CISA Releases Binding Operational Directive Aimed at Reducing the Significant Risk of Known Exploited Vulnerabilities

Clark Hill PLC

On Nov. 3, the Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive that establishes a catalog of known exploited vulnerabilities carrying significant risk to the federal enterprise (https://cisa.gov/known-exploited-vulnerabilities-catalog) and sets requirements for agencies to remediate any such vulnerabilities.

CISA is targeting for remediation those vulnerabilities that have known exploits and are being actively exploited by malicious cyber actors. Rather than issue an individual Emergency Directive for each vulnerability of concern, Binding Operational Directive 22-01 (BOD 22-01) institutes a mechanism that:

  • Establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk; and
  • Requires federal civilian agencies to remediate these vulnerabilities within a more aggressive timeline.

This Directive enhances but does not replace BOD 19-02, which addresses remediation requirements for critical and high vulnerabilities on internet-facing federal information systems identified through CISA’s vulnerability scanning service.

Scope

This Directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third-party vendors on an agency’s behalf. The required actions apply to any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.

Required Actions

  • Within 60 days of issuance, agencies must review and update agency internal vulnerability management procedures in accordance with this Directive. At a minimum, agency policies must:
    • Establish a process for ongoing remediation of vulnerabilities that CISA identifies;
    • Assign roles and responsibilities for executing agency actions;
    • Define the actions required to enable a prompt response to the actions this Directive requires;
    • Establish internal validation and enforcement procedures to ensure adherence with this Directive; and
    • Set internal tracking and reporting requirements to evaluate adherence with this Directive and provide reporting to CISA, as needed.
  • Remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog. The catalog will list exploited vulnerabilities that carry significant risk to the federal enterprise, with a requirement to remediate within 6 months for vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021 and within two weeks for all other vulnerabilities.
  • Report to CISA on the status of vulnerabilities listed in the catalog.

While the Directive applies to federal civilian agencies, CISA strongly recommends that private businesses, industry, and state, local, tribal and territorial (SLTT) governments prioritize mitigation of vulnerabilities in CISA’s Directive and sign up for updates to the catalog.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Clark Hill PLC | Attorney Advertising
