Supporting CISA's Binding Operational Directive (BOD) 22-01

women checking computer

On November 3, the US Cybersecurity and Infrastructure Security Agency (CISA) released a new Binding Operational Directive (BOD) 22-01, titled ‘Reducing the Significant Risk of Known Exploited Vulnerabilities’. This directive requires federal civilian agencies to identify and remediate known vulnerabilities based on a managed catalog provided by CISA, which will be updated on a regular basis.
According to CISA, vulnerabilities will be included in the catalog based on evidence of them being actively exploited in the wild, as well as there being a clear remediation path, typically a vendor provided update. Although CISA’s directive is only directly applicable to federal agencies, they are also strongly recommending state and local government, and private organizations, to take advantage of this new resource, to improve their cyber resilience.  

Security commentators are suggesting that this new directive is linked to recent supply chain attacks that have targeted both private and public sector organizations. These events, including the large-scale SolarWinds and Kaseya attacks, as well a recent compromise of the Zoho password manager, have exploited known, but unpatched vulnerabilities to compromise government agencies, critical infrastructure, technology companies and many more.

In a recent Noetic blog, we highlighted some of the challenges faced by security teams in addressing vulnerability management and patching. Security teams are faced with a daily increase in new vulnerabilities to patch and need help prioritizing their workload to map the risk posed by an exploitable vulnerability with the potential business impact.

This managed catalog can be seen as a new type of vulnerability ‘threat feed’, where security teams are being provided with a curated list of critical vulnerabilities to work on, based on CISA’s insights into the work of threat actors.

For Federal Civilian Agencies of course, there are more specific requirements. These include:

  • Within the next 60 days, review and update their vulnerability management processes, including establishing a process for the ongoing remediation of the CISA catalog, including ownership, roles and responsibilities and reporting.
  • Remediate the vulnerabilities in the catalog, currently at 291, based on timelines provided by the CISA. Many of these have a deadline of November 17, only a few days away
  • Report on the status of the remediation process through the standard reporting processes.

How can Noetic help with compliance with CISA BOD 22-01?

Effective Cybersecurity Asset Management is about understanding not just all assets in the organization, but the cyber relationships between them. In this context, the CISA vulnerability list provides us with another data source to help us to identify and prioritize cyber risk.

To assist security teams with meeting CISA’s deadlines for remediating vulnerabilities, we have taken several actions and released updates to the Noetic platform, including:

  1. New CISA Connector – we have published a new Noetic Connector called ‘CISA Known Exploited Vulnerabilities’ and made it available to deploy now for Noetic customers. This connector will consume the list of vulnerabilities provided by CISA and publish them in the Noetic platform. This will allow us to continuously update the list, when CISA provides additional updates.
  2. Create a new “CISA Known Vulnerability’ data type. A key tenet of the Noetic platform is its extensibility. We recognize that we do not know all the data types that customers will need to create to map cyber information from different applications and data sources. By creating a new data type to reflect a ‘CISA Known Vulnerability’, it makes it simple for security analysts to create new related queries, dashboards, and workflows.
  3. Generate CISA functions and workflows. These prebuilt capabilities allow teams to simply build the new CISA requirements into existing automated workflows, without any coding or specific graph expertise. For example, we could automatically send an email to the business owner of any ‘machine’ with a CISA vulnerability on a daily basis. If any of these assets also lacked sufficient endpoint security coverage, we could trigger an escalation process.

The video below shows the setup and work of the new CISA connector and demonstrates how simple it is for security teams to build queries to understand what CISA known vulnerabilities exist in their environment today and how to integrate these insights into their existing vulnerability and patch management process to improve their cyber resilience without creating significant workload for the team. 

To learn more about how the Noetic platform can help you to meet the CISA BOD 22-01 requirements, as part of a wider cybersecurity asset and vulnerability management program, you can contact us or register for a more detailed demonstration of the Noetic solution.