By the CyberWire staff | thecyberwire.com
CISA has issued Binding Operational Directive 22-01, which requires US Federal civilian agencies other than the CIA and ODNI to address known, exploited vulnerabilities. The directive, which is accompanied by a new catalogue of vulnerabilities, will require affected agencies to fix almost three-hundred known flaws identified between 2017 and this year. The bugs on the list are evaluated as a “significant risk to the federal enterprise.”
The Directive specifies:
- “Within 60 days of issuance, agencies shall review and update agency internal vulnerability management procedures in accordance with this Directive.”
- “Remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog.”
- “Report on the status of vulnerabilities listed in the repository.”
Some industry experts have offered early reaction to BOD 22-01. Saryu Nayyar, CEO of Gurucul, approves of the emphasis on patching, and notes that patching has to be done right for it to work as intended:
“Patching software and operating systems should be at the top of the IT priority list. Now CISA is stepping in, directing government agencies to apply all patches by November 17. Patching can be a complicated process, in that patches should be tested in the production environment first but should take precedence over less critical activities.
“Too many organizations think patching software is optional, and doesn’t have to be done immediately. It’s refreshing to see that CISA has listed a comprehensive list of known vulnerabilities along with relevant patches. Every organization, even those outside of the government, should obtain this list and use it to check their own patch programs.”
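The Directive's remediation timelines and reporting requirement, and Nayyar's advice to check a patch program against the catalog, come down to one comparison: catalog entries and due dates on one side, the organization's own remediation records on the other. The script below is an added example, not code from CISA, Gurucul or the CyberWire; the catalog fragment, inventory and CVE IDs are constructed placeholders, and the field names assume the layout of CISA's public KEV JSON feed, which this article does not describe.

```python
"""Compare a remediation inventory against a KEV-style catalog and report
which entries are open, untracked, or overdue. Added example; the entries,
CVE IDs and dates are constructed (the 2021-11-17 due date is the one the
article quotes), and the field names are an assumption about the KEV feed."""
import json
from datetime import date

# Constructed catalog fragment in the shape of the KEV JSON feed.
KEV_CATALOG = json.loads("""{
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
     "product": "ExampleVPN", "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
     "product": "ExampleMail", "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor",
     "product": "ExampleBrowser", "dateAdded": "2021-11-03", "dueDate": "2022-05-03"}
  ]
}""")

# Constructed inventory: what the organization has recorded per CVE.
INVENTORY = {
    "CVE-0000-0001": {"status": "remediated", "date": "2021-11-20"},  # fixed, but late
    "CVE-0000-0002": {"status": "open"},
    # CVE-0000-0003 has no record at all: it was never triaged.
}

def kev_status_report(catalog, inventory, today_iso):
    """One row per catalog entry: status, whether it is overdue as of
    today_iso, and whether a remediation landed after its due date."""
    today = date.fromisoformat(today_iso)
    rows = []
    for entry in catalog["vulnerabilities"]:
        cve, due = entry["cveID"], date.fromisoformat(entry["dueDate"])
        record = inventory.get(cve)
        status = "untracked" if record is None else record["status"]
        fixed_on = date.fromisoformat(record["date"]) if record and "date" in record else None
        rows.append({
            "cveID": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "dueDate": entry["dueDate"],
            "status": status,
            "overdue": status != "remediated" and today > due,
            "remediated_late": status == "remediated" and fixed_on is not None and fixed_on > due,
        })
    return rows

def overdue_cves(catalog, inventory, today_iso):
    """Sorted CVE IDs that are still not remediated past their due date."""
    return sorted(r["cveID"] for r in kev_status_report(catalog, inventory, today_iso) if r["overdue"])

if __name__ == "__main__":
    for row in kev_status_report(KEV_CATALOG, INVENTORY, "2021-12-01"):
        print(row)
```

Swapping the constructed catalog for the live feed and the dictionary for the organization's ticketing export turns the same comparison into the status report the Directive asks agencies to produce.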
Bill Lawrence, CISO at SecurityGate, gives CISA high marks for focus and effectiveness:
“CISA continues to impress with its focus on defending government networks and systems by executing on the basics of cyber “blocking and tackling”. It is disappointing that it takes a Binding Operational Directive for US Federal departments and agencies to implement critical patches, but kudos to CISA for recognizing this issue and using its authorities to enforce action. There was quite a bit of controversy back in 2017 with a similar directive for Kaspersky products, but this action is a no-brainer. Let’s see if it migrates to quarterly in 2022 rather than annually.”
James Hayes, Vice President of Global Affairs at Tenable, approves of the emphasis on patching as an important element of digital hygiene:
“The vast majority of cyberattacks are the result of poor cyber hygiene. The Binding Operational Directive (BOD) announced by CISA and the Joint Cybersecurity Defense Collaborative smartly focuses efforts on getting the basics right to better protect federal systems from cybercrime. This effort establishes inventories of commonly exploitable vulnerabilities and requires agencies to remediate them within a timely manner. Driving improved collective defense efforts between government and industry will strengthen our national cybersecurity posture.”
And YouAttest CEO Garret Grajek thinks the Directive is a service to the security community as a whole:
“CISA’s Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, is a great service to the security community. The fact that the broad-ranging document includes products from Cisco, Google, Microsoft, Apple, Oracle, Adobe, Atlassian, IBM and others shows how far-reaching the problem is. And also how addressing just the individual components, though necessary, is a losing game. The fact that the vulnerabilities exist in practically all the resources infers to security personnel that an overall methodology must be in place to mitigate an attack that could come from anywhere.
“The commonly accepted new methodology is Zero Trust – where each “leg” in the system has to confirm the identity of the requesting party. In a zero trust system identities and informational requests need to be constantly validated in each step of the process. Identity attestation to ensure the principle of least privilege PR.AC-6 is also imperative in a zero-trust system.”