2021-11-04
CISA Binding Operational Directive on Vulnerability Patching for Federal Agencies
The US Cybersecurity and Infrastructure Security Agency (CISA) has released a Binding Operational Directive (BOD) that requires federal agencies to patch known security flaws within certain timeframes. The BOD includes a catalog of nearly 300 known vulnerabilities that are being actively exploited. The flaws, some of which date back to 2017, each have deadlines for patching.
Editor's Note
Every year like clockwork, the US Federal government Office of Inspectors General produces audits that invariably repeat the findings of previous years' OIG reports about federal agencies having failed to patch well-known vulnerabilities. There will be much complaining about this BOD, but in the past such BODs or other “over the transom dictates” from OMB have driven actual movement in actual improvements in the security levels of government systems. There is no way for any government agency to even talk about “Zero Trust” without first having decent essential security processes such as vulnerability assessment and management.

John Pescatore
This enhances the previous BOD 19-02 which required critical vulnerabilities to be patched in 15 days and high vulnerabilities in 30 days. One key component added is a due date for remediating these known exploited vulnerabilities. Use the CISA catalog of known exploited vulnerabilities to help prioritize your patching efforts as well as verify that you’re not missing any required dates. Everyone should leverage this catalog. This BOD also requires agencies which are still using the old CyberScope quarterly submissions to either be reporting vulnerability status via the CDM dashboard by October 1, 2022 or provide CyberScope submissions bi-weekly.

Lee Neely
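The catalog described above pairs each exploited CVE with a required remediation date, and the editor's note suggests using it to check that no due date is being missed. The following is an added example, not code from the page or from CISA: it joins a constructed catalog sample (the field names cveID, dueDate and requiredAction follow the catalog's JSON feed as I know it and are an assumption here; the CVE ids are placeholders) against constructed scanner findings and flags overdue and due-soon items.

```python
import json
from datetime import date

# Constructed sample shaped like the KEV JSON feed (field names assumed;
# CVE ids are placeholders, not real catalog entries).
SAMPLE_CATALOG = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "Gateway",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCo", "product": "Mailer",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherCo", "product": "Agent",
     "dateAdded": "2021-11-03", "dueDate": "2021-12-10",
     "requiredAction": "Apply updates per vendor instructions."},
]})

# Constructed scanner output: CVE ids still open on each host.
SAMPLE_FINDINGS = {
    "web01": ["CVE-0000-0001", "CVE-9999-0001"],
    "mail01": ["CVE-0000-0002"],
    "agent01": ["CVE-0000-0003"],
    "db01": ["CVE-9999-0002"],
}

def load_catalog(raw):
    """Index the feed by CVE id and parse each due date once."""
    return {v["cveID"]: {**v, "due": date.fromisoformat(v["dueDate"])}
            for v in json.loads(raw)["vulnerabilities"]}

def triage(findings, catalog, today, soon_days=14):
    """Return catalog-listed open findings sorted by urgency.
    Each row is (days_until_due, cve, host, status); findings that are not
    in the catalog are skipped because the directive only covers listed CVEs."""
    rows = []
    for host, cves in findings.items():
        for cve in cves:
            entry = catalog.get(cve)
            if entry is None:
                continue
            delta = (entry["due"] - today).days
            status = "OVERDUE" if delta < 0 else "DUE SOON" if delta <= soon_days else "due"
            rows.append((delta, cve, host, status))
    return sorted(rows)

if __name__ == "__main__":
    for delta, cve, host, status in triage(SAMPLE_FINDINGS, load_catalog(SAMPLE_CATALOG), date(2021, 12, 1)):
        print(f"{status:8} {cve} on {host}: {abs(delta)} days {'past' if delta < 0 else 'until'} due date")
```

Swap SAMPLE_CATALOG for the downloaded feed and SAMPLE_FINDINGS for your scanner's export to produce the same report against real data.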
This Binding Operational Directive is much more specific and actionable than the 2019 BOD, which simply stated “thou must have a vulnerability management program.” In this directive, both the vulnerabilities and the required dates for patching are specifically called out. This does two things. First, it makes it very easy to measure which agencies have truly acted and complied. Second, it makes it much easier for agencies to act, as they no longer have to decide what to patch: they simply follow CISA guidance. The easier a requirement, the more likely it will be followed. As a bonus, once agencies are done with patching, they will have the processes in place for a long-term vulnerability management program.

Lance Spitzner
Read more in
ZDNet: CISA passes directive forcing federal civilian agencies to fix 306 vulnerabilities
Dark Reading: CISA Issues New Directive for Patching Known Exploited Vulnerabilities
Bleeping Computer: CISA urges vendors to patch BrakTooth bugs after exploits release
Cyberscoop: CISA tells agencies to fix hundreds of software flaws, prep for future vulnerabilities
Gov Infosecurity: CISA Directs Federal Agencies to Patch Known Vulnerabilities