"CISA's BOD 22-01 will disrupt the way organizations think about vulnerability management and prioritization."

How to use BOD 22-01 to prioritize vulnerability remediation


On November 3, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) released a new Binding Operational Directive (BOD 22-01). The purpose of the directive is to reduce the significant risk posed by vulnerabilities that are already known and actively exploited. The directive, titled Reducing the Significant Risk of Known Exploited Vulnerabilities, is compulsory for all federal agencies, executive branches, and government departments.

With the world facing many sophisticated and persistent adversarial cyber campaigns, CISA issued the directive to protect the public and private sectors from malicious cyber incidents and to enhance national security. At the core of improving cybersecurity in both sectors is remediating known exploited vulnerabilities to minimize cyber incidents.

Attackers have used previously known cybersecurity vulnerabilities extensively to compromise systems holding sensitive information. Known vulnerabilities are dangerous attack vectors that provide malicious actors with an opportunity to compromise critical federal systems and organizational IT infrastructures.

To that end, the BOD 22-01 directive establishes a catalog of known exploited vulnerabilities that pose significant risk to federal and enterprise systems. CISA is responsible for managing and updating the catalog. The directive also establishes remediation requirements for every vulnerability present in the catalog.

What BOD 22-01 Means for Federal Agencies

The directive is compulsory for all agencies that process federal information through federal information systems. It also applies to all federal information processed or managed by a third party on behalf of an agency. The directive stipulates a set of actions that all federal agencies and departments must take after its issuance, including a mandatory review and update of their vulnerability management operations within 60 days of the release of the directive.

Specifically, an agency must establish a continuous vulnerability remediation procedure that covers all vulnerabilities in the CISA-managed catalog. Once established, the agency must also assign clear roles, define the actions for responding to the vulnerabilities, define validation mechanisms, and create tracking and reporting requirements.

In addition, the BOD 22-01 directive requires federal agencies to mitigate the vulnerabilities in strict adherence to the timelines set in the CISA catalog. The catalog therefore provides a list of exploited cybersecurity vulnerabilities together with a requirement to remediate them, so that federal information and federal information systems are protected from significant harm. Last but not least, the directive requires federal agencies to report the status of the listed vulnerabilities.


Statistics of known vulnerability exploitations in the private sector

According to a recent cybersecurity report, 75% of cyber-attacks recorded in 2020 exploited vulnerabilities that were more than two years old. In other words, three out of four attacks exploited vulnerabilities dating back to 2017 or earlier. Shockingly, the report also found that 18% of all attacks in 2020 exploited vulnerabilities that were discovered before 2013.

On a similar note, a different 2020 report revealed that nearly a third of detected threats involved previously exploited software security flaws. Notably, 31% of organizations detected exploitation attempts against older vulnerabilities that had already led to worldwide attacks and data breaches. For example, at least half of the exploitation attempts targeted CVE-2017-0144, a vulnerability in the SMBv1 protocol implementation.

Alarmingly, this is the same vulnerability that was exploited in the infamous WannaCry ransomware attack, which affected health institutions worldwide. Yet malicious adversaries have kept it in their arsenal in an attempt to attack more organizations in the private sector, which underscores the critical threat facing private entities and companies.

Another reason the BOD 22-01 directive matters for private organizations is that 84% of companies discovered high-risk vulnerabilities in their internal and external networks in 2020. Yet more than half of those high-risk vulnerabilities are already known and can be mitigated by installing the necessary updates.

What the BOD Directive Means for Your Organization

Although the directive is not binding on private companies and organizations, enterprises can use it to develop better cybersecurity policies. In this regard, the following actions can assist business owners in preparing and performing vulnerability and risk assessments in line with the directive:

  1. Identify all assets: Information assets help companies collect, process, analyze, and unify sensitive business data. It is therefore essential to discover and inventory every IT asset in your organization so that the vulnerability and risk assessment is complete. This calls for a solution that enables rapid, company-wide asset discovery.
  2. Determine the asset owners: Once all assets are discovered, it is critical to determine who owns each of them. Asset owners are the most significant source of information about the possible threats and vulnerabilities present in their assets, and they can provide invaluable insights when assessing identified risks, their likelihood, and their impacts.
  3. Determine possible risks: The integrity, confidentiality, and availability of crucial IT deployments are the foundation of robust organizational cybersecurity. Exploiting known vulnerabilities can enable attackers to compromise vital information systems, resulting in risks such as lost business opportunities, legal action over breached data, and financial losses. Identifying possible risks therefore calls for a risk assessment process that actively identifies and remediates existing vulnerabilities.
  4. Prioritize and mitigate detected risks: Not all risks have the same impact, so it is essential to prioritize known threats and vulnerabilities before mitigating them. Prioritization ensures that the most impactful risks are remediated first, protecting the most crucial IT assets.
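A worked example of the prioritization step and of the catalog-driven, due-date-based remediation tracking the directive requires, added here and not part of the original post or of the Cynergy product: it cross-references a constructed asset inventory (the output of steps 1 and 2) against a constructed excerpt shaped like CISA's KEV catalog JSON feed and orders the work by catalog due date, overdue items first. The feed's field names, the dates, and the CVE-2099-* identifiers are assumptions; only CVE-2017-0144 comes from the text.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV catalog JSON feed; the field names
# are an assumption about the feed, and the dates and CVE-2099-* IDs are made up.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2017-0144", "product": "Windows SMBv1",
     "dateAdded": "2022-01-10", "dueDate": "2022-07-10"},
    {"cveID": "CVE-2099-0001", "product": "Example VPN appliance",
     "dateAdded": "2022-03-01", "dueDate": "2022-03-15"},
]})

# Constructed inventory: the output of the asset-discovery and owner steps.
ASSETS = [
    {"asset": "file-server-01", "owner": "infra-team",
     "cves": ["CVE-2017-0144", "CVE-2099-0002"]},
    {"asset": "vpn-gw-01", "owner": "network-team", "cves": ["CVE-2099-0001"]},
    {"asset": "build-agent-07", "owner": "devops-team", "cves": ["CVE-2099-0002"]},
]

def load_kev(kev_json):
    """Index the catalog feed by CVE ID so each inventory CVE is one lookup."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}

def prioritize(kev, assets, today_iso):
    """Return (work_items, uncatalogued): catalog hits on real assets ordered
    overdue first, then by nearest due date; plus CVEs the catalog does not list."""
    today = date.fromisoformat(today_iso)
    items, uncatalogued = [], set()
    for a in assets:
        for cve in a["cves"]:
            entry = kev.get(cve)
            if entry is None:
                uncatalogued.add(cve)  # not in KEV: falls to normal CVSS-based triage
                continue
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            items.append({"asset": a["asset"], "owner": a["owner"], "cve": cve,
                          "due": entry["dueDate"], "days_left": days_left,
                          "status": "OVERDUE" if days_left < 0 else "open"})
    items.sort(key=lambda i: i["days_left"])
    return items, sorted(uncatalogued)

def status_report(items):
    """Per-owner open/overdue counts, the shape a reporting step needs."""
    report = {}
    for i in items:
        report.setdefault(i["owner"], {"open": 0, "OVERDUE": 0})[i["status"]] += 1
    return report
```

Calling `prioritize(load_kev(KEV_SAMPLE), ASSETS, "2022-04-01")` puts the overdue VPN item ahead of the SMBv1 item and reports CVE-2099-0002 as outside the catalog, so it is triaged by the normal process rather than the directive's deadlines.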

How can Cynergy Help?

The Cynergy platform can assist your organization in identifying its external attack surface and in validating known and unknown vulnerabilities. As organizations in the public and private sectors move to enhance their cybersecurity posture based on the BOD 22-01 directive, the Cynergy platform can assist in various ways. Cynergy is the leading solution for organization-wide asset discovery, ensuring the detection of possible vulnerabilities in all assets. Additionally, the Cynergy solution can help you build a proactive risk management procedure to ensure the elimination of known and unknown vulnerabilities. With the directive requiring organizations to mitigate cataloged vulnerabilities within the set period, utilizing a tested and verified solution is a no-brainer.
