Submitted URL: http://www.cisa.gov/binding-operational-directive-22-01
Effective URL: https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities
Submission: On March 07 via api from IL — Scanned from IL

Binding Operational Directives


BOD 22-01: REDUCING THE SIGNIFICANT RISK OF KNOWN EXPLOITED VULNERABILITIES

November 03, 2021
Related topics:
Cybersecurity Best Practices


This page contains a web-friendly version of the Cybersecurity and
Infrastructure Security Agency’s Binding Operational Directive 22-01 - Reducing
the Significant Risk of Known Exploited Vulnerabilities.

A binding operational directive is a compulsory direction to federal, executive
branch departments and agencies for the purpose of safeguarding federal
information and information systems.

Section 3553(b)(2) of title 44, U.S. Code, authorizes the Secretary of the
Department of Homeland Security (DHS) to develop and oversee the implementation
of binding operational directives.

Federal agencies are required to comply with DHS-developed directives.

These directives do not apply to statutorily defined “national security systems”
nor to certain systems operated by the Department of Defense or the Intelligence
Community.


BACKGROUND

The United States faces persistent and increasingly sophisticated malicious
cyber campaigns that threaten the public sector, the private sector, and
ultimately the American people’s security and privacy. The federal government
must improve its efforts to protect against these campaigns by ensuring the
security of information technology assets across the federal enterprise.
Vulnerabilities that have previously been used to exploit public and private
organizations are a frequent attack vector for malicious cyber actors of all
types. These vulnerabilities pose significant risk to agencies and the federal
enterprise. It is essential to aggressively remediate known exploited
vulnerabilities to protect federal information systems and reduce cyber
incidents.

This directive establishes a CISA-managed catalog of known exploited
vulnerabilities that carry significant risk to the federal enterprise and
establishes requirements for agencies to remediate any such vulnerabilities
included in the catalog. CISA will determine vulnerabilities warranting
inclusion in the catalog based on reliable evidence that the vulnerability is
being actively exploited against public or private organizations by a threat
actor. This directive enhances but does not replace BOD 19-02, which addresses
remediation requirements for critical and high vulnerabilities on
internet-facing federal information systems identified through CISA’s
vulnerability scanning service.

SCOPE

This directive applies to all software and hardware found on federal information
systems managed on agency premises or hosted by third parties on an agency’s
behalf. These required actions apply to any federal information system,
including an information system used or operated by another entity on behalf of
an agency, that collects, processes, stores, transmits, disseminates, or
otherwise maintains agency information.


REQUIRED ACTIONS

 1. Within 60 days of issuance, agencies shall review and update agency internal
    vulnerability management procedures in accordance with this Directive. If
    requested by CISA, agencies will provide a copy of these policies and
    procedures. At a minimum, agency policies must:
    
    1. Establish a process for ongoing remediation of vulnerabilities that CISA
       identifies, through inclusion in the CISA-managed catalog of known
       exploited vulnerabilities, as carrying significant risk to the federal
       enterprise within a timeframe set by CISA pursuant to this directive;
    
    2. Assign roles and responsibilities for executing agency actions as
       required by this directive;
    
    3. Define necessary actions required to enable prompt response to actions
       required by this directive;
    
    4. Establish internal validation and enforcement procedures to ensure
       adherence with this Directive; and
    
    5. Set internal tracking and reporting requirements to evaluate adherence
       with this Directive and provide reporting to CISA, as needed.

 2. Remediate each vulnerability according to the timelines set forth in the
    CISA-managed vulnerability catalog. The catalog will list exploited
    vulnerabilities that carry significant risk to the federal enterprise with
    the requirement to remediate within 6 months for vulnerabilities with a
    Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021 and
    within two weeks for all other vulnerabilities. These default timelines may
    be adjusted in the case of grave risk to the Federal Enterprise.

 3. Report on the status of vulnerabilities listed in the repository. In line
    with requirements for the Continuous Diagnostics and Mitigation (CDM)
    Federal Dashboard deployment and OMB annual FISMA memorandum requirements,
    agencies are expected to automate data exchange and report their respective
    Directive implementation status through the CDM Federal Dashboard. Initially
    agencies may submit quarterly reports through CyberScope submissions or
    report through the CDM Federal Dashboard. Starting on October 1, 2022,
    agencies that have not migrated reporting to the CDM Federal Dashboard will
    be required to update their status through CyberScope bi-weekly.


CISA ACTIONS

 1. Maintain the catalog of known exploited vulnerabilities
    at cisa.gov/known-exploited-vulnerabilities-catalog and alert agencies of
    updates for awareness and action.
 2. CISA will publish the thresholds and conditions for including and adding
    vulnerabilities to the catalog
    at cisa.gov/known-exploited-vulnerabilities-catalog.
 3. As necessary following the issuance of this Directive, CISA will review this
    Directive to account for changes in the general cybersecurity landscape and
    consider issuing Supplemental Direction to incorporate additional
    vulnerability management best practices for federal information systems.
 4. Annually, by the end of each fiscal year, provide a status report to the
    Secretary of Homeland Security, the Director of the Office of Management and
    Budget (OMB), and the National Cyber Director identifying cross-agency
    status and outstanding issues in implementation of this Directive.


FREQUENTLY ASKED QUESTIONS

WHAT IS THE DIFFERENCE BETWEEN VULNERABILITIES LISTED IN THE NATIONAL
VULNERABILITY DATABASE (NVD) AND THOSE IN CISA’S CATALOG OF KNOWN EXPLOITED
VULNERABILITIES (KEVS)?

The NVD lists all publicly known vulnerabilities with a Common Vulnerabilities
and Exposures (CVE) ID assigned. The NVD currently includes more than 160,000
unique CVEs, and is constantly growing. Each vulnerability is scored based on
several factors, including impact and ease of execution. However, the Common
Vulnerability Scoring System (CVSS) base score does not account for whether
the vulnerability is actually being used to attack systems. Our experts have
observed that attackers do not rely only on “critical” vulnerabilities to
achieve their goals; some of the most widespread and devastating attacks have
included multiple vulnerabilities rated “high”, “medium”, or even “low”. This
methodology, known as “chaining”, uses lower-scored vulnerabilities to first
gain a foothold, then exploits additional vulnerabilities to escalate privilege
on an incremental basis.

Also, many vulnerabilities classified as “critical” are highly complex and have
never been seen exploited in the wild - in fact, less than 4% of the total
number of CVEs have been publicly exploited. But threat actors are extremely
fast to exploit their vulnerabilities of choice: of those 4% of known exploited
CVEs, 42% are being used on day 0 of disclosure; 50% within 2 days; and 75%
within 28 days.

WHAT IS MORE IMPORTANT TO REMEDIATE FIRST – CRITICAL AND HIGH OR KNOWN EXPLOITED
VULNERABILITIES?

Known exploited vulnerabilities should be the top priority for remediation.
Based on a study of historical vulnerability data dating back to 2019, less than
4% of all known vulnerabilities have been used by attackers in the wild. Rather
than have agencies focus on thousands of vulnerabilities that may never be used
in a real-world attack, BOD 22-01 shifts the focus to those vulnerabilities that
are active threats. CISA acknowledges CVSS scoring can still be a part of an
organization’s vulnerability management efforts, especially with
machine-to-machine communication and large-scale automation. Keep in mind that
this Directive is intended to help agencies prioritize their remediation work;
it does not release them from any of their compliance obligations, including the
resolution of other vulnerabilities.

WITH EXTENDED TELEWORK, MOST OF OUR WORKSTATIONS ARE REMOTE AND HARD TO UPDATE,
DOES CISA HAVE ANY RECOMMENDATIONS FOR UPDATING ROAMING AND NOMADIC DEVICES?

Recent increases in teleworking have amplified these issues and made updating
and securing remote and roaming devices more challenging. CISA has published
a Capacity Enhancement Guide on Remote Patch and Vulnerability Management to
help agencies better manage their remote devices.

HOW OFTEN WILL CISA ADD NEW VULNERABILITIES TO THE CATALOG?

CISA adds new vulnerabilities to the catalog when our team identifies a
vulnerability that meets the following conditions:

 * Has an assigned Common Vulnerabilities and Exposures (CVE) ID.
 * There is reliable evidence that the vulnerability has been actively exploited
   in the wild.
 * There is a clear remediation action for the vulnerability, such as a vendor
   provided update.

We expect that the number of Known Exploited Vulnerabilities will expand over
time, because there is a significant increase in the number of new CVEs each
year. This is due both to the increase in the number and capabilities of threat
actors and the greater scrutiny being performed by security researchers.

WHAT’S THE DIFFERENCE BETWEEN A HIGH OR CRITICAL CVE AND A KNOWN EXPLOITED
VULNERABILITY (KEV)?

CVEs are currently scored under the CVSS system, which does not take into
consideration whether a vulnerability has ever been used to exploit a system in
the wild. Many CVEs with high and critical CVSS scores are very complex, may
require special conditions or permissions, and have only been demonstrated in
labs. Known Exploited Vulnerabilities (KEVs) are a subset of CVEs which have
been used to compromise systems in the real world.

AREN’T AGENCIES ALREADY REQUIRED TO UPDATE ALL CVES? WHAT’S THE POINT OF
CREATING A NEW UPDATING REQUIREMENT? SHOULD MY ORGANIZATION STILL USE CVSS FOR
PRIORITIZATION?

Agencies are not required to update all CVEs. To be effective, vulnerability
management programs must take active threats into consideration. CISA encourages
all stakeholders to leverage the CISA catalog of known exploited vulnerabilities
and to prioritize these vulnerabilities for immediate remediation. CISA
acknowledges CVSS scoring should still be a part of an organization’s
vulnerability management efforts, especially with machine-to-machine
communication and large-scale automation.

WHEN AFFECTED ASSETS CANNOT BE UPDATED PER VENDOR RECOMMENDATIONS, ARE THERE
ALTERNATIVE MITIGATION ACTIONS AVAILABLE?

Aside from removing affected assets from the network, the only known technical
mitigation to these vulnerabilities is to apply the required actions listed in
the catalog. If these actions cannot be accomplished within the required
timeframe, you must remove the asset from the agency network. An asset that
cannot be updated is most likely a legacy, unsupported asset with very high
operational uptime requirements.

Isolation is a form of removal from the network that minimizes direct access to
critical software, critical software platforms, and associated data. Depending
on your security and network architectures, this strategy can be highly
effective at stopping threats against vulnerable devices. Organizations need to
be prepared to implement isolation methods when needed and to undo the isolation
after applying the necessary patch(es) in order to restore regular device access
and functionality. Depending on your environment, appropriate isolation
techniques may include decommissioning, removal of the vulnerable software
product, network segmentation, isolation, software-defined perimeters, and
proxies.

WHY MIGHT A KEV NOT YET BE LISTED IN THE NATIONAL VULNERABILITY DATABASE (NVD)?

Sometimes third-party organizations release advisories about a CVE ID before
details on that CVE are published in the CVE list. A CVE will not be available
in the NVD if it has a status of reserved. You can
check https://cve.mitre.org/cve/search_cve_list.html to confirm whether the CVE
is in “reserved” status.

A CVE Record is marked as “reserved” when it has been reserved for use by a CVE
Numbering Authority (CNA) or security researcher, but the details of it are not
yet published by the CNA. Reserved is the initial state for a CVE Record.

A CVE Record can change from the “reserved” state to being published at any time
based on a number of factors both internal and external to the CVE List. Once
the CVE Record is published with details on the CVE List, it will become
available in the NVD. As one of the final steps in the process, the NVD Common
Vulnerability Scoring System (CVSS) scores for the CVE Records are assigned by
the NIST NVD team (https://www.cve.org/ResourcesSupport/FAQs).

HOW DO WE LEVERAGE CISA PROVIDED TOOLS TO HELP FIND CVES IN THE KEV CATALOG?

In December 2021, CDM released specialized visualizations and dashboards that
clearly identify known exploited vulnerabilities to federal agencies. This is
provided by having the CDM dashboard enrich agency vulnerability reporting using
the KEV/BOD feed that CISA maintains. This ensures that when new KEVs are added
to the CISA repository, they are automatically provided to the CDM platform and
can be tagged within the CDM reporting process without any manual intervention
by the end user. CDM had previously implemented a “heightened” vulnerability
flag for scenarios such as this, called the “Federal Vulnerability Action”
(FVA); going forward, this flag is used exclusively to mirror the KEVs to ensure
functional parity.

These features are available to any agency that has an operational CDM Agency
Dashboard that is being fed vulnerability information from CDM tools and
sensors. For more detailed information please reach out to your CDM portfolio
team.

The CISA Cyber Hygiene (CyHy) team is currently working on adding the capability
to highlight KEVs in the weekly Vulnerability Scanning reports as well as to
send out ad-hoc alerts within 24 hours of a KEV being newly detected on an
agency asset. Please keep in mind that CyHy VS is only able to detect
vulnerabilities from outside your network, so CVEs that require internal access
or credentials to detect will not be found in your CyHy VS reports, even if that
CVE may exist on your network.

WILL CISA APPROVE A WAIVER IF OUR AGENCY FACES SEVERE DIFFICULTY IMPLEMENTING A
SPECIFIC PATCH?

CISA does not issue waivers or exceptions for actions required in cyber
directives. Please let CISA (CyberDirectives@cisa.dhs.gov) know any special use
cases as soon as possible so that we can work with your agency to understand the
challenge, the options for mitigation, and the estimated remediation timeframe.

HOW WILL CISA ENCOURAGE CLOUD SERVICE PROVIDERS (CSPS) TO COMMIT TO DOING THEIR
PART TO PATCH THESE KEVS? HOW SHOULD AGENCIES REPORT VULNERABILITIES IN FEDERAL
INFORMATION SYSTEMS HOSTED IN THIRD-PARTY ENVIRONMENTS (SUCH AS THE CLOUD)?

CISA is working closely with FedRAMP to coordinate the response to this
Directive with FedRAMP Authorized cloud service providers (CSPs). FedRAMP
Authorized CSPs have been informed to coordinate with their agency customers.
CISA is also aware of third parties providing services for federal information
systems subject to this Directive that may not be covered by a FedRAMP
authorization.

Each agency is responsible for inventorying all their information systems hosted
in third-party environments (FedRAMP Authorized or otherwise) and contacting
service providers directly for status updates pertaining to, and to ensure
compliance with, this Directive.

If instances of affected versions have been found in a third-party environment,
reporting and remediation obligations will vary based on the type of the service
provided and whether the provider is another federal agency or a commercial
provider.

For reporting purposes:

 * If the affected third-party service provider is another federal entity, the
   agency providing the service is responsible for submitting status reports
   under this Directive to CISA. The agency receiving the service may not have
   any further reporting obligation for that specific system.
 * If the affected third-party service provider is a commercial provider
   (FedRAMP Authorized or otherwise), the service provider must report the
   status of outstanding vulnerabilities to the agency receiving the service.
   The agency receiving the service is then responsible for any reporting
   required by this Directive. Agencies remain responsible for engaging their
   service providers directly, as needed, to ensure compliance with this
   Directive.

HOW DID CISA DETERMINE ACTIVE EXPLOITATION?

CISA primarily receives exploitation information directly from security vendors,
researchers, and partners. CISA also obtains exploitation information through
U.S. Government and international partners, via open-source research performed
by CISA analysts, and through third-party subscription services.

When informed of active exploitation directly by a security vendor, security
researcher, or partner (including U.S. and international government agencies),
CISA meets with the reporting entity to discuss the exploitation evidence. CISA
adds the reported actively exploited vulnerabilities to the KEV catalog,
provided they meet BOD 22-01 requirements. Exploited vulnerabilities CISA
uncovers through incident response efforts are also added to the KEV catalog.

CISA analysts perform daily open-source searches for vulnerabilities. Active
exploitation information obtained from vendor security advisories is treated as
coming from a trusted source and considered accurate. When cybersecurity news
outlets, academic papers, cybersecurity company press releases (not from the
affected vendor), etc., report active exploitation, CISA reviews the wording and
original source citations for the exploitation for accuracy and reliability. If
the information is reliable, CISA adds the vulnerability to the KEV catalog; if
CISA does not consider the information 100% accurate, CISA does not add the
vulnerability to the KEV catalog (however, CISA internally notes the
vulnerability and will add it to the catalog should further exploitation
evidence come to light that justifies its inclusion).

CISA also has purchased subscription services for threat intelligence platforms
that contain information on vulnerabilities, including honeypot detection,
malware observations in the wild, threat intelligence reports, etc. Similar to
the open-source research procedures, CISA reviews the information from the
platforms and adds the vulnerability to the KEV catalog if the information is
reliable.

HOW QUICKLY DOES CISA UPDATE THE KEV CATALOG AFTER A NEW IN-SCOPE VULNERABILITY
IS IDENTIFIED?

CISA updates the KEV catalog within 24 hours of known exploitation evidence.

THERE IS AN OLDER CVE BEING ADDED TO THE KEV CATALOG. IS CISA SEEING AN ACTIVE
EXPLOITATION FOR IT?

Addition of a vulnerability to the KEV catalog does not indicate that CISA is
observing current active exploitation. If there is accurate reporting of active
exploitation, any vulnerability, despite its age, can qualify for KEV catalog
addition.

WHY ARE OLD CVES AND/OR END-OF-LIFE PRODUCTS BEING ADDED TO THE KEV CATALOG?

CISA does not assume that all running legacy products are fully patched. CISA
also does not assume that all end-of-life products have been decommissioned.

The absence of evidence of exploitation currently occurring does not preclude a
vulnerability from being exploited in the future. If an actor is targeting your
network and you have a vulnerable legacy product, they may use that
vulnerability to their advantage.

IS THERE A POC AVAILABLE? OR WE DON’T SEE A POC FOR THIS VULNERABILITY.

Although the percentage of listed vulnerabilities with PoCs may be high, an
available PoC is not a requirement for addition to the KEV catalog.

A VULNERABILITY IN THE KEV CATALOG HAS A SPECIFIC VENDOR AND PRODUCT LISTED.
HOWEVER, THIS PRODUCT IS EMBEDDED INTO A THIRD-PARTY PRODUCT PROVIDED BY A
DIFFERENT SECURITY VENDOR AND THEY DID NOT PROVIDE A PATCH. HOW SHOULD I
PROCEED?

CISA provides the original vendor and product attached to a particular
vulnerability along with the original vendor-provided patch. If your environment
contains a third-party product from a different security vendor, you will need
to contact that vendor directly to obtain the patch.

A PLUG-IN AND/OR OUR RESEARCH SHOWS A DIFFERENT VENDOR/PRODUCT FOR THIS CVE ID
THAN WHAT IS LISTED ON THE KEV CATALOG. WHAT IS THE CORRECT PRODUCT TO PATCH?

CISA aims to publish the most up-to-date information available when adding a
vulnerability to the KEV catalog; however, for some products, it is difficult to
determine where the vulnerability resides. If multiple products are attributed
to the same CVE ID, CISA recommends that, where applicable, users patch all
associated products with that CVE ID.

DOES CISA EVER REMOVE ENTRIES FROM THE KEV CATALOG?

CISA will only remove a vulnerability if the vendor’s security update for that
vulnerability causes a significant unforeseen issue with greater impact than the
vulnerability itself. Once the vendor resolves the issue, the vulnerability will
be restored to the catalog.

HOW CAN I USE THE KEV CATALOG AT MY ORGANIZATION?

CISA recommends organizations use the KEV catalog in conjunction with a
vulnerability scoring framework that evaluates exploitation status, such as the
Stakeholder Specific Vulnerability Categorization (SSVC) model. Doing so will
help inform decisions about prioritizing vulnerability management activities.
Active exploitation of a vulnerability is a widely accepted risk factor and
should be considered in vulnerability management activities. Organizations
should also consider using automated vulnerability and patch management tools
that automatically incorporate and flag or prioritize KEV vulnerabilities.
Examples of such tools include CISA's cyber hygiene services, Palo Alto Networks
Cortex, Tenable Nessus, Runecast, Qualys VMDR, Wiz, Rapid7 InsightVM, and
Rapid7 Nexpose. Organizations with additional tools that are incorporating KEV
vulnerabilities can be added to this list by emailing CISA.JCDC@CISA.DHS.GOV.

The KEV catalog can play a role in your vulnerability management program but
should not be the only factor. It can serve as a great starting point if you do
not yet have a vulnerability management program in place. CISA strongly
recommends organizations have updated asset inventory information to best
determine the software and hardware products that are currently in your
environment and to identify the KEV catalog vulnerabilities that directly affect
your organization.
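As an added example (not CISA's code or the CDM tooling described above), the script below applies the default remediation timelines from Required Action 2 (six months for CVE IDs assigned before 2021, two weeks otherwise) to a constructed KEV-style feed and matches it against an asset inventory, so the KEV-listed findings come out ordered by due date, which is the inventory-driven use of the catalog the answer above recommends. The feed field names (cveID, vendorProject, product, dateAdded), the inventory layout, counting the timeline from dateAdded, and reading the assignment year from the CVE ID itself are all assumptions for illustration.

```python
"""Added example, not CISA's code: apply the BOD 22-01 default remediation
timelines to a constructed KEV-style feed and match it against an asset
inventory so the KEV-listed findings come out ordered by due date.
Assumptions: feed field names (cveID, vendorProject, product, dateAdded),
the inventory layout, counting the timeline from dateAdded, and treating the
year in the CVE ID as the year the ID was assigned."""
from __future__ import annotations

import calendar
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample feed; the CVE IDs below are placeholders, not real entries.
SAMPLE_KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2019-00001", "vendorProject": "ExampleCorp",
   "product": "Gateway", "dateAdded": "2021-11-03"},
  {"cveID": "CVE-2021-00002", "vendorProject": "ExampleCorp",
   "product": "Gateway", "dateAdded": "2021-11-03"},
  {"cveID": "CVE-2021-00003", "vendorProject": "OtherVendor",
   "product": "Mailer", "dateAdded": "2021-11-17"}
]}
"""

# Constructed inventory: assets with the CVE IDs a scanner reported on each.
SAMPLE_INVENTORY = [
    {"asset": "gw-01", "vendor": "ExampleCorp", "product": "Gateway",
     "cves": ["CVE-2019-00001", "CVE-2021-00002", "CVE-2021-99999"]},
    {"asset": "mail-01", "vendor": "OtherVendor", "product": "Mailer",
     "cves": ["CVE-2021-00003"]},
]

# Constructed reference date for the sample run.
TODAY_SAMPLE = date(2021, 12, 1)


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    vendor: str
    product: str
    date_added: date


def cve_year(cve_id: str) -> int:
    """Year component of a CVE ID such as CVE-2019-00001."""
    parts = cve_id.split("-")
    if len(parts) != 3 or parts[0] != "CVE" or not parts[1].isdigit():
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(parts[1])


def add_months(d: date, months: int) -> date:
    """Calendar-month addition, clamping to the last day of the target month."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return d.replace(year=year, month=month, day=min(d.day, last_day))


def default_due_date(entry: KevEntry) -> date:
    """Required Action 2: six months for CVE IDs assigned before 2021,
    two weeks for everything else (counted here from dateAdded)."""
    if cve_year(entry.cve_id) < 2021:
        return add_months(entry.date_added, 6)
    return entry.date_added + timedelta(weeks=2)


def load_kev(feed_json: str) -> dict[str, KevEntry]:
    """Index a KEV-style JSON feed by CVE ID."""
    data = json.loads(feed_json)
    return {
        v["cveID"]: KevEntry(v["cveID"], v["vendorProject"], v["product"],
                             date.fromisoformat(v["dateAdded"]))
        for v in data["vulnerabilities"]
    }


def prioritize(inventory: list[dict], kev: dict[str, KevEntry],
               today: date) -> list[dict]:
    """Findings on KEV-listed CVEs only, earliest due date first.
    CVEs absent from the KEV are left to the normal CVSS/SSVC triage."""
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = default_due_date(entry)
            findings.append({"asset": asset["asset"], "cve": cve,
                             "due": due, "overdue_days": (today - due).days})
    findings.sort(key=lambda f: f["due"])
    return findings


if __name__ == "__main__":
    for f in prioritize(SAMPLE_INVENTORY, load_kev(SAMPLE_KEV_JSON), TODAY_SAMPLE):
        state = "OVERDUE" if f["overdue_days"] > 0 else "due"
        print(f"{f['asset']:8} {f['cve']:15} {state} {f['due']} "
              f"({f['overdue_days']:+d} days)")
```

The real catalog publishes its own due date per entry; this computation is only the directive's default rule and must defer to the catalog value where CISA has adjusted a timeline.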

WHY IS THE KEV MISSING A VULNERABILITY I'VE SEEN EXPLOITATION FOR?

Reliable evidence of exploitation in the wild is only one of the criteria needed
to add a vulnerability to the KEV. A vulnerability must also have a CVE ID and
clear remediation guidance. As a reminder, the KEV is part of a risk-reduction
action for federal civilian executive branch agencies as defined in BOD 22-01.
This directive establishes a CISA-managed catalog of known exploited
vulnerabilities that carry significant risk to the federal enterprise.
Organizations or individuals with information about an exploited vulnerability
not currently listed on the KEV are encouraged to contact us at
vulnerability@cisa.dhs.gov.

WHAT ARE THE CRITERIA FOR A VULNERABILITY BEING ADDED TO THE KEV?

As prescribed by BOD 22-01, the KEV is a list of vulnerabilities that federal
executive civilian branch agencies are required to patch on an accelerated
timeline. There are three criteria for adding a vulnerability to the KEV: (1) a
CVE ID; (2) clear remediation guidance; and (3) reliable evidence of
exploitation in the wild.

IS THE KEV THE ONLY LIST OF VULNERABILITIES THAT I NEED TO WORRY ABOUT?

No. The KEV catalog sends a clear message to all organizations to prioritize
remediation efforts on the subset of vulnerabilities that are causing immediate
harm based on adversary activity. However, we do not recommend exclusive use of
the KEV catalog as the only criterion on which organizations triage
vulnerabilities. Organizations should use the KEV catalog as an input to their
vulnerability management prioritization framework. CISA recommends using
vulnerability management frameworks such as the Stakeholder-Specific
Vulnerability Categorization (SSVC) to triage vulnerabilities using decision
points appropriate to your organization. The state of exploitation is one such
recommended decision point, and the KEV is an important source of relevant
information.


RESOURCES AND CONTACT INFORMATION

 * General information, assistance, and reporting
   – cyberdirectives@cisa.dhs.gov
 * CISA-managed catalog of known exploited vulnerabilities:
   cisa.gov/known-exploited-vulnerabilities-catalog
 * Sign up for automatic alerts when new vulnerabilities are added to the
   catalog
