The Biden administration issued a new order — Binding Operational Directive 22-01 - Reducing the Significant Risk of Known Exploited Vulnerabilities — requiring nearly all federal agencies to patch hundreds of cybersecurity flaws considered significant vulnerabilities for damaging intrusions into government computer systems. 

The Cybersecurity and Infrastructure Security Agency (CISA), via the operational directive, has created — and published on CISA.gov — a living catalog of known exploited vulnerabilities that carry significant risk. Approximately 200 vulnerabilities from 2017-2020 and 90 from 2021 make up the initial publication. CISA will regularly update the catalog with new known exploited vulnerabilities that meet specified thresholds.

One of the most wide-reaching cyber mandates ever imposed on the federal government, the new requirement gives agencies six months to fix more than 300 security flaws identified as carrying “significant risk” to their networks.

The goal of the directive is to enable federal agencies, as well as the public and private sector organizations, to improve their vulnerability management practices and significantly reduce their exposure to cyberattacks. Malicious actors scan the internet for known vulnerabilities and can exploit them within much smaller time frames. And, the adaptability, sophistication, and speed at which cyber adversaries were targeting and exploiting known vulnerabilities outpaced agencies improved remediation time.

The directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency’s behalf. These required actions apply to any federal information system, including an information system used or operated by another entity on behalf of an agency that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.

Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, says, “Cybersecurity, like vulnerability remediation and mitigation, is a shared responsibility. It does not get done if vendors, IT and security teams are not on the same page and working toward the same goals. Not to suggest enforcement is not always easy because it’s not. But these are the decisions cyber teams must make collaboratively with IT teams while considering the trade-offs between often-competing objectives. Private sector organizations should be using this CISA catalog as a type of threat intelligence feed. Better yet, use the CISA catalog as a template to roll your own factoring in vulnerability criticality and priority to your unique business or organization.”

According to CISA, which is responsible for maintaining the catalog of known exploited vulnerabilities, industry partners identified a total of 18,359 new cybersecurity vulnerabilities, or Common Vulnerabilities and Exposures (CVEs). Of these, 10,342 — an average of 28 per day — are classified as “critical” or “high severity” vulnerabilities.

As a result of the directive, CISA says it targets vulnerabilities for remediation that have known exploits and are being actively exploited by cybercriminals. Rather than issue individual Emergency Directives for each vulnerability of concern, BOD 22-01 institutes a mechanism that:

• Establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal enterprise; and 
• Requires federal civilian agencies to remediate these vulnerabilities within a more aggressive timeline.

Ray Kelly, principal security engineer at NTT Application Security, explains, “This new BOD is more than likely the result of a couple of recent high profile breaches. The Colonial Pipeline attack, as well as the SolarWinds/Orion vulnerabilities, for example, have demonstrated the impact that security gaps can have on our Government and its citizens. The vulnerability catalog describes many critical vulnerabilities that cover software, firmware and mobile devices that should be addressed. These issues can be targeted, remediated and verified, which is a much easier approach than simply saying, “make sure you are secure.” This catalog can also be of use for the private sector. Often organizations that do not have a mature security program do not know where to start. This list would give them a starting point while addressing many vulnerabilities that are actively being exploited by malicious actors.”

The growing number and increasing damage caused by known vulnerabilities being exploited on IoT and other systems are causing urgency by both government and private organizations,” explains Bud Broomhead, CEO at Viakoo. “The Biden Administration actions are part of a worldwide effort to stop the damage from cyberattacks as we’ve seen with pipelines, water treatment, and other critical systems being targets of cybercriminals.

The mandate by CISA, Broomhead says, is one of many steps needed to control the deluge of vulnerabilities aimed at IT, OT, and IoT and defend these systems.

He adds, “The highlight is the “urgency requirement” in the mandate, which points directly at the need for automated remediation solutions. This public catalog performs the critical function of connecting known vulnerabilities to specific systems. Such efforts help every organization respond to threats rapidly; this type of reporting is a good start but must become more comprehensive in making those connections for end-user organizations. The CISA public catalog, like the MITRE ATT&CK and CVE database, help organizations identify and source fixes to security issues.”