(Nov. 5, 2021) Addressing and mitigating actively exploited vulnerabilities on all federal agency computer networks is the aim of a directive issued this week by the federal agency that oversees cybersecurity, which the agency described as a first-ever federal government-wide requirement.
In issuing the order, the Cybersecurity and Infrastructure Security Agency (CISA) said it also encourages state and local governments, as well as the private sector, to take action.
The “Binding Operational Directive” (BOD 22-01), CISA said, is sending a “clear message to all organizations across the country to focus patching on the subset of vulnerabilities that are causing harm now, and enable CISA to drive continuous prioritization of vulnerabilities based on our understanding of adversary activity.”
The order, the agency said, applies to all software and hardware found on federal information systems, including those managed on agency premises or hosted by third parties on an agency’s behalf. According to agency Director Jen Easterly, the order lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks.
“While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities,” she said. “It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”
The agency noted that the order prioritizes resources for patching vulnerabilities that are most likely to result in a damaging intrusion into federal agencies and American businesses, “building upon existing methods widely used to prioritize vulnerabilities by many organizations today.”