While the move is applauded, a short timeframe to address vulnerabilities will be a challenge for security resource-strapped agencies.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a wide-ranging mandate, a Binding Operational Directive (BOD 22-01), for all civilian federal agencies “to drive urgent and prioritized remediation of vulnerabilities that are being actively exploited by adversaries.” The goal of the BOD is to help agencies clarify and focus their remediation efforts in the face of thousands of discovered vulnerabilities – 18,000 in 2020 alone – and prioritize those deemed most dangerous for remediation.
The directive requires the agencies to remediate the vulnerabilities within specified time frames relying on a CISA-managed catalog of known exploited vulnerabilities. CISA says this directive enhances but does not replace BOD 19-02, issued in April 2019 to address remediation requirements for critical and high vulnerabilities on internet-facing federal information systems identified through CISA’s vulnerability scanning service.
This latest directive addresses non-internet-facing assets and applies to all software and hardware found on federal information systems, including those managed on agency premises or hosted by third parties on an agency’s behalf. However, CISA strongly recommends “that private businesses and state, local, tribal and territorial (SLTT) governments prioritize mitigation of vulnerabilities listed in CISA’s public catalog and sign up to receive notifications when new vulnerabilities are added.”
This article appeared in CSO Online. To read the rest of the article please visit here.