On November 3rd, the Cybersecurity and Infrastructure Security Agency (CISA) released Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, (‘the Directive’) ‘to drive urgent and prioritized remediation of vulnerabilities that are being actively exploited by adversaries’.
The Directive sets out a catalog of known exploited vulnerabilities and requires federal civilian agencies to remediate such vulnerabilities within specific timeframes.
Required Actions for remediation
Within 60 days of issuance, review and update of internal vulnerability management procedures in accordance with this Directive. If requested by CISA, agencies will provide a copy of these policies and procedures. At a minimum, policies must:
Establish a process for ongoing remediation of vulnerabilities that CISA identifies.
Assign roles and responsibilities for executing agency actions as required by the Directive;
Define necessary actions required to enable prompt response to actions required by the Directive;
Establish internal validation and enforcement procedures to ensure adherence with this Directive; and
Set internal tracking and reporting requirements to evaluate adherence with the Directive and provide reporting to CISA, as needed.
Remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog within the specific timeframe.
Report on the status of vulnerabilities listed in the repository.
The Directive applies to all software and hardware found on federal information systems, including those managed on agency premises or hosted by third parties’ vendors on an agency’s behalf.
While the Directive applies primarily to federal civilian agencies, CISA strongly recommends that ‘every organization ‘ including private businesses prioritize mitigation of vulnerabilities in CISA’s Directive and sign up for notification updates to the catalog.