CISA has issued its first Binding Operational Directive (BOD) of the year, ordering federal civilian agencies to remediate known exploited security vulnerabilities within a specified time frame. Each vulnerability must be remediated according to the schedule set in the CISA-managed vulnerability catalog. The catalog lists exploited vulnerabilities that pose a significant risk to the federal enterprise and requires that vulnerabilities with Common Vulnerabilities and Exposures (CVE) IDs assigned before 2021 be fixed within 6 months, and all others within two weeks. Those default schedules may be adjusted in the event of serious risk to the federal enterprise. The list of vulnerabilities requiring remediation, issued together with the directive, contains nearly 300 entries and covers almost every major IT vendor: Accellion, Adobe, Apple, Apache, Android, Arcadyan, Arm, Atlassian, BQE, Cisco, Citrix, D-Link, DNN, Docker, DrayTek, Drupal, ExifTool, Exim, EyesOfNetwork, F5, ForgeRock, Fortinet, Google, IBM, ImageMagick, Ivanti, Kaseya, Liferay, McAfee, Micro Focus, Microsoft, Mozilla, Nagios, Netgear, Netis, Oracle, PlaySMS, Progress, Pulse Secure, Qualcomm, rConfig, Realtek, Roundcube, SaltStack, SAP, SIMalliance, SolarWinds, Sonatype, SonicWall, Sophos, Sumavision, Symantec, TeamViewer, Telerik, Tenda, ThinkPHP, Trend Micro, TVT, Unraid, vBulletin, VMware, WordPress, Yealink, Zoho (ManageEngine) and ZyXEL are all listed.
Binding Operational Directive BOD 22-01 (Reducing the Significant Risk of Known Exploited Vulnerabilities) applies to the software and hardware of Internet-facing and non-Internet-facing federal information systems, including systems administered by federal agencies or by third parties on their behalf.
The goal of this directive is to help federal agencies and public/private sector organizations proactively respond to persistent threat activity by improving their vulnerability management practices and reducing their exposure to cyberattacks.
“Today’s Binding Operational Directive (BOD) 22-01 on Protecting Federal Civilian Networks establishes a time frame for mitigating known exploited vulnerabilities and calls for improved vulnerability management procedures,” said CISA Director Jen Easterly.
“The BOD applies to federal civilian agencies; however, all organizations should adopt this directive and prioritize mitigation of vulnerabilities listed on our public directory that are being actively used to exploit public and private organizations.”
Agencies ordered to patch 2021 vulnerabilities within two weeks
CISA published a catalog of hundreds of exploited security flaws that put government systems at significant risk if threat actors successfully abused them.
Agencies are instructed to remediate the security vulnerabilities listed in the Known Exploited Vulnerabilities catalog according to a schedule set by CISA:
Vulnerabilities exploited this year should be patched within two weeks, by November 17, 2021.
Vulnerabilities exploited before the end of 2020 should be fixed within 6 months, by May 3, 2022.
The catalog currently includes more than 200 vulnerabilities identified between 2017 and 2021, and CISA will regularly add newly discovered vulnerabilities that meet the following conditions:
The vulnerability has an assigned Common Vulnerabilities and Exposures (CVE) ID.
There is reliable evidence that the vulnerability is being actively exploited in the wild.
There is a clear remediation for the vulnerability, such as a vendor-provided update.
Specific measures required include:
1. Establish a process for ongoing remediation of vulnerabilities that CISA identifies, through inclusion in the CISA-managed catalog of known exploited vulnerabilities, as posing a significant risk to the federal enterprise, within the time frame set by CISA under this Directive;
2. Assign roles and responsibilities for executing agency actions as required by this Directive;
3. Define the actions necessary to enable a prompt response to the actions required by this Directive;
4. Establish internal verification and enforcement procedures to ensure compliance with this Directive;
5. Set up internal tracking and reporting requirements to assess compliance with this Directive and provide reports to CISA as required.
Agencies must also submit quarterly reports on patch status through CyberScope or the CDM Federal Dashboard; those that have not migrated off CyberScope by October 1, 2022 will instead be required to report every two weeks.
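The remediation schedule described above (6 months for pre-2021 CVE IDs, two weeks for the rest, with catalog-specific overrides when CISA adjusts a deadline) and the internal tracking requirement in item 5 lend themselves to a small compliance check. The following Python is an added example, not CISA's own tooling and not the real catalog format: the catalog entries, CVE IDs, and remediation dates are constructed, and the directive issue date of November 3, 2021 is assumed because it is the date from which the November 17, 2021 and May 3, 2022 deadlines on the page follow.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed directive issue date; two weeks later is 2021-11-17 and six months
# later is 2022-05-03, matching the deadlines stated in the article.
DIRECTIVE_DATE = date(2021, 11, 3)


@dataclass(frozen=True)
class KevEntry:
    """One catalog entry (constructed shape, not CISA's feed format)."""
    cve_id: str
    vendor: str
    product: str
    due_date: Optional[date] = None  # explicit override of the default schedule


def cve_year(cve_id: str) -> int:
    """Return the year component of a CVE identifier of the form CVE-YYYY-NNNN."""
    parts = cve_id.upper().split("-")
    if len(parts) != 3 or parts[0] != "CVE" or not parts[1].isdigit():
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(parts[1])


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day for short months (31 Jan + 1 -> 28 Feb)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    next_month_start = date(year + month // 12, month % 12 + 1, 1)
    last_day = (next_month_start - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def default_due_date(cve_id: str, issued: date = DIRECTIVE_DATE) -> date:
    """Default deadline: CVE IDs assigned before 2021 get six months, all others two weeks."""
    if cve_year(cve_id) < 2021:
        return add_months(issued, 6)
    return issued + timedelta(days=14)


def due_date(entry: KevEntry) -> date:
    """Catalog-specific deadline wins over the default schedule when CISA sets one."""
    return entry.due_date or default_due_date(entry.cve_id)


def compliance_report(catalog: List[KevEntry],
                      inventory: Dict[str, Optional[date]],
                      as_of: date) -> Dict[str, List[str]]:
    """Classify each catalogued CVE present in the environment.

    inventory maps CVE IDs found in the environment to the date they were
    remediated, or None if still open. CVEs not in the catalog are ignored
    because the directive's deadlines do not apply to them.
    """
    report: Dict[str, List[str]] = {"on_time": [], "late": [], "overdue": [], "pending": []}
    by_id = {e.cve_id: e for e in catalog}
    for cve_id, fixed_on in inventory.items():
        entry = by_id.get(cve_id)
        if entry is None:
            continue
        deadline = due_date(entry)
        if fixed_on is not None:
            report["on_time" if fixed_on <= deadline else "late"].append(cve_id)
        elif as_of > deadline:
            report["overdue"].append(cve_id)
        else:
            report["pending"].append(cve_id)
    return report


# Constructed sample catalog and inventory; the CVE IDs are placeholders.
SAMPLE_CATALOG = [
    KevEntry("CVE-2019-00001", "ExampleVendor", "Gateway"),
    KevEntry("CVE-2021-00002", "ExampleVendor", "Mail"),
    KevEntry("CVE-2020-00003", "ExampleVendor", "VPN", due_date=date(2021, 12, 1)),
    KevEntry("CVE-2019-00005", "ExampleVendor", "CMS"),
]
SAMPLE_INVENTORY: Dict[str, Optional[date]] = {
    "CVE-2019-00001": date(2022, 4, 30),   # fixed before the 2022-05-03 deadline
    "CVE-2021-00002": date(2021, 11, 20),  # fixed after the 2021-11-17 deadline
    "CVE-2020-00003": None,                # still open past the adjusted 2021-12-01 deadline
    "CVE-2019-00005": None,                # still open, deadline not yet reached
    "CVE-2018-99999": None,                # not in the catalog, so out of scope
}
REPORT_AS_OF = date(2021, 12, 15)

if __name__ == "__main__":
    for status, ids in compliance_report(SAMPLE_CATALOG, SAMPLE_INVENTORY, REPORT_AS_OF).items():
        print(f"{status}: {', '.join(ids) or '-'}")
```

The "overdue" list is what a quarterly (or, after October 1, 2022, bi-weekly) status report would have to surface; keeping explicit `due_date` overrides in the catalog model matters because the article notes the default schedule can be shortened when the risk warrants it.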
“Vulnerabilities previously used to exploit public and private organizations are a frequent attack vector for a variety of malicious cyber actors,” CISA said.
“These vulnerabilities represent a significant risk to agencies and federal businesses. Proactive remediation of known exploited vulnerabilities is critical to protecting federal information systems and reducing cyber incidents.”