The latest cyber order released by the Cybersecurity and Infrastructure Security Agency (CISA) gives Federal agencies and industry the resources to stop or limit cybercriminals from infiltrating their systems, Michael Duffy, an associate director at CISA, said.
During FNN’s Ask the CIO Virtual Series on Jan. 20, Duffy stressed that Binding Operational Directive (BOD) 22-01, released in early November, goes further than just fixing known vulnerabilities in networks and systems.
“It’s a way for agencies to become better cyber defenders,” he said.
The BOD establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to Federal systems and networks, and it requires agencies to remediate any vulnerability included in the catalog. In the November BOD, CISA gave agencies two weeks to address 90 exploits identified in 2021. It also gave agencies six months to address about 200 exploits identified between 2017 and 2020. The directive also gives agencies two months to review and update their internal vulnerability management procedures.
“Underlying the core value add that we were looking to present with this directive is the known exploited vulnerabilities catalog. It’s the first of its kind across government and the first of any dynamic list that CISA has presented transparently and open to the public, not just the Federal sector. So, anyone who wants to be part of this effort to focus on the right things to buy down risk can be,” Duffy said.
CISA adds vulnerabilities to the catalog regularly. It added 24 new ones between November and December and added 15 more since Jan. 1.
According to Duffy, the goal of the catalog is to help agencies manage the volume and severity of the vulnerabilities. However, CISA's intent as an agency is not to develop more than 20 BODs every year.
“We want to refer to one strategic directive, BOD 22-01, to say, ‘when you’re seeing these updates, immediately take action within these two weeks,’” Duffy said. “Moving forward, we are really paying attention to see how this changes the game.”
Additionally, CISA wants to make sure agencies and the Department of Homeland Security share information regarding vulnerabilities and challenges they encounter in patching vulnerabilities. And according to Duffy, that’s something that goes beyond just reporting. It’s about how the government is making sense of long-standing common challenges “and finding ways that we’re able to tackle them as a community and not just as a one-off,” he said.
Another objective of the BOD is to enhance agencies’ internal procedures for vulnerability management. And while it may sound like a side task, Duffy explained, agencies must be given room to look at their current state and identify the best practices that fit their needs in order to improve their procedures.
“That really incorporates this new mindset, this shift in the way that we’re managing vulnerabilities across the Federal space,” Duffy said. “To really help agencies implement these directives, we want agencies to have them as top priorities, so we really put our team to the frontline to make sure that we’re supporting them.”
Since it released the BOD, CISA has noticed a change in how agencies manage their vulnerabilities. According to Duffy, these changes are not just technological but cultural too.