The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive (BOD 22-01) ordering all Federal civilian agencies to patch or implement mitigations for almost 300 security vulnerabilities known to have been exploited by cyber actors.
The vulnerabilities must be mitigated on all hardware and software on federal information systems, including Internet-facing and non-Internet-facing systems. The directive applies to information systems managed by federal agencies as well as those managed by third parties on an agency’s behalf.
BOD 22-01 applies to all departments and agencies apart from the Department of Defense, the Central Intelligence Agency, and the Office of the Director of National Intelligence. It is one of the most wide-ranging mandates of its kind to date, both because of the number of vulnerabilities that must be fixed and because they must also be addressed on non-Internet-facing systems.
CISA has imposed an aggressive deadline for addressing the flaws: two weeks to fix vulnerabilities known to have been exploited by cyber actors in 2021, and six months for all other vulnerabilities. Around one-third of the vulnerabilities on the list have been exploited this year and must therefore be patched within two weeks; the six-month deadline applies to the remaining two-thirds. These are default timelines and may be shortened should any vulnerability be determined to pose a grave risk to the Federal Enterprise.
“Vulnerabilities that have previously been used to exploit public and private organizations are a frequent attack vector for malicious cyber actors of all types,” said CISA. “These vulnerabilities pose a significant risk to agencies and the federal enterprise. It is essential to aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents.”
The known exploited vulnerabilities catalog includes 290 CVEs that are known to have been exploited by cyber actors, and while BOD 22-01 only applies to federal civilian agencies, CISA is encouraging all organizations to follow the same advice and to patch the vulnerabilities within the same timeframe to prevent exploitation.
In addition to patching the flaws, all agencies are required to update their internal vulnerability management policies and procedures within 60 days. The policies are now required to include a process for ongoing remediation of CISA-identified vulnerabilities, assign roles and responsibilities for executing directive-required agency actions, define necessary actions to enable a prompt response to directive-required actions, establish internal validation and enforcement procedures, and set internal tracking and reporting requirements to evaluate adherence with the directive.