URL: https://www.cisa.gov/binding-operational-directive-22-01
Submission: On April 04 via api from US — Scanned from DE

TLP:WHITE


BINDING OPERATIONAL DIRECTIVE 22-01 - REDUCING THE SIGNIFICANT RISK OF KNOWN
EXPLOITED VULNERABILITIES

--------------------------------------------------------------------------------

November 3, 2021

This page contains a web-friendly version of the Cybersecurity and
Infrastructure Security Agency’s Binding Operational Directive 22-01 - Reducing
the Significant Risk of Known Exploited Vulnerabilities.

A binding operational directive is a compulsory direction to federal, executive
branch, departments and agencies for purposes of safeguarding federal
information and information systems.

Section 3553(b)(2) of title 44, U.S. Code, authorizes the Secretary of the
Department of Homeland Security (DHS) to develop and oversee the implementation
of binding operational directives.

Federal agencies are required to comply with DHS-developed directives.

These directives do not apply to statutorily defined “national security systems”
nor to certain systems operated by the Department of Defense or the Intelligence
Community.



BACKGROUND

The United States faces persistent and increasingly sophisticated malicious
cyber campaigns that threaten the public sector, the private sector, and
ultimately the American people’s security and privacy. The federal government
must improve its efforts to protect against these campaigns by ensuring the
security of information technology assets across the federal enterprise.
Vulnerabilities that have previously been used to exploit public and private
organizations are a frequent attack vector for malicious cyber actors of all
types. These vulnerabilities pose significant risk to agencies and the federal
enterprise. It is essential to aggressively remediate known exploited
vulnerabilities to protect federal information systems and reduce cyber
incidents.

This directive establishes a CISA-managed catalog of known exploited
vulnerabilities that carry significant risk to the federal enterprise
(https://cisa.gov/known-exploited-vulnerabilities) and establishes
requirements for agencies to remediate any such vulnerabilities included in the
catalog. CISA will determine which vulnerabilities warrant inclusion in the
catalog based on reliable evidence that the vulnerability is being actively
exploited against public or private organizations by a threat actor. This
directive enhances but does not replace BOD 19-02, which addresses remediation
requirements for critical and high vulnerabilities on internet-facing federal
information systems identified through CISA’s vulnerability scanning service.


SCOPE

This directive applies to all software and hardware found on federal information
systems managed on agency premises or hosted by third parties on an agency’s
behalf. These required actions apply to any federal information system,
including an information system used or operated by another entity on behalf of
an agency, that collects, processes, stores, transmits, disseminates, or
otherwise maintains agency information.


REQUIRED ACTIONS

 1. Within 60 days of issuance, agencies shall review and update agency internal
    vulnerability management procedures in accordance with this Directive. If
    requested by CISA, agencies will provide a copy of these policies and
    procedures. At a minimum, agency policies must:
    
    a. Establish a process for ongoing remediation of vulnerabilities that CISA
    identifies, through inclusion in the CISA-managed catalog of known exploited
    vulnerabilities, as carrying significant risk to the federal enterprise
    within a timeframe set by CISA pursuant to this directive;
    
    b. Assign roles and responsibilities for executing agency actions as
    required by this directive;
    
    c. Define necessary actions required to enable prompt response to actions
    required by this directive;
    
    d. Establish internal validation and enforcement procedures to ensure
    adherence with this Directive; and
    
    e. Set internal tracking and reporting requirements to evaluate adherence
    with this Directive and provide reporting to CISA, as needed.

 2. Remediate each vulnerability according to the timelines set forth in the
    CISA-managed vulnerability catalog. The catalog will list exploited
    vulnerabilities that carry significant risk to the federal enterprise with
    the requirement to remediate within 6 months for vulnerabilities with a
    Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021 and
    within two weeks for all other vulnerabilities. These default timelines may
    be adjusted in the case of grave risk to the Federal Enterprise.

 3. Report on the status of vulnerabilities listed in the repository. In line
    with requirements for the Continuous Diagnostics and Mitigation (CDM)
    Federal Dashboard deployment and OMB annual FISMA memorandum requirements,
    agencies are expected to automate data exchange and report their respective
    Directive implementation status through the CDM Federal Dashboard. Initially
    agencies may submit quarterly reports through CyberScope submissions or
    report through the CDM Federal Dashboard. Starting on October 1, 2022,
    agencies that have not migrated reporting to the CDM Federal Dashboard will
    be required to update their status through CyberScope bi-weekly.


CISA ACTIONS

 1. Maintain the catalog of known exploited vulnerabilities
    at https://cisa.gov/known-exploited-vulnerabilities and alert agencies of
    updates for awareness and action.
 2. CISA will publish the thresholds and conditions for including and adding
    vulnerabilities to the catalog
    at https://cisa.gov/known-exploited-vulnerabilities.
 3. As necessary following the issuance of this Directive, CISA will review this
    Directive to account for changes in the general cybersecurity landscape and
    consider issuing Supplemental Direction to incorporate additional
    vulnerability management best practices for federal information systems.
 4. Annually, by the end of each fiscal year, provide a status report to the
    Secretary of Homeland Security, the Director of the Office of Management and
    Budget (OMB), and the National Cyber Director identifying cross-agency
    status and outstanding issues in implementation of this Directive.


FREQUENTLY ASKED QUESTIONS


WHAT IS THE DIFFERENCE BETWEEN VULNERABILITIES LISTED IN THE NATIONAL
VULNERABILITY DATABASE (NVD) AND THOSE IN CISA’S CATALOG OF KNOWN EXPLOITED
VULNERABILITIES (KEVS)?

The NVD lists all publicly known vulnerabilities with a Common Vulnerabilities
and Exposures (CVE) ID assigned. The NVD database currently includes more than
160,000 unique CVEs, and is constantly growing. Each vulnerability is scored
based on several factors, including impact and ease of execution. However, the
Common Vulnerability Scoring System (CVSS) base score does not account for
whether the vulnerability is actually being used to attack systems. Our experts
have observed that attackers do not rely only on “critical” vulnerabilities to
achieve their goals; some of the most widespread and devastating attacks have
included multiple vulnerabilities rated “high”, “medium”, or even “low”. This
methodology, known as “chaining”, uses lower-scored vulnerabilities to first
gain a foothold, then exploits additional vulnerabilities to escalate privilege
on an incremental basis.

Also, many vulnerabilities classified as “critical” are highly complex and have
never been seen exploited in the wild - in fact, only 4% of the total number of
CVEs have been publicly exploited. But threat actors are extremely fast to
exploit their vulnerabilities of choice: of those 4% of known exploited CVEs,
42% are being used on day 0 of disclosure; 50% within 2 days; and 75% within 28
days!


WHAT IS MORE IMPORTANT TO REMEDIATE FIRST - CRITICAL AND HIGH OR KNOWN EXPLOITED
VULNERABILITIES?

Known Exploited Vulnerabilities should be the top priority for remediation.
Based on a study of historical vulnerability data up to 2019,
only 4% of the total number of vulnerabilities have been used by attackers in
the wild. Rather than have agencies focus on thousands of vulnerabilities that
may never be used in a real-world attack, BOD 22-01 shifts the focus to those
vulnerabilities that are active threats. CISA acknowledges CVSS scoring should
still be a part of an organization’s vulnerability management efforts,
especially with machine-to-machine communication and large-scale automation.
Keep in mind that this Directive is intended to help agencies prioritize their
remediation work; it does not release them from any of their compliance
obligations, including the resolution of other vulnerabilities.


WITH EXTENDED TELEWORK, MOST OF OUR WORKSTATIONS ARE REMOTE AND HARD TO PATCH.
DOES CISA HAVE ANY RECOMMENDATIONS FOR PATCHING ROAMING AND NOMADIC DEVICES?

Recent increases in teleworking have amplified these issues and made patching
and securing remote and roaming devices more challenging. CISA has published
a Capacity Enhancement Guide on Remote Patch and Vulnerability Management to
help agencies better manage their remote devices.


HOW OFTEN WILL CISA ADD NEW VULNERABILITIES TO THE CATALOG?

CISA will add new vulnerabilities to the catalog when our team identifies a
vulnerability that meets the following conditions:

 * The vulnerability has an assigned Common Vulnerabilities and Exposures (CVE)
   ID.
 * There is reliable evidence that the vulnerability has been actively exploited
   in the wild.
 * There is a clear remediation action for the vulnerability, such as a
   vendor-provided update.

Based on historical data, we anticipate that less than 4% of the total number of
vulnerabilities identified in a calendar year will be escalated to the Known
Exploited Vulnerability (KEV) catalog. We expect that the number of KEVs will
expand annually, because there is a significant increase in the number of new
CVEs each year. This is due both to the increase in the number and capabilities
of threat actors and the greater scrutiny being performed by security
researchers.


WHAT’S THE DIFFERENCE BETWEEN A HIGH OR CRITICAL CVE AND A KNOWN EXPLOITED
VULNERABILITY (KEV)?

CVEs are currently scored under the CVSS system, which does not take into
consideration whether a vulnerability has ever been used to exploit a system in
the wild. Many CVEs with high and critical CVSS scores are very complex, may
require special conditions or permissions, and have only been demonstrated in
labs. Known Exploited Vulnerabilities (KEVs) are a subset of CVEs which have
been used to compromise systems in the real world. Known Exploited
Vulnerabilities are real threats that are being leveraged against systems right
now.


AREN’T AGENCIES ALREADY REQUIRED TO PATCH AGAINST ALL CVES? WHAT’S THE POINT OF
CREATING A NEW PATCHING REQUIREMENT? SHOULD MY ORGANIZATION STILL USE CVSS FOR
PRIORITIZATION?

Agencies are not required to patch all CVEs. To be effective, vulnerability
management programs must take active threats into consideration. CISA encourages
all stakeholders to leverage the CISA catalog of known exploited vulnerabilities
and to prioritize these vulnerabilities for immediate remediation. CISA
acknowledges CVSS scoring should still be a part of an organization’s
vulnerability management efforts, especially with machine-to-machine
communication and large-scale automation.
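The prioritization rule the directive describes (Required Action 2 and the FAQ above) is simple enough to encode: catalog-listed CVEs come first, ordered by their remediation deadline, and CVSS only ranks what is left. The following is an added example written for this page, not CISA's own tooling and not the live catalog format. It assumes the remediation clock starts on the date CISA added the entry to the catalog, that "6 months" means calendar months, and it uses constructed sample data (the CVE IDs and dates below are made up).

```python
"""
Prioritise scanner findings the way BOD 22-01 directs: catalog-listed (KEV)
CVEs first, ordered by remediation deadline, then everything else by CVSS.
Example code for illustration; the catalog entries and findings are constructed.
"""
from __future__ import annotations

import re
from datetime import date, timedelta

# CVE IDs have the form CVE-YYYY-NNNN with four or more trailing digits.
CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")

# Constructed catalog sample (NOT the real KEV catalog): CVE ID -> date added.
SAMPLE_KEV: dict[str, date] = {
    "CVE-2019-0001": date(2021, 11, 3),
    "CVE-2021-0002": date(2021, 11, 3),
    "CVE-2021-0003": date(2021, 11, 17),
}

# Constructed scanner output: (asset, CVE ID, CVSS base score).
SAMPLE_FINDINGS = [
    ("web-01", "CVE-2020-9999", 9.8),  # critical score, but not in the catalog
    ("web-01", "CVE-2021-0002", 6.5),  # medium score, but actively exploited
    ("db-02", "CVE-2019-0001", 5.3),
    ("vpn-01", "CVE-2021-0003", 7.2),
    ("vpn-01", "CVE-2018-1234", 4.0),
]


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last valid day of the month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    first_of_next = date(year + month // 12, month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def cve_year(cve_id: str) -> int:
    """Return the year embedded in a CVE ID; reject malformed identifiers."""
    m = CVE_RE.match(cve_id.strip().upper())
    if not m:
        raise ValueError(f"malformed CVE ID: {cve_id!r}")
    return int(m.group(1))


def default_due_date(cve_id: str, date_added: date) -> date:
    """BOD 22-01 default timelines: 6 months for CVE IDs assigned before 2021,
    two weeks for all others. Assumption: the clock starts on the catalog
    'date added'. CISA may shorten these in grave-risk cases, which this
    helper does not model."""
    if cve_year(cve_id) < 2021:
        return add_months(date_added, 6)
    return date_added + timedelta(days=14)


def prioritise(findings, kev: dict[str, date], as_of: date) -> list[dict]:
    """Annotate findings with catalog status and deadline, then sort:
    catalog entries by due date first, remaining CVEs by CVSS descending."""
    rows = []
    for asset, cve, cvss in findings:
        added = kev.get(cve.strip().upper())
        due = default_due_date(cve, added) if added else None
        rows.append({
            "asset": asset,
            "cve": cve,
            "cvss": cvss,
            "in_kev": added is not None,
            "due": due,
            # A deadline that falls on the as-of date is not yet overdue.
            "overdue": due is not None and due < as_of,
        })
    rows.sort(key=lambda r: (0 if r["in_kev"] else 1,
                             r["due"] or date.max,
                             -r["cvss"]))
    return rows


def overdue_cves(rows: list[dict]) -> list[str]:
    """CVE IDs whose directive deadline has passed; the report-to-CISA list."""
    return [r["cve"] for r in rows if r["overdue"]]


if __name__ == "__main__":
    ranked = prioritise(SAMPLE_FINDINGS, SAMPLE_KEV, as_of=date(2021, 12, 1))
    for r in ranked:
        flag = "KEV" if r["in_kev"] else "   "
        print(f"{flag} {r['asset']:7} {r['cve']:15} cvss={r['cvss']:<4} "
              f"due={r['due']} overdue={r['overdue']}")
    print("overdue:", overdue_cves(ranked))
```

Note that the highest-scored finding (CVSS 9.8) lands behind every catalog entry, which is exactly the ordering the FAQ argues for; CVSS still breaks ties among the non-catalog findings, so it is not discarded.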


HOW SHOULD AGENCIES REPORT VULNERABILITIES IN FEDERAL INFORMATION SYSTEMS HOSTED
IN THIRD-PARTY ENVIRONMENTS (SUCH AS THE CLOUD)?

CISA is working closely with FedRAMP to coordinate the response to this
directive with FedRAMP Authorized cloud service providers (CSPs). CISA is also
aware of third parties providing services for federal information systems
subject to this directive that may not be covered by a FedRAMP authorization.

Each agency is responsible for maintaining an inventory of its information
systems hosted in third-party environments (FedRAMP Authorized or otherwise) and
working with service providers directly for status updates pertaining to, and to
ensure compliance with, this Directive.

For reporting purposes:

 * If the affected third-party service provider is another federal entity, the
   agency providing the service is responsible for submitting status reports
   under this Directive to CISA. The agency receiving the service may not have
   any further reporting obligation for that specific system.
 * If the affected third-party service provider is a commercial provider
   (FedRAMP Authorized or otherwise), the service provider must report the
   status of outstanding vulnerabilities to the agency receiving the service.
   The agency receiving the service is then responsible for any reporting
   required by this Directive. Agencies remain responsible for engaging their
   service providers directly, as needed, to ensure compliance with this
   Directive.


THIS IS A COMPREHENSIVE CATALOG OF VULNERABILITIES THAT CARRY UNACCEPTABLE RISK
TO THE FEDERAL ENTERPRISE. WILL THAT INFORMATION BE SHARED IN SOME MANNER WITH
THE PUBLIC AND PRIVATE SECTOR?

CISA maintains the inventory of vulnerabilities that carry unacceptable risk to
the federal enterprise
at https://cisa.gov/known-exploited-vulnerabilities-catalog and will alert
agencies and its partners of updates for awareness and action, including all
mitigation timelines.

We strongly encourage every organization to sign up for notifications of updates
to the CISA catalog and remediate all the vulnerabilities it lists.


RESOURCES AND CONTACT INFORMATION

 * General information, assistance, and reporting: cyberdirectives@cisa.dhs.gov
 * CISA-managed catalog of known exploited vulnerabilities:
   https://cisa.gov/known-exploited-vulnerabilities
 * Sign up for automatic alerts when new vulnerabilities are added to the
   catalog.
