The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published the Known Exploited Vulnerabilities Catalog, a list of nearly 300 vulnerabilities with confirmed in-the-wild exploitation that CISA says it will update continuously as new exploited flaws are identified.
CISA Director Jen Easterly shared the announcement on Twitter, and many information security professionals praised it as a move in the right direction.
BIG step forward today in protecting Federal Civilian Networks--Binding Operational Directive (BOD) 22-01 establishes timeframes for mitigation of known exploited vulnerabilities and requires improvements in vulnerability management programs: https://t.co/JrB6BQLCNe pic.twitter.com/KXA9ZnMRuN
— Jen Easterly (@CISAJen) November 3, 2021
Alongside the catalog, CISA issued Binding Operational Directive (BOD) 22-01, which compels federal civilian executive branch agencies to remediate every vulnerability in the catalog within the timeframe CISA assigns to it and, within 60 days, to update their internal vulnerability management procedures to support that ongoing remediation.
Noting that already-exploited vulnerabilities remain a frequent attack vector, CISA says it created the catalog to reduce risk to both the public and private sectors and to protect the American people.
"Vulnerabilities that have previously been used to exploit public and private organizations are a frequent attack vector for malicious cyber actors of all types. These vulnerabilities pose significant risk to agencies and the federal enterprise.
It is essential to aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents," BOD 22-01 reads.
These are the required actions as outlined by CISA:
Within 60 days of issuance, agencies shall review and update agency internal vulnerability management procedures in accordance with this Directive. If requested by CISA, agencies will provide a copy of these policies and procedures. At a minimum, agency policies must:
a. Establish a process for ongoing remediation of vulnerabilities that CISA identifies, through inclusion in the CISA-managed catalog of known exploited vulnerabilities, as carrying significant risk to the federal enterprise within a timeframe set by CISA pursuant to this directive;
b. Assign roles and responsibilities for executing agency actions as required by this directive;
c. Define necessary actions required to enable prompt response to actions required by this directive;
d. Establish internal validation and enforcement procedures to ensure adherence with this Directive; and
e. Set internal tracking and reporting requirements to evaluate adherence with this Directive and provide reporting to CISA, as needed.
Remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog. The catalog will list exploited vulnerabilities that carry significant risk to the federal enterprise with the requirement to remediate within 6 months for vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021 and within two weeks for all other vulnerabilities. These default timelines may be adjusted in the case of grave risk to the Federal Enterprise.
Report on the status of vulnerabilities listed in the repository. In line with requirements for the Continuous Diagnostics and Mitigation (CDM) Federal Dashboard deployment and OMB annual FISMA memorandum requirements, agencies are expected to automate data exchange and report their respective Directive implementation status through the CDM Federal Dashboard. Initially agencies may submit quarterly reports through CyberScope submissions or report through the CDM Federal Dashboard. Starting on October 1, 2022, agencies that have not migrated reporting to the CDM Federal Dashboard will be required to update their status through CyberScope bi-weekly.
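The directive's default windows in the required actions above (six months for a CVE ID assigned before 2021, two weeks for everything else, counted from the date the entry enters the catalog) are simple enough to apply mechanically against an asset inventory. The script below is an added example, not code from CISA or from the directive. It assumes the JSON shape of CISA's published catalog feed (entries carry `cveID` and `dateAdded`; the live feed also publishes a `dueDate`, which should be treated as authoritative over any local calculation) and uses a constructed sample catalog and inventory with placeholder CVE IDs; the "six months" window is interpreted as six calendar months, which is this example's reading of the directive, not a definition it gives.

```python
"""
Apply the BOD 22-01 default remediation windows to a KEV-style catalog and
flag inventory findings that are overdue. Added example: sample data is
constructed and the CVE IDs are format-only placeholders, not real entries.
"""
from __future__ import annotations

import calendar
import json
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample in the shape of the published catalog feed (only the
# fields this script needs). Placeholder IDs; not copied from the live catalog.
SAMPLE_CATALOG = json.dumps({
    "title": "constructed sample",
    "vulnerabilities": [
        {"cveID": "CVE-2019-0000", "vendorProject": "ExampleVendor",
         "product": "ExampleVPN", "dateAdded": "2021-11-03"},
        {"cveID": "CVE-2021-0000", "vendorProject": "ExampleVendor",
         "product": "ExampleMail", "dateAdded": "2021-11-03"},
        {"cveID": "CVE-2020-0000", "vendorProject": "OtherVendor",
         "product": "OtherDB", "dateAdded": "2021-11-17"},
    ],
})

# Constructed scanner output: hostname -> CVE IDs detected on that host.
SAMPLE_INVENTORY = {
    "web-01": ["CVE-2019-0000", "CVE-2021-0000"],
    "mail-01": ["CVE-2021-0000", "CVE-2018-0000"],  # second one is not in the catalog
    "db-01": ["CVE-2020-0000"],
}

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")


def _add_months(d: date, n: int) -> date:
    """Advance d by n calendar months, clamping to the last day of the month."""
    y, m = divmod(d.month - 1 + n, 12)
    year, month = d.year + y, m + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def due_date(cve_id: str, date_added_iso: str) -> str:
    """Default BOD 22-01 deadline: 6 months for pre-2021 CVE IDs, 14 days otherwise."""
    m = CVE_RE.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    added = date.fromisoformat(date_added_iso)
    cve_year = int(m.group(1))
    due = _add_months(added, 6) if cve_year < 2021 else added + timedelta(days=14)
    return due.isoformat()


@dataclass(frozen=True)
class Finding:
    cve_id: str
    host: str
    due: str        # ISO date
    overdue: bool


def triage(catalog_json: str, inventory: dict[str, list[str]], today_iso: str) -> list[Finding]:
    """Join scanner findings with the catalog; CVEs absent from the catalog are skipped
    because the directive only governs entries CISA has listed."""
    catalog = json.loads(catalog_json)
    added = {v["cveID"]: v["dateAdded"] for v in catalog["vulnerabilities"]}
    today = date.fromisoformat(today_iso)
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            if cve not in added:
                continue
            due = due_date(cve, added[cve])
            findings.append(Finding(cve, host, due, today > date.fromisoformat(due)))
    # Earliest deadline first so the overdue items are at the top of the report.
    findings.sort(key=lambda f: (f.due, f.host))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CATALOG, SAMPLE_INVENTORY, "2021-11-20"):
        flag = "OVERDUE" if f.overdue else "open"
        print(f"{f.due}  {f.cve_id:<14} {f.host:<8} {flag}")
```

Run against the live feed by replacing `SAMPLE_CATALOG` with the downloaded JSON and `SAMPLE_INVENTORY` with your scanner's output; when the feed's own `dueDate` differs from the computed default, the feed wins, since the directive lets CISA shorten a window in cases of grave risk.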
The catalog is organized by vendor and product; vendors represented include Adobe, Apple, Cisco, Google and many others.
You can also sign up to receive alerts when new vulnerabilities are added to the list at cisa.gov/known-exploited-vulnerabilities.