3 Experts- CISA Requires Agencies To Patch Known Exploited Vulnerabilities

By ISBuzz Team
Writer, Information Security Buzz | Nov 04, 2021 01:31 pm PST


CISA has issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities. The directive contains a public catalog of vulnerabilities known to be exploited in the wild and requires US federal agencies to patch affected systems within specific time frames. The catalog includes vulnerabilities in products from Cisco, Google, Microsoft, Apple, Oracle, Adobe, Atlassian, IBM, and others. For vulnerabilities disclosed this year (CVE IDs of the form CVE-2021-*****), the Directive requires US federal civilian agencies to apply patches by November 17, 2021. Older vulnerabilities must be patched by May 3, 2022. Experts with Gurucul, SecurityGate & YouAttest offer perspective.
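As an added illustration (not part of the article or of CISA's own tooling), the following Python script applies the two deadlines described above to a KEV-style catalog and an asset inventory, reporting unpatched assets whose deadline has passed. The field names `cveID`, `vendorProject` and `product` are assumed to mirror CISA's published JSON catalog; the catalog entries and inventory are constructed placeholders.

```python
import re
from datetime import date

# Deadlines stated in BOD 22-01 as described above.
DUE_2021 = date(2021, 11, 17)   # CVE-2021-* entries
DUE_OLDER = date(2022, 5, 3)    # entries from earlier years
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Constructed placeholder entries; field names mirror CISA's JSON catalog (assumption).
CATALOG = [
    {"cveID": "CVE-2021-00001", "vendorProject": "Microsoft", "product": "ProductA"},
    {"cveID": "CVE-2019-00002", "vendorProject": "Cisco", "product": "ProductB"},
]
# Constructed asset inventory: what is deployed and whether the fix is applied.
INVENTORY = [
    {"host": "mail01", "vendor": "Microsoft", "product": "ProductA", "patched": False},
    {"host": "edge01", "vendor": "Cisco", "product": "ProductB", "patched": False},
    {"host": "edge02", "vendor": "Cisco", "product": "ProductB", "patched": True},
]


def due_date(cve_id: str) -> date:
    """Map a CVE ID to its BOD 22-01 remediation deadline by disclosure year."""
    m = CVE_RE.match(cve_id)
    if not m:
        raise ValueError(f"malformed CVE ID: {cve_id!r}")
    year = int(m.group(1))
    if year > 2021:  # the article covers only the initial catalog's two deadlines
        raise ValueError(f"{cve_id} is outside the deadlines described here")
    return DUE_2021 if year == 2021 else DUE_OLDER


def overdue(catalog, inventory, today_iso: str):
    """Return sorted (cve_id, host, due) for unpatched assets past their deadline."""
    today = date.fromisoformat(today_iso)
    cves_by_product = {}
    for entry in catalog:
        key = (entry["vendorProject"], entry["product"])
        cves_by_product.setdefault(key, []).append(entry["cveID"])
    findings = []
    for asset in inventory:
        if asset["patched"]:
            continue  # fix already applied; nothing to report
        for cve_id in cves_by_product.get((asset["vendor"], asset["product"]), []):
            due = due_date(cve_id)
            if today > due:  # "by" the due date means the day itself is still on time
                findings.append((cve_id, asset["host"], due))
    return sorted(findings)


if __name__ == "__main__":
    for cve_id, host, due in overdue(CATALOG, INVENTORY, "2022-06-01"):
        print(f"{host}: {cve_id} was due {due.isoformat()}")
```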

Garret F. Grajek
InfoSec Expert
November 4, 2021 9:35 pm

CISA’s Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, is a great service to the security community. The fact that the broad-ranging document includes products from Cisco, Google, Microsoft, Apple, Oracle, Adobe, Atlassian, IBM and others shows how far-reaching the problem is. And also how addressing just the individual components, though necessary, is a losing game. The fact that the vulnerabilities exist in practically all the resources infers to security personnel that an overall methodology must be in place to mitigate an attack that could come from anywhere.

The commonly accepted new methodology is Zero Trust – where each "leg" in the system has to confirm the identity of the requesting party. In a zero trust system identities and informational requests need to be constantly validated in each step of the process. Identity attestation to ensure the principle of least privilege (PR.AC-6) is also imperative in a zero-trust system.

Bill Lawrence, CISO
InfoSec Expert
November 4, 2021 9:34 pm

CISA continues to impress with its focus on defending government networks and systems by executing on the basics of cyber “blocking and tackling”. It is disappointing that it takes a Binding Operational Directive for US Federal departments and agencies to implement critical patches, but kudos to CISA for recognizing this issue and using its authorities to enforce action. There was quite a bit of controversy back in 2017 with a similar directive for Kaspersky products, but this action is a no-brainer. Let’s see if it migrates to quarterly in 2022 rather than annually.

Saryu Nayyar, CEO
InfoSec Expert
November 4, 2021 9:33 pm

Patching software and operating systems should be at the top of the IT priority list. Now CISA is stepping in, directing government agencies to apply all patches by November 17. Patching can be a complicated process, in that patches should be tested in the production environment first, but should take precedence over less critical activities.

Too many organizations think patching software is optional and doesn’t have to be done immediately. It’s refreshing to see that CISA has published a comprehensive list of known vulnerabilities along with relevant patches. Every organization, even those outside of the government, should obtain this list and use it to check their own patch programs.
