Biden administration issues cybersecurity mandate for federal agencies

November 4, 2021

The Biden administration issued a new order — Binding Operational Directive 22-01 - Reducing the Significant Risk of Known Exploited Vulnerabilities — requiring nearly all federal agencies to patch hundreds of cybersecurity flaws considered significant vulnerabilities for damaging intrusions into government computer systems.

The Cybersecurity and Infrastructure Security Agency (CISA), via the operational directive, has created — and published on CISA.gov — a living catalog of known exploited vulnerabilities that carry significant risk. Approximately 200 vulnerabilities from 2017-2020 and 90 from 2021 make up the initial publication. CISA will regularly update the catalog with new known exploited vulnerabilities that meet specified thresholds.

One of the most wide-reaching cyber mandates ever imposed on the federal government, the new requirement gives agencies six months to fix more than 300 security flaws identified as carrying “significant risk” to their networks.

The goal of the directive is to enable federal agencies, as well as the public and private sector organizations, to improve their vulnerability management practices and significantly reduce their exposure to cyberattacks. Malicious actors scan the internet for known vulnerabilities and can exploit them within much smaller time frames. And, the adaptability, sophistication, and speed at which cyber adversaries were targeting and exploiting known vulnerabilities outpaced agencies improved remediation time.

The directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency’s behalf. These required actions apply to any federal information system, including an information system used or operated by another entity on behalf of an agency that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.

Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, says, “Cybersecurity, like vulnerability remediation and mitigation, is a shared responsibility. It does not get done if vendors, IT and security teams are not on the same page and working toward the same goals. Not to suggest enforcement is not always easy because it’s not. But these are the decisions cyber teams must make collaboratively with IT teams while considering the trade-offs between often-competing objectives. Private sector organizations should be using this CISA catalog as a type of threat intelligence feed. Better yet, use the CISA catalog as a template to roll your own factoring in vulnerability criticality and priority to your unique business or organization.”

According to CISA, which is responsible for maintaining the catalog of known exploited vulnerabilities, industry partners identified a total of 18,359 new cybersecurity vulnerabilities, or Common Vulnerabilities and Exposures (CVEs). Of these, 10,342 — an average of 28 per day — are classified as “critical” or “high severity” vulnerabilities.

As a result of the directive, CISA says it targets vulnerabilities for remediation that have known exploits and are being actively exploited by cybercriminals. Rather than issue individual Emergency Directives for each vulnerability of concern, BOD 22-01 institutes a mechanism that:

Establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal enterprise; and
Requires federal civilian agencies to remediate these vulnerabilities within a more aggressive timeline.

Ray Kelly, principal security engineer at NTT Application Security, explains, “This new BOD is more than likely the result of a couple of recent high profile breaches. The Colonial Pipeline attack, as well as the SolarWinds/Orion vulnerabilities, for example, have demonstrated the impact that security gaps can have on our Government and its citizens. The vulnerability catalog describes many critical vulnerabilities that cover software, firmware and mobile devices that should be addressed. These issues can be targeted, remediated and verified, which is a much easier approach than simply saying, “make sure you are secure.” This catalog can also be of use for the private sector. Often organizations that do not have a mature security program do not know where to start. This list would give them a starting point while addressing many vulnerabilities that are actively being exploited by malicious actors.”

The growing number and increasing damage caused by known vulnerabilities being exploited on IoT and other systems are causing urgency by both government and private organizations,” explains Bud Broomhead, CEO at Viakoo. “The Biden Administration actions are part of a worldwide effort to stop the damage from cyberattacks as we’ve seen with pipelines, water treatment, and other critical systems being targets of cybercriminals.

The mandate by CISA, Broomhead says, is one of many steps needed to control the deluge of vulnerabilities aimed at IT, OT, and IoT and defend these systems.

He adds, “The highlight is the “urgency requirement” in the mandate, which points directly at the need for automated remediation solutions. This public catalog performs the critical function of connecting known vulnerabilities to specific systems. Such efforts help every organization respond to threats rapidly; this type of reporting is a good start but must become more comprehensive in making those connections for end-user organizations. The CISA public catalog, like the MITRE ATT&CK and CVE database, help organizations identify and source fixes to security issues.”

Maria Henriquez joined Security Magazine in 2019 as its Associate Editor. Since then, she has been covering the security industry and reporting on issues affecting enterprise security leaders, to include cybersecurity, leadership and management, risk and resilience and pressing security challenges facing the industry. Within her role at Security, she works to produce several Special Reports and other stories for the monthly eMagazine, Newswire articles, Web Exclusive features, as well as manage social media, the 5 minutes with series, and the Today’s Cybersecurity Leader and Security enewsletter. She graduated from the University of Illinois at Urbana-Champaign with a bachelor’s in English and Creative Writing.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

Organizations rely on application innovation, particularly API-driven applications, to fuel their business transformation and growth. Attackers know this and are constantly looking for ways to find the unfindable and break the unbreakable. They’ve got tools, motivation, and time on their side.

Poll

Comparison Metrics

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

Biden administration issues cybersecurity mandate for federal agencies

Recent Articles by Maria Henriquez

Dell Technologies takes a holistic, risk-based approach to build resilience

Panasonic discloses data breach

Last day to nominate the top cybersecurity leaders in the security industry

5 minutes with Tracy Reinhold: Critical event management for enterprise resilience

Apple is suing NSO Group

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

Biden administration issues cybersecurity mandate for federal agencies

Recent Articles by Maria Henriquez

Related Articles

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.