CISA Releases Directive Regarding Cyber Vulnerabilities
On November 3, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 22-01, titled Reducing the Significant Risk of Known Exploited Vulnerabilities, to act as “a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information system.”
BOD 22-01 was intended to compel federal agencies to “mitigate actively exploited vulnerabilities on their networks.” The Directive requires these agencies to review and update their internal vulnerability management procedures within 60 days of its issuance. At a minimum, according to CISA, these policies must establish procedures for remediating vulnerabilities that carry a “significant risk” to the agency.
Additionally, CISA intends to notify organizations across the country that vulnerabilities affecting both internet-facing and non-internet-facing assets are also known to affect “private businesses and state, local, tribal and territorial (SLTT) governments,” and that those organizations should be aware of them and attempt to mitigate them as well. According to CISA Director Jen Easterly, “[i]t is . . . critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”
CISA’s directive acknowledged the difficulty that organizations in both the private and public sectors face in prioritizing their already limited resources against the exponentially increasing number of vulnerabilities identified each year, with over 18,000 in 2020 alone. For that reason, CISA again recommended using its public catalog to identify actively exploited vulnerabilities and allocating resources according to the prevalence of the threat.
If you have any questions or concerns regarding this new directive or how your company can implement similar procedures, please contact Kennedy Sutherland.