skip to Main Content

So What Is In This New CISA Cybersecurity Directive?

Well, the reports were right. On November 3rd the federal government’s Cybersecurity and Infrastructure Agency (CISA) issued a directive prioritizing vulnerability management by federal civilian agencies and establishing remediation deadlines.

This new directive is referenced as Binding Operational Directive 22-01 (BOD 22-01) and has a very straightforward title: Reducing the Significant Risk of Known Exploited Vulnerabilities. It establishes a CISA-managed catalog of known and exploited vulnerabilities that must be targeted for remediation by federal agencies. The directive can be accessed here and the catalog here.

The catalog lists the vulnerabilities by name, reference software vendor, description, remediation action, and remediation due date, most of which so far are two weeks from the listing. In all instances for the initially listed vulnerabilities, remediation action is simply to “Apply updates per vendor instructions.”

The catalog will be updated on an ongoing basis. CISA allows for a subscription to catalog updates through simply submitting an email address and choosing a password here. Doing that also provides an opportunity to subscribe to a long list of other CISA updates, many of which are industry-specific.

While the directive and catalog are addressed to a civilian federal agency audience, CISA does point out that the targeted federal information systems included those operated or used by any entity “on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.” This broad statement of applicability really seems to put required compliance on some federal contractors despite CISA merely recommending that private business and local jurisdictions review and monitor the catalog, and remediate accordingly.

CISA noted in its fact sheet accompanying the directive that in 2020 alone, 18,358 new cybersecurity vulnerabilities were identified and 10,342 of those – 28 a day – were considered “critical” or “high severity.” Equally concerning is that as recently as 2015 it took federal agencies between 200 to 300 days to remediate vulnerabilities.

Just as with industry, there have been improvements by federal agencies over the last several years, but much remains to be done. This newly issued BOD 22-01 is requiring federal civilian agencies to continue improvements in their remediation efforts from this dismal record. Many contractors need to acknowledge that they also need improvement and accept CISA’s invitation to use the CISA catalog.

Click to rate this post!
[Total: 0 Average: 0]

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top