
Biden administration issues cybersecurity mandate for federal agencies

By Maria Henriquez
November 4, 2021

The Biden administration issued a new order — Binding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities — requiring nearly all federal agencies to patch hundreds of known exploited vulnerabilities that carry significant risk of damaging intrusions into government computer systems.


The Cybersecurity and Infrastructure Security Agency (CISA), via the operational directive, has created — and published on CISA.gov — a living catalog of known exploited vulnerabilities that carry significant risk. Approximately 200 vulnerabilities from 2017-2020 and 90 from 2021 make up the initial publication. CISA will regularly update the catalog with new known exploited vulnerabilities that meet specified thresholds.


One of the most wide-reaching cyber mandates ever imposed on the federal government, the new requirement gives agencies six months to fix more than 300 security flaws identified as carrying “significant risk” to their networks.


The goal of the directive is to enable federal agencies, as well as public and private sector organizations, to improve their vulnerability management practices and significantly reduce their exposure to cyberattacks. Malicious actors scan the internet for known vulnerabilities and can exploit them within ever shorter time frames, and the adaptability, sophistication, and speed with which cyber adversaries were targeting and exploiting known vulnerabilities had outpaced agencies' improved remediation times.


The directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency’s behalf. These required actions apply to any federal information system, including an information system used or operated by another entity on behalf of an agency that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.


Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, says, “Cybersecurity, like vulnerability remediation and mitigation, is a shared responsibility. It does not get done if vendors, IT and security teams are not on the same page and working toward the same goals. Not to suggest enforcement is not always easy because it’s not. But these are the decisions cyber teams must make collaboratively with IT teams while considering the trade-offs between often-competing objectives. Private sector organizations should be using this CISA catalog as a type of threat intelligence feed. Better yet, use the CISA catalog as a template to roll your own factoring in vulnerability criticality and priority to your unique business or organization.”


According to CISA, which is responsible for maintaining the catalog of known exploited vulnerabilities, industry partners identified a total of 18,359 new cybersecurity vulnerabilities, or Common Vulnerabilities and Exposures (CVEs). Of these, 10,342 — an average of 28 per day — are classified as “critical” or “high severity” vulnerabilities.


Through the directive, CISA says it targets for remediation those vulnerabilities that have known exploits and are being actively exploited by cybercriminals. Rather than issue individual Emergency Directives for each vulnerability of concern, BOD 22-01 institutes a mechanism that:

  • Establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal enterprise; and 
  • Requires federal civilian agencies to remediate these vulnerabilities within a more aggressive timeline.
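The catalog-plus-deadline mechanism described above is what a defender has to operationalize: take the published catalog, join it against the organization's own vulnerability findings, and surface which findings are catalog-listed and how close each is to its due date. The script below is an added example and is not code from the article, from CISA, or from any of the quoted vendors. The catalog field names (cveID, product, dueDate, requiredAction) are an assumption modelled on the layout of CISA's published JSON feed and should be checked against the live feed before use; the CVE identifiers, products, dates and scanner findings are constructed sample data, not real catalog entries.

```python
import json
from datetime import date

# Constructed KEV-style catalog. Field names are an assumption based on the
# layout of CISA's published JSON feed; the CVE IDs, vendors, products and
# dates are placeholders for illustration, not real catalog entries.
KEV_CATALOG_JSON = """
{
  "title": "Constructed KEV-style catalog (sample data)",
  "vulnerabilities": [
    {"cveID": "CVE-2021-00001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2019-00002", "vendorProject": "ExampleVendor", "product": "ExampleMail",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2020-00003", "vendorProject": "OtherVendor", "product": "OtherFirmware",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}
"""

# Constructed scanner output: one (asset, CVE) finding per tuple.
SCANNER_FINDINGS = [
    ("vpn-gw-01", "CVE-2021-00001"),
    ("mail-01", "CVE-2019-00002"),
    ("mail-01", "CVE-2021-09999"),   # not in the catalog: still a finding, just not mandated
    ("fw-edge-02", "CVE-2020-00003"),
]


def load_catalog(raw_json):
    """Parse the catalog JSON and index its entries by CVE ID."""
    data = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def triage(findings, catalog, today):
    """Split findings into catalog-listed rows (sorted most urgent first) and the rest.

    A listed finding is OVERDUE once today's date is past the catalog dueDate,
    otherwise DUE with the number of days remaining.
    """
    listed, unlisted = [], []
    for asset, cve in findings:
        entry = catalog.get(cve)
        if entry is None:
            unlisted.append((asset, cve))
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        listed.append({
            "asset": asset,
            "cve": cve,
            "product": entry["product"],
            "dueDate": entry["dueDate"],
            "days_left": days_left,
            "status": "OVERDUE" if days_left < 0 else "DUE",
            "requiredAction": entry["requiredAction"],
        })
    listed.sort(key=lambda row: row["days_left"])
    return listed, unlisted


def summarize(listed, unlisted):
    """Counts a remediation lead would report upward."""
    return {
        "listed": len(listed),
        "overdue": sum(1 for row in listed if row["status"] == "OVERDUE"),
        "unlisted": len(unlisted),
    }


if __name__ == "__main__":
    # Fixed "today" so the sample output is reproducible.
    catalog = load_catalog(KEV_CATALOG_JSON)
    listed, unlisted = triage(SCANNER_FINDINGS, catalog, date(2021, 12, 1))
    for row in listed:
        print(f"{row['status']:8} {row['asset']:12} {row['cve']:15} "
              f"due {row['dueDate']} ({row['days_left']:+d} days) {row['requiredAction']}")
    for asset, cve in unlisted:
        print(f"{'UNLISTED':8} {asset:12} {cve:15} not in catalog; prioritize by your own criteria")
    print(summarize(listed, unlisted))
```

In practice the catalog would be fetched on a schedule rather than embedded, and the "unlisted" bucket is where the quoted advice about building an organization-specific priority scheme applies: catalog membership is a floor for urgency, not a complete ranking.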


Ray Kelly, principal security engineer at NTT Application Security, explains, “This new BOD is more than likely the result of a couple of recent high profile breaches. The Colonial Pipeline attack, as well as the SolarWinds/Orion vulnerabilities, for example, have demonstrated the impact that security gaps can have on our Government and its citizens. The vulnerability catalog describes many critical vulnerabilities that cover software, firmware and mobile devices that should be addressed. These issues can be targeted, remediated and verified, which is a much easier approach than simply saying, ‘make sure you are secure.’ This catalog can also be of use for the private sector. Often organizations that do not have a mature security program do not know where to start. This list would give them a starting point while addressing many vulnerabilities that are actively being exploited by malicious actors.”


“The growing number and increasing damage caused by known vulnerabilities being exploited on IoT and other systems are causing urgency by both government and private organizations,” explains Bud Broomhead, CEO at Viakoo. “The Biden Administration actions are part of a worldwide effort to stop the damage from cyberattacks as we’ve seen with pipelines, water treatment, and other critical systems being targets of cybercriminals.”


The mandate by CISA, Broomhead says, is one of many steps needed to control the deluge of vulnerabilities aimed at IT, OT, and IoT and defend these systems.


He adds, “The highlight is the ‘urgency requirement’ in the mandate, which points directly at the need for automated remediation solutions. This public catalog performs the critical function of connecting known vulnerabilities to specific systems. Such efforts help every organization respond to threats rapidly; this type of reporting is a good start but must become more comprehensive in making those connections for end-user organizations. The CISA public catalog, like the MITRE ATT&CK and CVE database, helps organizations identify and source fixes to security issues.”

KEYWORDS: CISA, cyber security, information security, public and private security, security vulnerabilities

Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.
