The Cybersecurity and Infrastructure Security Agency (CISA) today issued a Binding Operational Directive (BOD) to significantly boost the nation’s cyber hygiene by creating a catalog of known exploited vulnerabilities and forcing Federal agencies to remediate them.
CISA Director Jen Easterly told the House Homeland Security Committee today that the BOD will fundamentally change how the government deals with common vulnerabilities and exposures (CVEs).
“This morning, we issued a new binding operational directive that fundamentally changes how the Federal civilian government addresses vulnerabilities that are being actively exploited by our adversaries,” Easterly told the committee. “Under this directive, federal agencies must now fix vulnerabilities identified by CISA within specified timeframes and update their security programs to effectively account for these requirements.”
“This directive will significantly improve the federal government’s vulnerability management practices and degrade our adversaries’ abilities to exploit known vulnerabilities,” she said. “And while the BOD only covers Federal civilian agencies, we strongly recommend that every network defender review the known vulnerabilities posted publicly at CISA.gov and prioritize urgent remediation.”
The BOD gives agencies six months to remediate any CVEs with IDs assigned before 2021 and two weeks to remediate any CVEs with IDs assigned this calendar year. The order also gives agencies 60 days to update their internal vulnerability management procedures.
In 60 days, at a minimum, Federal agencies must have:
- Established a process for ongoing remediation of CISA-identified vulnerabilities;
- Assigned roles and responsibilities for executing the actions the BOD requires;
- Defined the necessary actions for a prompt response to the directive's orders;
- Established procedures for internal validation and enforcement; and
- “Set internal tracking and reporting requirements to evaluate adherence with this Directive and provide reporting to CISA, as needed.”
“As we know, everything is connected, everything is interdependent. These days, since everything sits on that technology baseline and therefore everything is potentially vulnerable,” Easterly told the committee. “So, we work very hard to make sure that business owners, small and large critical infrastructure owners and operators, state and local, the American people have a good understanding of what they need.”
“I would point to the binding operational directive that we issued today that I think is really groundbreaking, in that for the first time, this is really giving timelines to remediate those specific vulnerabilities that we know have been actively exploited by adversaries,” Easterly said. “Not just all vulnerabilities, but the ones that we think are most dangerous. And I think that can make a real difference, not just for Federal agencies, but from a signaling perspective.”
Industry Perspective
As far as what the BOD has signaled to cybersecurity industry professionals, some see this as a step in the right direction from both a policy and posture perspective.
“This shows that the U.S. government is taking cybersecurity seriously,” iboss Vice President (VP) of Research and Intelligence Jim Gogolinski said in a statement. “Not only is the mandate tightening down the requirements for the level of patches that must be applied, but it is also substantially shrinking the window in which the government and their related supply chain organizations have to apply these patches. What’s left to be seen, though, is whether agency teams and their vendors are prepared to actually make all these patches within the required window.”
Officials say the focus on cyber hygiene is crucial because most attacks are the result of poor cyber hygiene rather than extremely sophisticated techniques.
“The Binding Operational Directive (BOD) announced by CISA, and the Joint Cybersecurity Defense Collaborative smartly focuses efforts on getting the basics right to better protect federal systems from cybercrime,” Tenable VP of Governmental Affairs James Hayes said. “Driving improved collective defense efforts between government and industry will strengthen our national cybersecurity posture.”