The Cybersecurity and Infrastructure Security Agency (CISA) issued a new binding operational directive to improve how federal civilian agencies assess and prioritize their cybersecurity vulnerabilities.
Binding Operational Directive (BOD) 26-04, Prioritizing Security Updates Based on Risk, requires federal civilian agencies to assess vulnerabilities against four criteria: asset exposure, Known Exploited Vulnerabilities (KEV) catalog status, exploit automation, and post-exploitation technical impact. Officials said the directive consolidates and clarifies earlier guidance, updates remediation timelines to reflect urgency, and focuses agencies' patching efforts on the highest-risk vulnerabilities, which should make remediation more efficient for federal civilian agencies.
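The four criteria above are the directive's; how they combine into a remediation tier is not stated on this page. The following is an added illustration, not CISA's scoring or timeline and not code from the directive: it parses a KEV-format JSON feed (the real catalog's top-level shape, with fictitious entries), scores constructed scan findings on the four criteria with assumed weights, and ranks them. Field names, point values, tier thresholds, asset names and CVE IDs are all assumptions.

```python
"""Added example: rank scan findings on the four BOD 26-04 criteria.

The four criteria come from the directive as reported above. Everything
else (field names, point values, tier thresholds, sample records and the
stand-in KEV feed) is constructed for illustration and is not the
directive's own scoring or timeline.
"""
from dataclasses import dataclass
import json

# Constructed stand-in for CISA's KEV catalog JSON. It keeps the real
# feed's top-level shape ("vulnerabilities" -> list of entries with a
# "cveID"), but the entries themselves are fictitious.
KEV_FEED = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "dueDate": "2026-01-15"},
        {"cveID": "CVE-0000-0003", "dueDate": "2026-02-01"},
    ]
})


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    internet_exposed: bool    # criterion 1: asset exposure
    automated_exploit: bool   # criterion 3: exploit automation (public PoC, scanner module, worm)
    impact: str               # criterion 4: post-exploitation technical impact: low|medium|high


IMPACT_POINTS = {"low": 0, "medium": 1, "high": 2}  # assumed weights


def load_kev_ids(feed_json: str) -> set[str]:
    """Parse a KEV-format JSON document into the set of listed CVE IDs."""
    return {entry["cveID"] for entry in json.loads(feed_json)["vulnerabilities"]}


def score(finding: Finding, kev_ids: set[str]) -> int:
    """Additive score over the four criteria. Weights are an assumption:
    KEV membership dominates, exposure and automation count equally, and
    impact breaks ties."""
    points = 0
    if finding.cve in kev_ids:        # criterion 2: KEV status
        points += 4
    if finding.internet_exposed:
        points += 2
    if finding.automated_exploit:
        points += 2
    points += IMPACT_POINTS[finding.impact]
    return points


def tier(points: int) -> str:
    """Map a score to a remediation tier (thresholds are an assumption)."""
    if points >= 6:
        return "urgent"
    if points >= 3:
        return "scheduled"
    return "deferred"


def prioritize(findings: list[Finding], feed_json: str) -> list[tuple[str, str, int, str]]:
    """Return (cve, asset, score, tier) sorted highest-risk first; ties are
    ordered by CVE ID so the output is stable."""
    kev_ids = load_kev_ids(feed_json)
    ranked = []
    for f in findings:
        pts = score(f, kev_ids)
        ranked.append((f.cve, f.asset, pts, tier(pts)))
    return sorted(ranked, key=lambda r: (-r[2], r[0]))


# Constructed sample findings (not real assets or vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "vpn-gw-01", True, True, "high"),         # KEV, exposed, automated, high impact
    Finding("CVE-0000-0002", "build-agent-07", False, False, "medium"),
    Finding("CVE-0000-0003", "intranet-wiki", False, False, "low"),    # KEV but internal, no automation
    Finding("CVE-0000-0004", "web-frontend-02", True, True, "medium"),  # not KEV, but exposed and automated
]

if __name__ == "__main__":
    for cve, asset, pts, t in prioritize(SAMPLE_FINDINGS, KEV_FEED):
        print(f"{t:9} {pts:2} {cve} on {asset}")
```

The point of the ranking is the third and fourth records: a KEV entry on an internal asset with no automated exploit lands below a non-KEV flaw that is internet-exposed with a public exploit, which is the kind of deferral the directive's criteria are meant to permit. Replace the constructed feed with the live catalog and the weights with the directive's actual timelines before using anything like this operationally.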
“CISA is empowering federal civilian agencies to focus their efforts on the areas of highest risk and defer patching lower priority vulnerabilities. This Directive provides clear definitions, timelines, and criteria that enhance transparency, predictability and agencies’ resource planning to execute more effective vulnerability remediation,” Acting CISA Director Nick Andersen said. “CISA continues our work to transform the federal enterprise to be more resilient to sophisticated and persistent cyber threats. CISA is leading and collaborating with federal civilian agencies to stay ahead of our adversaries as tactics, technologies and vulnerabilities change. While this Directive is a mandate for federal agencies, CISA strongly encourages all partners to adopt similar actions in their vulnerability management policy.”
The directive says cyber threat actors use unpatched vulnerabilities, and AI, to exploit systems. By harmonizing and improving on previous directives, CISA said, the new directive takes changes in threat actor behavior into account. The changes require federal agencies to build a comprehensive risk picture so they can make informed decisions that reduce risk without burdening IT managers with additional process.
