On November 3rd, 2021, the Cybersecurity and Infrastructure Security Agency released Binding Operational Directive 22-01, a compulsory direction with the goal of systematizing and standardizing vulnerability remediation across federal agencies except for defined “national security systems” and “certain systems operated by the Department of Defense or Intelligence Community.”
This new directive requires agencies to update vulnerability management procedures, remediate cataloged vulnerabilities according to the set timeline, and to report on the status of each cataloged vulnerability. Agencies were given two weeks to address specified exploits identified in 2021, and six months for exploits identified before 2021.
New vulnerabilities will be added to the Known Exploited Vulnerabilities catalog as CISA identifies a vulnerability that has been assigned a Common Vulnerabilities and Exposures ID, there is reliable evidence that the vulnerability has been exploited, and there is a clear path to remediation for the vulnerability. 4% of all vulnerabilities annually are expected to be added to the catalog as most vulnerabilities are not exploited in the wild. CISA hopes to shift “the focus to those vulnerabilities that are active threats.”
While BOD 22-01 only applies to specified federal agencies, CISA hopes that local, state, and private entities will use the KEV catalog to inform their remediation procedures. TOPIA is uniquely positioned to assist organizations of all sizes and industries to remediate the most critical threats to their unique digital infrastructures because TOPIA prioritizes vulnerabilities based on context. Just as CISA now recognizes that it’s functionally impossible to remediate every CVE and the CVSS system is limited in its effectiveness, TOPIA has curtailed its reliance on these outdated methodologies from the outset. When it comes to prioritizing vulnerabilities, context is king.
More information regarding the CVSS system and CVEs can be found in previous articles: