A Step in the Right Direction – Binding Operation Directive 22-01

Dec 31, 2021

On November 3rd, 2021, the Cybersecurity and Infrastructure Security Agency released Binding Operational Directive 22-01, a compulsory direction with the goal of systematizing and standardizing vulnerability remediation across federal agencies except for defined “national security systems” and “certain systems operated by the Department of Defense or Intelligence Community.”

This new directive requires agencies to update vulnerability management procedures, remediate cataloged vulnerabilities according to the set timeline, and to report on the status of each cataloged vulnerability. Agencies were given two weeks to address specified exploits identified in 2021, and six months for exploits identified before 2021.

New vulnerabilities will be added to the Known Exploited Vulnerabilities catalog as CISA identifies a vulnerability that has been assigned a Common Vulnerabilities and Exposures ID, there is reliable evidence that the vulnerability has been exploited, and there is a clear path to remediation for the vulnerability. 4% of all vulnerabilities annually are expected to be added to the catalog as most vulnerabilities are not exploited in the wild. CISA hopes to shift “the focus to those vulnerabilities that are active threats.”

While BOD 22-01 only applies to specified federal agencies, CISA hopes that local, state, and private entities will use the KEV catalog to inform their remediation procedures. TOPIA is uniquely positioned to assist organizations of all sizes and industries to remediate the most critical threats to their unique digital infrastructures because TOPIA prioritizes vulnerabilities based on context. Just as CISA now recognizes that it’s functionally impossible to remediate every CVE and the CVSS system is limited in its effectiveness, TOPIA has curtailed its reliance on these outdated methodologies from the outset. When it comes to prioritizing vulnerabilities, context is king.

More information regarding the CVSS system and CVEs can be found in previous articles:

Scoring Security Vulnerabilities: Introducing CVSS for CVEs

Understanding CVSS Scores

What’s the Difference between CVSS and CVE

Written by

Kent Weigle

Recent Posts

  • 1

    What is Patch Management?

    Kent Weigle December 09, 2021
  • 2

    A Step in the Right Direction – Binding Operation Directive 22-01

    Kent Weigle December 31, 2021
  • 3

    What is Configuration Management?

    Kent Weigle December 09, 2021
  • 4

    What is Automated Patching?

    Kent Weigle December 09, 2021
  • 5

    What is Risk-Based Vulnerability Management?

    Kent Weigle December 09, 2021

Start Closing Security Gaps

  • Risk reduction from Day 1
  • Fast set-up and deployment
  • Unified platform
  • Full-featured 30-day trial