
CISA issues guidance on reducing known exploited vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance to prioritize remediation of vulnerabilities that adversaries are actively exploiting.

Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, establishes a CISA-managed catalog of known exploited vulnerabilities. It requires federal civilian agencies to address the vulnerabilities within specific timeframes.

“Every day, our adversaries are using known vulnerabilities to target federal agencies,” CISA Director Jen Easterly said. “As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors. The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyberattacks.”

Easterly noted that, while the Directive applies to federal civilian agencies, it is understood that organizations nationwide are targeted via the same vulnerabilities. She said it is critical that every organization adopt the Directive and prioritize mitigation of vulnerabilities listed in the agency’s public catalog.

CISA personnel acknowledged that the Directive applies to federal civilian agencies, but the agency recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize addressing vulnerabilities and subscribe to receive notifications when new vulnerabilities are added.

Douglas Clark
