top of page
  • Writer's pictureDeborah

On November 3rd, the Cybersecurity and Infrastructure Security Agency (CISA) released Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, (‘the Directive’) ‘to drive urgent and prioritized remediation of vulnerabilities that are being actively exploited by adversaries’.


The Directive sets out a catalog of known exploited vulnerabilities and requires federal civilian agencies to remediate such vulnerabilities within specific timeframes.

Required Actions for remediation

  1. Within 60 days of issuance, review and update of internal vulnerability management procedures in accordance with this Directive. If requested by CISA, agencies will provide a copy of these policies and procedures. At a minimum, policies must:

  • Establish a process for ongoing remediation of vulnerabilities that CISA identifies.

  • Assign roles and responsibilities for executing agency actions as required by the Directive;

  • Define necessary actions required to enable prompt response to actions required by the Directive;

  • Establish internal validation and enforcement procedures to ensure adherence with this Directive; and

  • Set internal tracking and reporting requirements to evaluate adherence with the Directive and provide reporting to CISA, as needed.

  1. Remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog within the specific timeframe.

  2. Report on the status of vulnerabilities listed in the repository.

The Directive applies to all software and hardware found on federal information systems, including those managed on agency premises or hosted by third parties’ vendors on an agency’s behalf.


While the Directive applies primarily to federal civilian agencies, CISA strongly recommends that ‘every organization ‘ including private businesses prioritize mitigation of vulnerabilities in CISA’s Directive and sign up for notification updates to the catalog.


Recent Posts

See All

The Secured Overnight Financing Rate (SOFR) is a broad measure of the cost of borrowing cash overnight collateralized by Treasury securities. SOFR is the overnight interest rate for US dollar-denomina

13/06/2023 - Canadian Securities Administrators (CSA) SEDAR+ go-live date. All issuer filings, cease trade orders and disciplined list entries will be filed in SEDAR+ 16/06/2023 - OSFI consultation pe

On May 11, the Bank for International Settlements (BIS) published a Handbook on how central bank digital currencies (CBDCs) could work for offline payments, defined as a “transfer of value between dev

bottom of page