CISA Releases Binding Operational Directive Aimed at Reducing the Significant Risk of Known Exploited Vulnerabilities
On Nov. 3, the Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive that establishes a catalog of known exploited vulnerabilities that carry significant risk to the federal enterprise (https://cisa.gov/known-exploited-vulnerabilities-catalog) and sets requirements for agencies to remediate any such vulnerabilities.
CISA is targeting vulnerabilities for remediation that have known exploits and are being actively exploited by malicious cyber actors. Rather than issue individual Emergency Directives for each vulnerability of concern, BOD 22-01 institutes a mechanism that:
- Establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk; and
- Requires federal civilian agencies to remediate these vulnerabilities within a more aggressive timeline.
This Directive enhances but does not replace BOD 19-02, which addresses remediation requirements for critical and high vulnerabilities on internet-facing federal information systems identified through CISA’s vulnerability scanning service.
This Directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third-party vendors on an agency’s behalf. The required actions apply to any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.
The Directive requires agencies to:
- Within 60 days of issuance, review and update agency internal vulnerability management procedures in accordance with this Directive. At a minimum, agency policies must:
  - Establish a process for ongoing remediation of vulnerabilities that CISA identifies;
  - Assign roles and responsibilities for executing agency actions;
  - Define the actions necessary to enable prompt response to required actions;
  - Establish internal validation and enforcement procedures to ensure adherence with this Directive; and
  - Set internal tracking and reporting requirements to evaluate adherence with this Directive and provide reporting to CISA, as needed.
- Remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog. The catalog will list exploited vulnerabilities that carry significant risk to the federal enterprise, with the requirement to remediate within 6 months for vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021 and within two weeks for all other vulnerabilities.
- Report on the status of vulnerabilities listed in the repository.
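The remediation timeline above (6 months for pre-2021 CVE IDs, two weeks for everything else) is mechanical enough to automate. The following is an added example, not code from CISA or the Directive: it derives each catalog entry's due date from its CVE year and the date it was added, then flags overdue entries for products present in an asset inventory. The catalog entries and product names are constructed, and the JSON field names (`cveID`, `dateAdded`, `product`) are an assumption about the feed format, not something this notice specifies.

```python
import calendar
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample catalog; CVE IDs are placeholders, not real entries.
# Field names are an assumed feed layout, not taken from the Directive text.
SAMPLE_CATALOG_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2019-99999", "dateAdded": "2021-11-03", "product": "ExampleVPN"},
    {"cveID": "CVE-2021-99998", "dateAdded": "2021-11-03", "product": "ExampleMail"},
    {"cveID": "CVE-2021-99997", "dateAdded": "2021-11-17", "product": "ExampleCMS"},
]})

def add_months(d: date, months: int) -> date:
    """Advance d by whole months, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return d.replace(year=year, month=month, day=min(d.day, last_day))

def bod_22_01_due_date(cve_id: str, date_added: date) -> date:
    """BOD 22-01 rule: CVE IDs assigned before 2021 get 6 months, all others two weeks."""
    cve_year = int(cve_id.split("-")[1])
    if cve_year < 2021:
        return add_months(date_added, 6)
    return date_added + timedelta(days=14)

@dataclass(frozen=True)
class Finding:
    cve_id: str
    product: str
    due: date
    overdue: bool

def triage(catalog_json: str, installed_products: set[str], today: date) -> list[Finding]:
    """Return catalog entries affecting installed products, earliest due date first."""
    findings = []
    for entry in json.loads(catalog_json)["vulnerabilities"]:
        if entry["product"] not in installed_products:
            continue  # not in our inventory; still worth tracking, but no action due
        due = bod_22_01_due_date(entry["cveID"], date.fromisoformat(entry["dateAdded"]))
        findings.append(Finding(entry["cveID"], entry["product"], due, today > due))
    return sorted(findings, key=lambda f: f.due)

if __name__ == "__main__":
    for f in triage(SAMPLE_CATALOG_JSON, {"ExampleVPN", "ExampleCMS"}, date(2021, 12, 5)):
        print(f"{f.cve_id} ({f.product}) due {f.due} {'OVERDUE' if f.overdue else 'open'}")
```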
While the Directive applies to federal civilian agencies, CISA strongly recommends that private businesses, industry, and state, local, tribal and territorial (SLTT) governments prioritize mitigation of vulnerabilities in CISA’s Directive and sign up for updates to the catalog.
If you have any questions about the above actions, need guidance, or would like a copy of the Directive, please contact Jeffrey Wells, email@example.com, or Melissa Ventrone, firstname.lastname@example.org.