The US Cybersecurity and Infrastructure Security Agency (CISA) has released a directive to drive remediation of vulnerabilities that are being actively exploited.
The directive marks the first time CISA has imposed government-wide requirements to fix vulnerabilities affecting both internet-facing and non-internet-facing assets. It also recommended that the private sector take note of the vulnerabilities.
Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, was published on 3 November 2021 and establishes a catalog of known exploited vulnerabilities.
The directive applies to all software and hardware found on federal information systems, including those managed on agency premises or hosted by third parties on an agency’s behalf. CISA has provided both updates on the known vulnerabilities and the ability to report new vulnerabilities that are not currently in the catalog.
“Every day, our adversaries are using known vulnerabilities to target federal agencies,” said CISA director Jen Easterly. “As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors.”
“The directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber-attacks,” she added.
Easterly noted that “while this directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities”. The CISA director also highlighted that it was critical that every organization adopt the directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.
CISA recommends action for public and private sector
The directive seeks to address the challenge faced by both the public and private sector of prioritizing limited resources toward remediating the vulnerabilities that are most likely to result in a damaging intrusion.
CISA said that the directive addresses this challenge by driving mitigation of those vulnerabilities that are being actively exploited to compromise federal agencies and US businesses, building upon existing methods that many organizations already use to prioritize vulnerabilities.
The directive sets out a number of required actions. For example, within 60 days of issuance, agencies should review and update agency internal vulnerability management procedures in accordance with the directive.
Other actions include remediating each vulnerability according to the timelines that are set forth in the catalog. Agencies are also expected to report on the status of vulnerabilities listed in the repository.