
CISA Releases Binding Operational Directive Aimed at Reducing the Significant Risk of Known Exploited Vulnerabilities

November 4, 2021

On Nov. 3, the Cybersecurity and Infrastructure Security Agency (CISA) released Binding Operational Directive (BOD) 22-01, which establishes a catalog of known exploited vulnerabilities that carry significant risk to the federal enterprise (https://cisa.gov/known-exploited-vulnerabilities-catalog) and sets requirements for agencies to remediate any such vulnerabilities.

CISA is targeting vulnerabilities for remediation that have known exploits and are being actively exploited by malicious cyber actors. Rather than issue individual Emergency Directives for each vulnerability of concern, BOD 22-01 institutes a mechanism that:

  • Establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk; and
  • Requires federal civilian agencies to remediate these vulnerabilities within a more aggressive timeline.

This Directive enhances but does not replace BOD 19-02, which addresses remediation requirements for critical and high vulnerabilities on internet-facing federal information systems identified through CISA’s vulnerability scanning service.

Scope

This Directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third-party vendors on an agency’s behalf. The required actions apply to any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.

Required Actions

  • Within 60 days of issuance, agencies must review and update agency internal vulnerability management procedures in accordance with this Directive. At a minimum, agency policies must:
    • Establish a process for ongoing remediation of vulnerabilities that CISA identifies;
    • Assign roles and responsibilities for executing agency actions;
    • Define the actions necessary to enable prompt response to actions issued under this Directive;
    • Establish internal validation and enforcement procedures to ensure adherence with this Directive; and
    • Set internal tracking and reporting requirements to evaluate adherence with this Directive and provide reporting to CISA, as needed.
  • Remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog. The catalog will list exploited vulnerabilities that carry significant risk to the federal enterprise, with a requirement to remediate within 6 months for vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021, and within two weeks for all other vulnerabilities.
  • Report on the status of vulnerabilities listed in the repository.

While the Directive applies to federal civilian agencies, CISA strongly recommends that private businesses, industry, and state, local, tribal and territorial (SLTT) governments prioritize mitigation of vulnerabilities in CISA’s Directive and sign up for updates to the catalog.

If you have any questions about the above actions, need guidance, or would like a copy of the Directive, please contact Jeffrey Wells, jwells@clarkhill.com, or Melissa Ventrone, mventrone@clarkhill.com.
