CISA has released this year's first Binding Operational Directive (BOD), which lists about 290 vulnerabilities affecting federal civilian information systems.
The agency has ordered federal agencies to fix all of them and to submit quarterly status reports. CISA said the affected systems include both internet-facing and offline ones, and that exploitation by a threat actor could cause serious harm.
CISA’s Binding Operational Directive
Every year, CISA releases a Binding Operational Directive (BOD) covering technical vulnerabilities in the systems federal agencies use for their day-to-day work. Since threat actors actively target such critical services, CISA directs the agencies to fix them as soon as possible.
This year's BOD 22-01 (Reducing the Significant Risk of Known Exploited Vulnerabilities) covers about 290 security vulnerabilities (200 from 2017-2020 and 90 from 2021). They affect both software and hardware systems (online and offline) at federal civilian agencies serving the public.
❗️ Today we issued Binding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities: https://t.co/rFBFQyCLX5
This establishes priorities for vulnerability management & will help improve Federal Agency vulnerability management practices. pic.twitter.com/CS0hVBU4l4
— Cybersecurity and Infrastructure Security Agency (@CISAgov) November 3, 2021
The goal is to have agencies remediate these vulnerabilities promptly, keeping their systems and public data safe from compromise. CISA said the directive benefits not only federal agencies but also the public- and private-sector organizations that support them.
Remediating them keeps those organizations' systems up to date and improves their vulnerability management practices. On releasing the directive, CISA Director Jen Easterly said,
“The BOD applies to federal civilian agencies; however, ALL organizations should adopt this Directive and prioritize mitigating vulnerabilities listed on our public catalog, which are being actively used to exploit public and private organizations.”
Federal agencies have 60 days to review and update their internal vulnerability management procedures. Vulnerabilities found exploited this year must be remediated within two weeks, and those exploited up to the end of 2020 within six months.