top of page
  • Deborah

On November 3rd, the Cybersecurity and Infrastructure Security Agency (CISA) released Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, (‘the Directive’) ‘to drive urgent and prioritized remediation of vulnerabilities that are being actively exploited by adversaries’.


The Directive sets out a catalog of known exploited vulnerabilities and requires federal civilian agencies to remediate such vulnerabilities within specific timeframes.

Required Actions for remediation

  1. Within 60 days of issuance, review and update of internal vulnerability management procedures in accordance with this Directive. If requested by CISA, agencies will provide a copy of these policies and procedures. At a minimum, policies must:

  • Establish a process for ongoing remediation of vulnerabilities that CISA identifies.

  • Assign roles and responsibilities for executing agency actions as required by the Directive;

  • Define necessary actions required to enable prompt response to actions required by the Directive;

  • Establish internal validation and enforcement procedures to ensure adherence with this Directive; and

  • Set internal tracking and reporting requirements to evaluate adherence with the Directive and provide reporting to CISA, as needed.

  1. Remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog within the specific timeframe.

  2. Report on the status of vulnerabilities listed in the repository.

The Directive applies to all software and hardware found on federal information systems, including those managed on agency premises or hosted by third parties’ vendors on an agency’s behalf.


While the Directive applies primarily to federal civilian agencies, CISA strongly recommends that ‘every organization ‘ including private businesses prioritize mitigation of vulnerabilities in CISA’s Directive and sign up for notification updates to the catalog.


Recent Posts

See All

Information, Communication Technology (ICT) systems, generally includes all hardware, software, applications and systems that combined enable people and organizations to communicate digitally. ICT enc

25 January 2023 - Comments requested on Financial Conduct Authority (FCA) proposed Sustainability Disclosure Requirements (SDR) and investment labels. 6 February 2023 - Comment period closes for the u

Last November, 2022 the Bank for International Settlements (BIS) and the International Organization of Securities Commissions (IOSCO) published their Level 3 assessment of cyber resilience on 37 Finan

bottom of page