CISA Releases Directive on Reducing the Significant Risk of Known Exploited Vulnerabilities

November 18, 2021 - The Cybersecurity and Infrastructure Security Agency (CISA) recently issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, to drive urgent, prioritized remediation of vulnerabilities that adversaries are actively exploiting. The BOD establishes a catalog of known exploited vulnerabilities and applies to software and hardware on both internet-facing and non-internet-facing federal information systems, including those managed by federal agencies or by third parties on an agency's behalf. Although the BOD binds only federal civilian agencies, all organizations should adopt the Directive's approach and prioritize mitigating the vulnerabilities listed in the public catalog.

According to the BOD fact sheet, CISA has observed that risk scores based on the Forum of Incident Response and Security Teams’ (FIRST) Common Vulnerability Scoring System (CVSS) do not always accurately depict the danger a CVE actually presents. Attackers do not rely only on “critical” vulnerabilities to achieve their goals; some of the most widespread and devastating attacks have chained multiple vulnerabilities rated “high,” “medium,” or even “low.” Many vulnerabilities classified as “critical” are highly complex and have never been seen exploited in the wild; in fact, only 4% of all CVEs have been publicly exploited. But threat actors move extremely fast on the vulnerabilities they do choose: of that 4% of known exploited CVEs, 42% are used on the day of disclosure (day 0), 50% within 2 days, and 75% within 28 days. Meanwhile, CVSS rates some of these as “medium” or even “low” severity.

Key takeaways of BOD 22-01 are:

  • Focus agencies on mitigating the vulnerabilities on their networks that are most likely to result in a damaging intrusion, that is, the subset of current vulnerabilities that are actually causing harm.

  • Shift CISA's vulnerability management strategy for federal agencies from focusing on vulnerabilities that carry a specific CVSS score to targeting for remediation those vulnerabilities that have known exploits and are being actively exploited by malicious cyber actors.

  • Drive federal agencies to mitigate actively exploited vulnerabilities on their networks within a more aggressive timeline. Specifically,

a) within 60 days of issuance, agencies must review and update agency internal vulnerability management procedures in accordance with the directive;

b) remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog; and

c) report on the status of vulnerabilities listed in the catalog.
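What the prioritization shift in the takeaways above and steps b) and c) look like in practice, as an added example that is not CISA's code and not part of the Directive: the Python script below parses a catalog snapshot in the shape of the published KEV JSON feed, matches scanner findings against it, orders them by catalog due date rather than by CVSS score, and produces the counts a status report needs. The feed field names (cveID, dueDate, requiredAction, and so on) are assumed to match the public feed; the catalog entries, their due dates, the scan findings, and the "today" date are a constructed sample, not the live catalog. Note how a CVSS 9.8 finding that is absent from the catalog sorts below a 7.8 that is listed.

```python
"""Triage scan findings against a KEV catalog snapshot, BOD 22-01 style.

Added example, not CISA code. Field names follow the shape of the public KEV
JSON feed (assumed); every entry and finding below is a constructed sample.
"""
import json
from datetime import date

# Constructed "today" for the example; in practice use date.today().
TODAY = date(2021, 11, 18)

# Constructed catalog snapshot (illustrative entries and due dates, not the live feed).
KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2021.11.18",
    "dateReleased": "2021-11-18T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2021-26855", "vendorProject": "Microsoft", "product": "Exchange Server",
         "vulnerabilityName": "Microsoft Exchange Server-Side Request Forgery (SSRF) Vulnerability",
         "dateAdded": "2021-11-03", "shortDescription": "SSRF in on-premises Exchange.",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2021-11-17"},
        {"cveID": "CVE-2021-40539", "vendorProject": "Zoho", "product": "ManageEngine ADSelfService Plus",
         "vulnerabilityName": "Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability",
         "dateAdded": "2021-11-03", "shortDescription": "REST API authentication bypass.",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2021-11-17"},
        {"cveID": "CVE-2017-11882", "vendorProject": "Microsoft", "product": "Office",
         "vulnerabilityName": "Microsoft Office Memory Corruption Vulnerability",
         "dateAdded": "2021-11-03", "shortDescription": "Equation Editor memory corruption.",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-05-03"},
    ],
})

# Constructed scanner export: one finding per (asset, CVE) with the CVSS base score
# the scanner reported. CVE-2021-3711 is a 9.8 deliberately absent from the snapshot.
SCAN_FINDINGS = [
    {"asset": "mail01.example.internal", "cve": "CVE-2021-26855", "cvss": 9.8},
    {"asset": "ws-0042.example.internal", "cve": "CVE-2017-11882", "cvss": 7.8},
    {"asset": "sso01.example.internal", "cve": "CVE-2021-40539", "cvss": 9.8},
    {"asset": "db01.example.internal", "cve": "CVE-2021-3711", "cvss": 9.8},
]


def load_kev(feed_text):
    """Parse a KEV feed into {cveID: entry}, with dueDate converted to a date object."""
    catalog = json.loads(feed_text)
    kev = {}
    for entry in catalog["vulnerabilities"]:
        kev[entry["cveID"]] = dict(entry, dueDate=date.fromisoformat(entry["dueDate"]))
    return kev


def triage(findings, kev, today):
    """Order findings the way BOD 22-01 prioritizes: catalog entries first (earliest due
    date first, so overdue items land at the top), then everything else by CVSS descending."""
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        row = dict(f, kev=entry is not None, due=None, days_left=None, overdue=False, action=None)
        if entry:
            days_left = (entry["dueDate"] - today).days
            row.update(due=entry["dueDate"].isoformat(), days_left=days_left,
                       overdue=days_left < 0, action=entry["requiredAction"])
        rows.append(row)
    # Tuple key: non-KEV rows sort after KEV rows; ISO dates sort chronologically as
    # strings; negated CVSS puts higher scores first. sort() is stable, so ties keep scan order.
    rows.sort(key=lambda r: (not r["kev"], r["due"] or "", -r["cvss"]))
    return rows


def kev_status_report(rows):
    """Counts for the status report the Directive asks for (open findings only)."""
    kev_rows = [r for r in rows if r["kev"]]
    return {
        "open_kev_findings": len(kev_rows),
        "overdue": sum(1 for r in kev_rows if r["overdue"]),
        "due_within_14_days": sum(1 for r in kev_rows if 0 <= r["days_left"] <= 14),
        "not_in_catalog": len(rows) - len(kev_rows),
    }


if __name__ == "__main__":
    ordered = triage(SCAN_FINDINGS, load_kev(KEV_FEED), TODAY)
    for r in ordered:
        tag = "KEV" if r["kev"] else "---"
        due = r["due"] or "n/a"
        flag = "OVERDUE" if r["overdue"] else ""
        print(f"{tag} {r['cve']:<15} cvss={r['cvss']:<4} due={due:<10} {flag:<8} {r['asset']}")
    print(kev_status_report(ordered))
```

Run it as-is to see the ordering; to use it against the real feed, replace KEV_FEED with the downloaded catalog JSON and SCAN_FINDINGS with your scanner's export. The sort key is the whole point: catalog membership and due date decide the order, and CVSS is only a tiebreaker within each group, which is exactly the shift the Directive describes.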