By Deborah

On November 3rd, the Cybersecurity and Infrastructure Security Agency (CISA) released Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities (‘the Directive’), ‘to drive urgent and prioritized remediation of vulnerabilities that are being actively exploited by adversaries’.

The Directive sets out a catalog of known exploited vulnerabilities and requires federal civilian agencies to remediate such vulnerabilities within specific timeframes.

Required Actions for Remediation

  1. Within 60 days of issuance, review and update internal vulnerability management procedures in accordance with this Directive. If requested by CISA, agencies will provide a copy of these policies and procedures. At a minimum, policies must:

  • Establish a process for ongoing remediation of vulnerabilities that CISA identifies;

  • Assign roles and responsibilities for executing agency actions as required by the Directive;

  • Define necessary actions required to enable prompt response to actions required by the Directive;

  • Establish internal validation and enforcement procedures to ensure adherence with this Directive; and

  • Set internal tracking and reporting requirements to evaluate adherence with the Directive and provide reporting to CISA, as needed.

  2. Remediate each vulnerability within the timeline set forth in the CISA-managed vulnerability catalog.

  3. Report on the status of vulnerabilities listed in the catalog.
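One way an agency or business could track scanner findings against the catalog's due dates for the remediation and reporting steps above, as an added Python example that is not part of this post: it parses a constructed sample in the shape of CISA's KEV JSON feed (the field names follow the published feed; the CVE ids, asset names and dates are placeholders) and classifies each finding as overdue, due, remediated, or not listed in the catalog.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow the
# published feed; the entries themselves are placeholders, not real catalog records.
SAMPLE_CATALOG = json.dumps({
    "title": "Known Exploited Vulnerabilities Catalog (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
         "dateAdded": "2021-11-03", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2021-11-17"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleMail",
         "dateAdded": "2021-11-03", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-05-03"},
    ],
})

# Constructed scanner findings: (asset, CVE, already remediated?)
SAMPLE_FINDINGS = [
    ("vpn-gw-01", "CVE-0000-0001", False),
    ("mail-01", "CVE-0000-0002", False),
    ("mail-02", "CVE-0000-0002", True),
    ("web-01", "CVE-0000-0003", False),   # not in the catalog, so outside the Directive
]

def load_catalog(raw_json):
    """Map each catalogued CVE id to its remediation due date."""
    data = json.loads(raw_json)
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in data["vulnerabilities"]}

def triage(findings, catalog, today_iso):
    """Classify findings against the catalog for internal tracking and reporting.
    Returns {"overdue": [...], "due": [...], "remediated": [...], "not_listed": [...]};
    each entry is (asset, cve, days_until_due), where a negative value means overdue."""
    today = date.fromisoformat(today_iso)
    report = {"overdue": [], "due": [], "remediated": [], "not_listed": []}
    for asset, cve, fixed in findings:
        if cve not in catalog:
            report["not_listed"].append((asset, cve, None))
            continue
        days = (catalog[cve] - today).days
        bucket = "remediated" if fixed else ("overdue" if days < 0 else "due")
        report[bucket].append((asset, cve, days))
    return report

if __name__ == "__main__":
    result = triage(SAMPLE_FINDINGS, load_catalog(SAMPLE_CATALOG), "2022-04-01")
    for status, items in result.items():
        for asset, cve, days in items:
            print(f"{status:<11} {asset:<10} {cve} days_until_due={days}")
```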

The Directive applies to all software and hardware found on federal information systems, including those managed on agency premises or hosted by third-party vendors on an agency’s behalf.

While the Directive applies primarily to federal civilian agencies, CISA strongly recommends that ‘every organization’, including private businesses, prioritize mitigation of the vulnerabilities in CISA’s catalog and sign up for notification updates to the catalog.