CISA issues binding operational directive for federal agencies to review networks for known exploited vulnerabilities


The Cybersecurity and Infrastructure Security Agency (CISA) released on Wednesday a Binding Operational Directive that called upon federal agencies to mitigate actively exploited vulnerabilities on their networks, and reduce the significant risk of known exploited vulnerabilities. It also looks towards establishing priorities for vulnerability management and provides an impetus for federal agencies to improve vulnerability management practices.

The Binding Operational Directive (BOD) 22-01, ‘Reducing the Significant Risk of Known Exploited Vulnerabilities,’ applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency’s behalf.

CISA is using the directive to impose “the first government-wide requirements to remediate vulnerabilities affecting both internet-facing and non-internet facing assets.” While the guidance is currently for federal civilian agencies, CISA recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize mitigation of vulnerabilities listed in CISA’s public catalog and sign up to receive notifications when new vulnerabilities are added.

With over 18,000 vulnerabilities identified in 2020 alone, organizations in the public and private sector find it challenging to prioritize limited resources toward remediating the vulnerabilities that are most likely to result in a damaging intrusion, according to CISA. “This Directive addresses this challenge by driving mitigations of those vulnerabilities that are being actively exploited to compromise federal agencies and American businesses, building upon existing methods widely used to prioritize vulnerabilities by many organizations today,” it added.

The directive also establishes a CISA-managed catalog of known exploited vulnerabilities and requires federal civilian agencies to remediate such vulnerabilities within specific timeframes.

CISA will update this catalog with additional exploited vulnerabilities as they become known, subject to an executive-level CISA review, when a vulnerability meets three criteria: it has an assigned Common Vulnerabilities and Exposures (CVE) ID; there is reliable evidence that it has been actively exploited in the wild; and there is a clear remediation action for it, such as a vendor-provided update.

Following the directive, within 60 days of issuance, agencies shall review and update agency internal vulnerability management procedures. If requested by CISA, agencies will provide a copy of these policies and procedures, the security agency said.

At a minimum, agency policies must establish a process for ongoing remediation of the vulnerabilities that CISA identifies through inclusion in the CISA-managed catalog of known exploited vulnerabilities; assign roles and responsibilities for executing the actions the directive requires; define the actions needed to enable a prompt response to those requirements; establish internal validation and enforcement procedures to ensure adherence to the directive; and set internal tracking and reporting requirements to evaluate adherence and provide reporting to CISA as needed.

Organizations are further required to remediate each vulnerability according to the timelines outlined in the CISA-managed vulnerability catalog, the agency said. The catalog will list exploited vulnerabilities that carry significant risk to the federal enterprise with the requirement to remediate within six months for vulnerabilities with a CVE ID assigned before 2021, and within two weeks for all other vulnerabilities. These default timelines may be adjusted in the case of grave risk to the federal enterprise, it added.
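The catalog criteria and default timelines described above translate directly into a triage rule: a finding is in scope only if its CVE ID appears in the catalog, and its default due date depends on the year embedded in the CVE ID. The following is an added example, not code from CISA or from the article; the catalog and inventory shapes, the placeholder CVE IDs (ending in 0000) and the dates are constructed for illustration and do not reflect CISA's actual feed format.

```python
"""Compute BOD 22-01 default remediation deadlines and flag overdue findings.

Assumptions (not from the article): the catalog is a dict keyed by CVE ID whose
values hold a `date_added` and an optional `due_date` override (the directive
lets CISA adjust defaults for grave risk); the inventory is a list of Finding
records. All sample data below is constructed.
"""
from __future__ import annotations

import calendar
import re
from dataclasses import dataclass
from datetime import date, timedelta

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")


def cve_year(cve_id: str) -> int:
    """Return the year embedded in a CVE ID of the form CVE-YYYY-NNNN..."""
    m = CVE_RE.match(cve_id.strip().upper())
    if not m:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(m.group(1))


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the length of the target month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def default_due_date(cve_id: str, date_added: date) -> date:
    """Directive default: six months for CVE IDs assigned before 2021, two weeks otherwise."""
    if cve_year(cve_id) < 2021:
        return add_months(date_added, 6)
    return date_added + timedelta(days=14)


@dataclass(frozen=True)
class Finding:
    asset: str
    cve_id: str


def overdue_findings(findings, catalog, today: date):
    """Return (asset, cve_id, due_date) for catalog-listed findings past their due date."""
    out = []
    for f in findings:
        entry = catalog.get(f.cve_id.strip().upper())
        if entry is None:
            continue  # not in the catalog: outside this directive's scope
        due = entry.get("due_date") or default_due_date(f.cve_id, entry["date_added"])
        if today > due:
            out.append((f.asset, f.cve_id, due))
    return out


# Constructed sample catalog: placeholder CVE IDs, both added on the same day.
SAMPLE_CATALOG = {
    "CVE-2019-0000": {"date_added": date(2021, 11, 3)},  # pre-2021 ID: six months
    "CVE-2021-0000": {"date_added": date(2021, 11, 3)},  # 2021 ID: two weeks
}

# Constructed sample inventory; the third finding is not in the catalog.
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-2019-0000"),
    Finding("vpn-01", "CVE-2021-0000"),
    Finding("db-01", "CVE-2020-0000"),
]


def sample_report(today: date = date(2021, 12, 1)):
    """Run the triage over the constructed data for a given reporting date."""
    return overdue_findings(SAMPLE_FINDINGS, SAMPLE_CATALOG, today)


if __name__ == "__main__":
    for asset, cve, due in sample_report():
        print(f"OVERDUE {asset} {cve} (due {due.isoformat()})")
```

Run as a script, it reports only the vpn-01 finding on the constructed date, because the 2021 CVE's two-week window has lapsed while the pre-2021 CVE's six-month window has not; the db-01 finding is ignored because its CVE is not in the catalog, which is the scoping the directive describes.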

Federal agencies are also called upon to report on the status of vulnerabilities listed in the repository. In line with requirements for the Continuous Diagnostics and Mitigation (CDM) Federal Dashboard deployment and OMB annual FISMA memorandum requirements, agencies are expected to automate data exchange and report their respective Directive implementation status through the CDM Federal Dashboard. Initially, agencies may submit quarterly reports through CyberScope submissions or report through the CDM Federal Dashboard.

Starting on Oct. 1, 2022, agencies that have not migrated reporting to the CDM Federal Dashboard will be required to update their status through CyberScope bi-weekly, CISA added.

“Every day, our adversaries are using known vulnerabilities to target federal agencies,” Jen Easterly, CISA director said in a media statement. “As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors. The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks.”

“While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog,” Easterly added.

Last week, Easterly confirmed that the agency is scrutinizing a new model that it calls ‘primary systemically important entities’ or PSIES, which will deal with the next steps in providing critical infrastructure protection. The measure follows the JCDC (Joint Cyber Defense Collaborative) initiative that depended on close partnerships with critical infrastructure companies.

Commenting on CISA’s move, James Hayes, vice president of global government affairs at Tenable, wrote in a company blog post: “This BOD is a much-needed effort to help agencies secure federal networks from increasingly complex and dangerous cyber threats and an important piece of President Biden’s effort to take on cybercrime and secure the federal government. However, the nearly 300 vulnerabilities included in the list means agencies will need to prioritize their remediation efforts.”

“CISA issued a Directive today that makes federal expertise on known cyber vulnerabilities, and what is required to mitigate those weaknesses, available to the public by publishing CISA’s catalog of identified common software vulnerabilities,” Robert Cattanach, a partner at the international law firm Dorsey & Whitney, wrote in an emailed statement.

“Most companies simply lack the resources to monitor the vast list of system flaws (18,000 were identified in 2020 alone; over a third of these were classified as ‘critical’ or ‘high severity’), much less prioritize which of those weaknesses need to be fixed immediately. Knowing which vulnerabilities are currently being exploited by cybercriminals allows the private sector to leverage CISA’s expertise to operate on a more level playing field, and should be an important tool in the never-ending fight against cybercriminals,” he added.
