CISA has issued a Binding Operational Directive (BOD) to reduce the risk posed by unpatched or actively exploited vulnerabilities.
The threat of unpatched vulnerabilities is one of the pressing security issues for organizations worldwide. Despite necessary cybersecurity initiatives, threat actors continue to exploit unpatched flaws to penetrate critical systems. The Cybersecurity and Infrastructure Security Agency (CISA) recently issued a Binding Operational Directive (BOD) to reduce the risk of actively exploited vulnerabilities. The new Directive, which applies to all software and hardware found on federal information systems, requires federal civilian agencies to remediate such vulnerabilities within specific timeframes.
BIG step forward today in protecting Federal Civilian Networks–Binding Operational Directive (BOD) 22-01 establishes timeframes for mitigation of known exploited vulnerabilities and requires improvements in vulnerability management programs: https://t.co/JrB6BQLCNe pic.twitter.com/KXA9ZnMRuN— Jen Easterly (@CISAJen) November 3, 2021
Thousands of Unpatched Flaws
CISA found that malicious actors often look for known unpatched vulnerabilities and exploit them within a short time. From 2015-2018, the number of new flaws surged from 6,487 to 17,305, and 9,883 of these were rated “high” and “critical.” According to CISA, over 18,000 vulnerabilities were identified in 2020. Both public and private sector organizations find it difficult to remediate the growing security flaws.
“This Directive addresses this challenge by driving mitigations of those vulnerabilities that are being actively exploited to compromise federal agencies and American businesses, building upon existing methods widely used to prioritize vulnerabilities by many organizations today,” CISA said.
Order to Agencies
CISA has released a list of exploited vulnerabilities that expose government network systems to security risks. It has also ordered agencies to remediate them in the stipulated timelines.
- Within 60 days of issuance, agencies shall review and update agency internal vulnerability management procedures by this Directive. If requested by CISA, agencies will provide a copy of these policies and procedures.
- Establish a process for ongoing remediation of vulnerabilities that CISA identifies, through inclusion in the CISA-managed catalog of known exploited vulnerabilities, as carrying significant risk to the federal enterprise within a timeframe set by CISA pursuant to this directive.
- Remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog. The catalog will list exploited vulnerabilities that carry significant risk to the federal enterprise with the requirement to remediate within six months for vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned before 2021 and within two weeks for all other vulnerabilities.
- Report on the status of vulnerabilities listed in the repository. In line with requirements for the Continuous Diagnostics and Mitigation (CDM) Federal Dashboard deployment and OMB annual FISMA memorandum requirements, agencies are expected to automate data exchange and report their respective Directive implementation status through the CDM Federal Dashboard.
“Every day, our adversaries are using known vulnerabilities to target federal agencies. As the operational lead for federal cybersecurity, we use our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors. The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyberattacks. While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog,” said CISA Director Jen Easterly.