According to an announcement by the Cybersecurity and Infrastructure Security Agency (CISA) published Wednesday, a Binding Operational Directive (BOD) now requires federal civilian agencies to fix known cybersecurity vulnerabilities in information technology and operational technology systems and products. The BOD, Reducing the Significant Risk of Known Exploited Vulnerabilities, is the first government-wide mandate to fix vulnerabilities affecting both internet-facing and non-internet-facing assets, including those maintained on agency premises or hosted by third parties on an agency’s behalf, CISA’s press release said.
The directive also establishes a CISA-managed catalog of known exploited vulnerabilities and requires more than a dozen agencies to remediate them within specified timeframes. CISA said it will regularly update the catalog with vulnerabilities that meet certain thresholds, though the press release noted that “the effort and subject matter expertise required to research the degree of risk posed by a given vulnerability makes prioritizing [vulnerabilities] a challenge.” The catalog currently comprises approximately 200 vulnerabilities from 2017-2020 and 90 from 2021.
According to CISA’s accompanying fact sheet, industry partners identified more than 18,358 new cybersecurity vulnerabilities in 2020, of which about 10,340 were classified “critical.” Because both public and private organizations struggle to find the time to test and implement remediation measures, the agency said, the BOD instructs covered entities “to focus patching on the subset of vulnerabilities that are causing harm now.”
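The operational consequence of the directive is a change in how scanner output is triaged: findings that appear in the catalog carry a remediation due date and outrank everything else, whatever their CVSS score. The script below is an added illustration of that triage, not code from CISA or from the article; the catalog entries, asset names and CVE identifiers are constructed placeholders, and the field names (`cveID`, `dueDate`, `requiredAction`) are assumed to mirror CISA's published catalog feed, which the article does not describe.

```python
"""Triage vulnerability-scanner findings against a KEV-style catalog.

Added example with constructed data. Field names assume the layout of
CISA's public catalog feed; the CVE ids and hosts below are placeholders.
"""
from datetime import date

# Constructed catalog excerpt (placeholder ids, not real CVEs).
KEV_CATALOG = [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleMail",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
     "requiredAction": "Apply updates per vendor instructions."},
]

# Constructed scanner findings: one critical CVSS issue that is NOT in the
# catalog, to show that catalog membership, not score, drives the ordering.
SCAN_FINDINGS = [
    {"asset": "vpn-gw-01", "cveID": "CVE-0000-0001", "cvss": 7.2},
    {"asset": "mail-01", "cveID": "CVE-0000-0002", "cvss": 5.4},
    {"asset": "web-03", "cveID": "CVE-0000-0003", "cvss": 9.8},
    {"asset": "web-03", "cveID": "CVE-0000-0004", "cvss": 4.3},
]


def index_catalog(catalog):
    """Map cveID -> catalog entry for O(1) lookups."""
    return {entry["cveID"]: entry for entry in catalog}


def prioritize(findings, catalog, today_iso):
    """Return findings enriched with catalog data and sorted for remediation.

    Ordering: catalog entries first (earliest due date first, overdue at the
    top), then everything else by descending CVSS.
    """
    today = date.fromisoformat(today_iso)
    kev = index_catalog(catalog)
    rows = []
    for finding in findings:
        entry = kev.get(finding["cveID"])
        if entry is None:
            rows.append({**finding, "in_kev": False, "due": None,
                         "days_left": None, "overdue": False, "required_action": None})
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({**finding, "in_kev": True, "due": due,
                     "days_left": (due - today).days, "overdue": due < today,
                     "required_action": entry["requiredAction"]})
    # date.max pushes non-catalog rows after every dated row.
    rows.sort(key=lambda r: (not r["in_kev"], r["due"] or date.max, -r["cvss"]))
    return rows


def overdue(findings, catalog, today_iso):
    """(asset, cveID) pairs whose catalog due date has already passed."""
    return [(r["asset"], r["cveID"])
            for r in prioritize(findings, catalog, today_iso) if r["overdue"]]


if __name__ == "__main__":
    for r in prioritize(SCAN_FINDINGS, KEV_CATALOG, "2021-12-01"):
        tag = "KEV" if r["in_kev"] else "   "
        due = r["due"].isoformat() if r["due"] else "-"
        print(f"{tag} {r['asset']:<10} {r['cveID']:<14} cvss={r['cvss']:<4} "
              f"due={due} overdue={r['overdue']}")
```

Run with a real inventory and the catalog's published due dates, the `overdue` list is the set an agency would have to justify to CISA; the `days_left` field is what feeds a dashboard or ticket SLA. Note that the non-catalog 9.8 finding still needs attention under normal patching cadence; the ordering only says which fixes the directive makes non-negotiable first.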
CISA also acknowledged that while the BOD applies only to federal civilian agencies, organizations across the country, including those involved with critical infrastructure, are targeted through these same vulnerabilities. The agency therefore urged organizations not covered by the directive to improve their vulnerability management practices and reduce their exposure to cyberattacks.