A Step in the Right Direction – Binding Operation Directive 22-01

Jan 12, 2022

On November 3rd, 2021, the Cybersecurity and Infrastructure Security Agency released Binding Operational Directive 22-01, a compulsory direction with the goal of systematizing and standardizing vulnerability remediation across federal agencies except for defined “national security systems” and “certain systems operated by the Department of Defense or Intelligence Community.”

This new directive requires agencies to update vulnerability management procedures, remediate cataloged vulnerabilities according to the set timeline, and to report on the status of each cataloged vulnerability. Agencies were given two weeks to address specified exploits identified in 2021, and six months for exploits identified before 2021.

New vulnerabilities will be added to the Known Exploited Vulnerabilities catalog as CISA identifies a vulnerability that has been assigned a Common Vulnerabilities and Exposures ID, there is reliable evidence that the vulnerability has been exploited, and there is a clear path to remediation for the vulnerability. 4% of all vulnerabilities annually are expected to be added to the catalog as most vulnerabilities are not exploited in the wild. CISA hopes to shift “the focus to those vulnerabilities that are active threats.”

While BOD 22-01 only applies to specified federal agencies, CISA hopes that local, state, and private entities will use the KEV catalog to inform their remediation procedures. TOPIA is uniquely positioned to assist organizations of all sizes and industries to remediate the most critical threats to their unique digital infrastructures because TOPIA prioritizes vulnerabilities based on context. Just as CISA now recognizes that it’s functionally impossible to remediate every CVE and the CVSS system is limited in its effectiveness, TOPIA has curtailed its reliance on these outdated methodologies from the outset. When it comes to prioritizing vulnerabilities, context is king.

More information regarding the CVSS system and CVEs can be found in previous articles:

Scoring Security Vulnerabilities: Introducing CVSS for CVEs

Understanding CVSS Scores

What’s the Difference between CVSS and CVE

Written by

Kent Weigle

Recent Posts

  • 1

    Our Path to Product-Led Growth

    Michael Assraf June 21, 2022
  • 2

    CISAnalysis - June 20, 2022

    Kent Weigle June 20, 2022
  • 3

    Vicarius and Advent One Partner to Expand APAC Operations

    Evan Kling June 20, 2022
  • 4

    Crowdsourcing: Utilizing Humanity’s Greatest Asset

    Kent Weigle June 16, 2022
  • 5

    The Good News and Bad News About 0-Day Attacks

    Vicarius June 14, 2022

Start Closing Security Gaps

  • Risk reduction from Day 1
  • Fast set-up and deployment
  • Unified platform
  • Full-featured 30-day trial