activities that can potentially be misused for malicious purposes.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Scope\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The attack surface created by these exposures often includes legacy services such as simple network management protocol or trivial file transfer protocol, which were never designed to be safely accessible over modern networks.<\/p>\n

Securing Network Devices and Network Infrastructure<\/h3>\n

So, what should organizations in the private sector take away from this directive and subsequent risk analysis? Three things come to mind:<\/p>\n

1. Any Kind of Remote Access Can Be a Risk<\/h4>\n

While we spend a lot of time on this blog talking mostly about remote access<\/a> from an authorized user \u201cremotely accessing a desktop\u201d perspective, CISA’s list of protocols in the directive is rather extensive and aligns with the long list of examples found within two Initial Access techniques from the MITRE ATT&CK Framework: Exploit Public-Facing Application<\/a> and External Remote Access<\/a>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"MITRA\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Beyond RDP, services such as virtual network computing, remote login, and even legacy teletype network access methods continue to appear in real-world environments, increasing the likelihood of exploitation.<\/p>\n

CISA does mention a number of remote desktop<\/a>-type protocols in their directive as well, furthering the notion that this kind of access remains a risk.<\/p>\n

2. You Have More Present Risk Than You Think<\/h4>\n

The Censys analysis found an average of five interfaces per agency that met the Directive’s criteria. Some of them were even using the Windows SMB protocol (meaning, in theory, an external machine could map a drive to a Windows share at the exposed IP address).<\/p>\n

In many environments, exposed access also extends to load balancers, application programming interfaces, and management portals that were never intended to be reachable externally.<\/p>\n

Unless your organization does its own threat hunting and port scanning, you should assume you have more exposure than you know about and commission an analysis of your own externally facing risk.<\/p>\n

3. \u201cSecure\u201d is the Goal<\/h4>\n

While CISA’s first mandate is to \u201cremove the interface from the internet,\u201d it’s only mentioned as an alternative, should an agency not be able to bring the exposed under proper controls. From the directive:<\/p>\n

\n

For the purposes of this Directive, as outlined in the required actions section below, networked management interfaces are allowed to remain accessible from the internet on networks where agencies employ capabilities to mediate all access to the interface in alignment with OMB M-22-09, NIST 800-207, the TIC 3.0 Capability Catalog, and CISA’s Zero Trust Maturity Model.<\/em><\/p>\n<\/blockquote>\n

Zero Trust Architecture is an enterprise approach to designing and implementing access policies that assume no implicit trust and require continuous verification for every access request.<\/p>\n

This approach often includes placing management access behind an isolated management network and deploying capabilities that continuously validate identity, device posture, and session context.<\/p>\n

The practice minimizes uncertainty by enforcing least-privilege access decisions across information systems and services, ensuring that users and devices receive only the access required for a specific task, session, and duration.<\/p>\n

So, CISA is saying that IF you can properly secure your remote access (using Zero Trust as the standard), it’s acceptable to have it continue to be accessible from the public Internet.<\/p>\n

“Zero Trust Remote Access”?<\/h2>\n

All four of the referenced documents help to define Zero Trust principles and Zero Trust capabilities.\u00a0<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Zero\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

It’s important to keep in mind that there are only Zero Trust principles and solutions that adhere to them. There are no actual “Zero Trust solutions” (i.e., solutions that have somehow received a nonexistent Zero Trust certification, etc.).<\/p>\n

According to CISA, what’s important when applying this to your organization’s secure remote desktop access is:<\/p>\n

    \n
  1. \n

    that the remote access is secured by policy<\/p>\n<\/li>\n

  2. \n

    that the policy engine (the system that establishes and pushes out security policies) be separate from the system providing the remote access.<\/p>\n<\/li>\n<\/ol>\n

    So, to bring any remote access under \u201ccompliance\u201d (if you will) with CISA’s directive for Zero Trust principles to be in place, there are a few things you can initially do:<\/p>\n

    1. Use a Centrally Managed Remote Access Solution<\/h3>\n

    If you are using, say, a single endpoint providing RDP access externally, you’re definitely not secure.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Legacy\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t

    You need to use a remote access solution<\/a> that centrally establishes who can access which systems remotely, from where, and when, etc.<\/p>\n

    2. Use Multi-Factor Authentication (MFA)<\/h3>\n

    Nestled somewhat within the NIST 800-207 document that describes Zero Trust as a core tenet that states that MFA should be used. While not stated as required at all times, we’re talking about providing access to an endpoint within organizational information systems; it potentially could also be a persistent foothold for threat actors. So, MFA is needed<\/a> here always<\/em>.<\/p>\n

    3. Determine if Secure Remote Management and Access is All You Need<\/h3>\n

    The state of organizational cybersecurity, in general, is moving towards Zero Trust, albeit slowly; fully implementing Zero Trust can take years<\/em>. It’s why I emphasize the immediate need to embrace Zero Trust principles<\/em> and not be concerned so much with needing to be \u201ccompliant\u201d with Zero Trust (as if it’s a standard with specific implementation requirements\u2026 which it’s not).<\/p>\n

    But for those of you thinking that you want to better understand what differentiates solutions like Zero Trust Network Access and a Secure Remote Access solution, read about which solution is right for your organization<\/a>.<\/p>\n

    Mitigating the Risk: Secure Your Remote Access\u2026 And Fast!<\/h2>\n

    If nothing else, the directive from CISA makes the case that the risk created by exposed remote access is something that needs to be addressed quickly. Their 14-day required response time indicates how big a problem this is, and how fast your organization should address the risk, regardless of whether you are in the public or private sector.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

    In 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released Binding Operational Directive 23-02 (BOD 23-02): Mitigating the Risk from Internet-Exposed Management Interfaces \u2013 a directive aimed at securing both network management devices and device management interfaces (e.g., firewalls, routers, VPNs, etc.) and any device that can be remotely managed using a variety of internal … Read more<\/a><\/p>\n","protected":false},"author":16,"featured_media":20892,"template":"","blog_category":[280,281,257],"class_list":["post-20889","blog","type-blog","status-publish","has-post-thumbnail","hentry","blog_category-featured","blog_category-remote-access","blog_category-security"],"yoast_head":"\nHow Binding Operational Directive 23-02 Makes the Case (and Mandate) for Secure Remote Access<\/title>\n<meta name=\"description\" content=\"Discover how the Binding Operational Directive 23-02 (BOD 23-02) makes a case (and mandate) for secure remote access.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.realvnc.com\/en\/blog\/binding-operational-directive-23-02\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How Binding Operational Directive 23-02 Makes the Case (and Mandate) for Secure Remote Access\" \/>\n<meta property=\"og:description\" content=\"Discover how the Binding Operational Directive 23-02 (BOD 23-02) makes a case (and mandate) for secure remote access.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.realvnc.com\/en\/blog\/binding-operational-directive-23-02\/\" \/>\n<meta property=\"og:site_name\" content=\"RealVNC\u00ae\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/realvnc\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-13T09:44:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/07\/secure-remote-access-operational-directive.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1500\" \/>\n\t<meta property=\"og:image:height\" content=\"999\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@realvnc\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/binding-operational-directive-23-02\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/binding-operational-directive-23-02\\\/\"},\"author\":{\"name\":\"Bogdan Bele\",\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/#\\\/schema\\\/person\\\/6fa9f449ba19409f0cd7235931f51987\"},\"headline\":\"How Binding Operational Directive 23-02 Makes the Case (and Mandate) for Secure Remote Access\",\"datePublished\":\"2023-07-13T08:01:38+00:00\",\"dateModified\":\"2026-04-13T09:44:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/binding-operational-directive-23-02\\\/\"},\"wordCount\":1335,\"publisher\":{\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/binding-operational-directive-23-02\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.realvnc.com\\\/wp-content\\\/uploads\\\/2023\\\/07\\\/secure-remote-access-operational-directive.jpg\",\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/binding-operational-directive-23-02\\\/\",\"url\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/binding-operational-directive-23-02\\\/\",\"name\":\"How Binding Operational Directive 23-02 Makes the Case (and Mandate) for Secure Remote Access\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/binding-operational-directive-23-02\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/binding-operational-directive-23-02\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.realvnc.com\\\/wp-content\\\/uploads\\\/2023\\\/07\\\/secure-remote-access-operational-directive.jpg\",\"datePublished\":\"2023-07-13T08:01:38+00:00\",\"dateModified\":\"2026-04-13T09:44:26+00:00\",\"description\":\"Discover how the Binding Operational Directive 23-02 (BOD 23-02) makes a case (and mandate) for secure remote access.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/binding-operational-directive-23-02\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/binding-operational-directive-23-02\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/binding-operational-directive-23-02\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.realvnc.com\\\/wp-content\\\/uploads\\\/2023\\\/07\\\/secure-remote-access-operational-directive.jpg\",\"contentUrl\":\"https:\\\/\\\/www.realvnc.com\\\/wp-content\\\/uploads\\\/2023\\\/07\\\/secure-remote-access-operational-directive.jpg\",\"width\":1500,\"height\":999,\"caption\":\"Featured image for binding operational directive 23-02\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/binding-operational-directive-23-02\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Blogs\",\"item\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"How Binding Operational Directive 23-02 Makes the Case (and Mandate) for Secure Remote Access\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/\",\"name\":\"RealVNC\u00ae\",\"description\":\"The world's safest remote access software\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/#organization\",\"name\":\"RealVNC\u00ae\",\"url\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.realvnc.com\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/realvnc-logo-blue.png\",\"contentUrl\":\"https:\\\/\\\/www.realvnc.com\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/realvnc-logo-blue.png\",\"width\":300,\"height\":41,\"caption\":\"RealVNC\u00ae\"},\"image\":{\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/realvnc\",\"https:\\\/\\\/x.com\\\/realvnc\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/realvnc\\\/\",\"https:\\\/\\\/www.youtube.com\\\/RealVNCLtd\",\"https:\\\/\\\/en.wikipedia.org\\\/wiki\\\/RealVNC\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.realvnc.com\\\/en\\\/#\\\/schema\\\/person\\\/6fa9f449ba19409f0cd7235931f51987\",\"name\":\"Bogdan Bele\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/db953d23953822fd0e4cf9ec4b44b151a5712b3d00982d581e2c162042f75c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/db953d23953822fd0e4cf9ec4b44b151a5712b3d00982d581e2c162042f75c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/db953d23953822fd0e4cf9ec4b44b151a5712b3d00982d581e2c162042f75c3d?s=96&d=mm&r=g\",\"caption\":\"Bogdan Bele\"},\"description\":\"A journalist by formation and experience, and a content writer by trade. I\u2019ve been writing content, both online and offline, for more than 15 years. My focus has always been technology, but I\u2019ve also ventured into fields as diverse as music, football or news. I am RealVNC\u2019s in-house Digital Content Editor, so a lot of what you\u2019re reading on this blog is written by me. I also edit a lot of our content output. When I\u2019m not writing, editing or reading, you\u2019ll probably find me at a concert or watching a Chelsea FC game.\",\"sameAs\":[\"https:\\\/\\\/www.linkedin.com\\\/in\\\/bogdanbele\\\/\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How Binding Operational Directive 23-02 Makes the Case (and Mandate) for Secure Remote Access","description":"Discover how the Binding Operational Directive 23-02 (BOD 23-02) makes a case (and mandate) for secure remote access.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.realvnc.com\/en\/blog\/binding-operational-directive-23-02\/","og_locale":"en_US","og_type":"article","og_title":"How Binding Operational Directive 23-02 Makes the Case (and Mandate) for Secure Remote Access","og_description":"Discover how the Binding Operational Directive 23-02 (BOD 23-02) makes a case (and mandate) for secure remote access.","og_url":"https:\/\/www.realvnc.com\/en\/blog\/binding-operational-directive-23-02\/","og_site_name":"RealVNC\u00ae","article_publisher":"https:\/\/www.facebook.com\/realvnc","article_modified_time":"2026-04-13T09:44:26+00:00","og_image":[{"width":1500,"height":999,"url":"https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/07\/secure-remote-access-operational-directive.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_site":"@realvnc","twitter_misc":{"Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.realvnc.com\/en\/blog\/binding-operational-directive-23-02\/#article","isPartOf":{"@id":"https:\/\/www.realvnc.com\/en\/blog\/binding-operational-directive-23-02\/"},"author":{"name":"Bogdan Bele","@id":"https:\/\/www.realvnc.com\/en\/#\/schema\/person\/6fa9f449ba19409f0cd7235931f51987"},"headline":"How Binding Operational Directive 23-02 Makes the Case (and Mandate) for Secure Remote Access","datePublished":"2023-07-13T08:01:38+00:00","dateModified":"2026-04-13T09:44:26+00:00","mainEntityOfPage":{"@id":"https:\/\/www.realvnc.com\/en\/blog\/binding-operational-directive-23-02\/"},"wordCount":1335,"publisher":{"@id":"https:\/\/www.realvnc.com\/en\/#organization"},"image":{"@id":"https:\/\/www.realvnc.com\/en\/blog\/binding-operational-directive-23-02\/#primaryimage"},"thumbnailUrl":"https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/07\/secure-remote-access-operational-directive.jpg","inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.realvnc.com\/en\/blog\/binding-operational-directive-23-02\/","url":"https:\/\/www.realvnc.com\/en\/blog\/binding-operational-directive-23-02\/","name":"How Binding Operational Directive 23-02 Makes the Case (and Mandate) for Secure Remote Access","isPartOf":{"@id":"https:\/\/www.realvnc.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.realvnc.com\/en\/blog\/binding-operational-directive-23-02\/#primaryimage"},"image":{"@id":"https:\/\/www.realvnc.com\/en\/blog\/binding-operational-directive-23-02\/#primaryimage"},"thumbnailUrl":"https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/07\/secure-remote-access-operational-directive.jpg","datePublished":"2023-07-13T08:01:38+00:00","dateModified":"2026-04-13T09:44:26+00:00","description":"Discover how the Binding Operational Directive 23-02 (BOD 23-02) makes a case (and mandate) for secure remote access.","breadcrumb":{"@id":"https:\/\/www.realvnc.com\/en\/blog\/binding-operational-directive-23-02\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.realvnc.com\/en\/blog\/binding-operational-directive-23-02\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.realvnc.com\/en\/blog\/binding-operational-directive-23-02\/#primaryimage","url":"https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/07\/secure-remote-access-operational-directive.jpg","contentUrl":"https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/07\/secure-remote-access-operational-directive.jpg","width":1500,"height":999,"caption":"Featured image for binding operational directive 23-02"},{"@type":"BreadcrumbList","@id":"https:\/\/www.realvnc.com\/en\/blog\/binding-operational-directive-23-02\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.realvnc.com\/en\/"},{"@type":"ListItem","position":2,"name":"Blogs","item":"https:\/\/www.realvnc.com\/en\/blog\/"},{"@type":"ListItem","position":3,"name":"How Binding Operational Directive 23-02 Makes the Case (and Mandate) for Secure Remote Access"}]},{"@type":"WebSite","@id":"https:\/\/www.realvnc.com\/en\/#website","url":"https:\/\/www.realvnc.com\/en\/","name":"RealVNC\u00ae","description":"The world's safest remote access software","publisher":{"@id":"https:\/\/www.realvnc.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.realvnc.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.realvnc.com\/en\/#organization","name":"RealVNC\u00ae","url":"https:\/\/www.realvnc.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.realvnc.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/05\/realvnc-logo-blue.png","contentUrl":"https:\/\/www.realvnc.com\/wp-content\/uploads\/2023\/05\/realvnc-logo-blue.png","width":300,"height":41,"caption":"RealVNC\u00ae"},"image":{"@id":"https:\/\/www.realvnc.com\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/realvnc","https:\/\/x.com\/realvnc","https:\/\/www.linkedin.com\/company\/realvnc\/","https:\/\/www.youtube.com\/RealVNCLtd","https:\/\/en.wikipedia.org\/wiki\/RealVNC"]},{"@type":"Person","@id":"https:\/\/www.realvnc.com\/en\/#\/schema\/person\/6fa9f449ba19409f0cd7235931f51987","name":"Bogdan Bele","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/db953d23953822fd0e4cf9ec4b44b151a5712b3d00982d581e2c162042f75c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/db953d23953822fd0e4cf9ec4b44b151a5712b3d00982d581e2c162042f75c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/db953d23953822fd0e4cf9ec4b44b151a5712b3d00982d581e2c162042f75c3d?s=96&d=mm&r=g","caption":"Bogdan Bele"},"description":"A journalist by formation and experience, and a content writer by trade. I\u2019ve been writing content, both online and offline, for more than 15 years. My focus has always been technology, but I\u2019ve also ventured into fields as diverse as music, football or news. I am RealVNC\u2019s in-house Digital Content Editor, so a lot of what you\u2019re reading on this blog is written by me. I also edit a lot of our content output. When I\u2019m not writing, editing or reading, you\u2019ll probably find me at a concert or watching a Chelsea FC game.","sameAs":["https:\/\/www.linkedin.com\/in\/bogdanbele\/"]}]}},"_links":{"self":[{"href":"https:\/\/www.realvnc.com\/en\/wp-json\/wp\/v2\/blog\/20889","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.realvnc.com\/en\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/www.realvnc.com\/en\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/www.realvnc.com\/en\/wp-json\/wp\/v2\/users\/16"}],"version-history":[{"count":1,"href":"https:\/\/www.realvnc.com\/en\/wp-json\/wp\/v2\/blog\/20889\/revisions"}],"predecessor-version":[{"id":89929,"href":"https:\/\/www.realvnc.com\/en\/wp-json\/wp\/v2\/blog\/20889\/revisions\/89929"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.realvnc.com\/en\/wp-json\/wp\/v2\/media\/20892"}],"wp:attachment":[{"href":"https:\/\/www.realvnc.com\/en\/wp-json\/wp\/v2\/media?parent=20889"}],"wp:term":[{"taxonomy":"blog_category","embeddable":true,"href":"https:\/\/www.realvnc.com\/en\/wp-json\/wp\/v2\/blog_category?post=20889"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}