CISA has issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities. The directive contains a public catalog of vulnerabilities known to be exploited in the wild and requires US federal agencies to patch affected systems within specific time frames. The lists include vulnerabilities from products such as Cisco, Google, Microsoft, Apple, Oracle, Adobe, Atlassian, IBM, and others. For vulnerabilities disclosed this year (CVE codes of CVE-2021-*****), the Directive requires US federal civilian agencies to apply patches by November 17, 2021. Older vulns must be patched by May 3, 2022. Experts with Gurucul, SecurityGate & YouAttest offer perspective.