Binding Operational Directive 22-01
November 3, 2021
Reducing the Significant Risk of Known Exploited Vulnerabilities
This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 22-01 - Reducing the Significant Risk of Known Exploited Vulnerabilities.
A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.
Section 3553(b)(2) of title 44, U.S. Code, authorizes the Secretary of the Department of Homeland Security (DHS) to develop and oversee the implementation of binding operational directives.
Federal agencies are required to comply with DHS-developed directives.
These directives do not apply to statutorily defined “national security systems” nor to certain systems operated by the Department of Defense or the Intelligence Community.
The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The federal government must improve its efforts to protect against these campaigns by ensuring the security of information technology assets across the federal enterprise. Vulnerabilities that have previously been used to exploit public and private organizations are a frequent attack vector for malicious cyber actors of all types. These vulnerabilities pose significant risk to agencies and the federal enterprise. It is essential to aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents.
This directive establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal enterprise https://cisa.gov/known-exploited-vulnerabilities and establishes requirements for agencies to remediate any such vulnerabilities included in the catalog. CISA will determine vulnerabilities warranting inclusion in the catalog based on reliable evidence that the exploit is being actively used to exploit public or private organizations by a threat actor. This directive enhances but does not replace BOD 19-02, which addresses remediation requirements for critical and high vulnerabilities on internet-facing federal information systems identified through CISA’s vulnerability scanning service.
This directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency’s behalf. These required actions apply to any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.
Within 60 days of issuance, agencies shall review and update agency internal vulnerability management procedures in accordance with this Directive. If requested by CISA, agencies will provide a copy of these policies and procedures. At a minimum, agency policies must:
a. Establish a process for ongoing remediation of vulnerabilities that CISA identifies, through inclusion in the CISA-managed catalog of known exploited vulnerabilities, as carrying significant risk to the federal enterprise within a timeframe set by CISA pursuant to this directive;
b. Assign roles and responsibilities for executing agency actions as required by this directive;
c. Define necessary actions required to enable prompt response to actions required by this directive;
d. Establish internal validation and enforcement procedures to ensure adherence with this Directive; and
e. Set internal tracking and reporting requirements to evaluate adherence with this Directive and provide reporting to CISA, as needed.
Remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog. The catalog will list exploited vulnerabilities that carry significant risk to the federal enterprise with the requirement to remediate within 6 months for vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021 and within two weeks for all other vulnerabilities. These default timelines may be adjusted in the case of grave risk to the Federal Enterprise.
Report on the status of vulnerabilities listed in the repository. In line with requirements for the Continuous Diagnostics and Mitigation (CDM) Federal Dashboard deployment and OMB annual FISMA memorandum requirements, agencies are expected to automate data exchange and report their respective Directive implementation status through the CDM Federal Dashboard. Initially agencies may submit quarterly reports through CyberScope submissions or report through the CDM Federal Dashboard. Starting on October 1, 2022, agencies that have not migrated reporting to the CDM Federal Dashboard will be required to update their status through CyberScope bi-weekly.
- Maintain the catalog of known exploited vulnerabilities at https://cisa.gov/known-exploited-vulnerabilities and alert agencies of updates for awareness and action.
- CISA will publish the thresholds and conditions for including and adding vulnerabilities to the catalog at https://cisa.gov/known-exploited-vulnerabilities.
- As necessary following the issuance of this Directive, CISA will review this Directive to account for changes in the general cybersecurity landscape and consider issuing Supplemental Direction to incorporate additional vulnerability management best practices for federal information systems.
- Annually, by the end of each fiscal year, provide a status report to the Secretary of Homeland Security, the Director of the Office of Management and Budget (OMB), and the National Cyber Director identifying cross-agency status and outstanding issues in implementation of this Directive.
Frequently Asked Questions
- What is the difference between vulnerabilities listed in the National Vulnerability Database (NVD) and those in CISA’s catalog of Known Exploited Vulnerabilities (KEVs)?
- What is more important to remediate first - critical and high or Known Exploited Vulnerabilities?
- With extended telework, most of our workstations are remote and hard to patch, does CISA have any recommendations for patching roaming and nomadic devices?
- How often will CISA add new vulnerabilities to the catalog?
- What’s the difference between a High or Critical CVE and a Known Exploited Vulnerability (KEV)?
- Aren’t agencies already required to patch against all CVEs? What’s the point of creating a new patching requirement? Should my organization still use CVSS for prioritization?
- How should agencies report vulnerabilities in federal information systems hosted in third-party environments (such as the Cloud)
- This is a comprehensive catalog of vulnerabilities that carry unacceptable risk to the federal enterprise. Will that information be shared in some manner with the public and private sector?
What is the difference between vulnerabilities listed in the National Vulnerability Database (NVD) and those in CISA’s catalog of Known Exploited Vulnerabilities (KEVs)?
The NVD lists all publicly known vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned. The NVD database currently includes more than 160,000 unique CVEs, and is constantly growing. Each vulnerability is scored based on several factors, including impact and ease of execution. However, the Common Vulnerability Scoring System (CVSS) base score does not account for if the vulnerability is actually being used to attack systems. Our experts have observed that attackers do not rely only on “critical” vulnerabilities to achieve their goals; some of the most widespread and devastating attacks have included multiple vulnerabilities rated “high”, “medium”, or even “low”. This methodology, known as “chaining”, uses lower score vulnerabilities to first gain a foothold, then exploit additional vulnerabilities to escalate privilege on an incremental basis.
Also, many vulnerabilities classified as “critical” are highly complex and have never been seen exploited in the wild - in fact, only 4% of the total number of CVEs have been publicly exploited. But threat actors are extremely fast to exploit their vulnerabilities of choice: of those 4% of known exploited CVEs, 42% are being used on day 0 of disclosure; 50% within 2 days; and 75% within 28 days!
What is more important to remediate first - critical and high or known exploited vulnerabilities?
Known Exploited Vulnerabilities should be the top priority for remediation. Based on a study of historical vulnerability data to 2019, only 4% of the total number of vulnerabilities have been used by attackers in the wild. Rather than have agencies focus on thousands of vulnerabilities that may never be used in a real-world attack, BOD 22-01 shifts the focus to those vulnerabilities that are active threats. CISA acknowledges CVSS scoring should still be a part of an organization’s vulnerability management efforts, especially with machine-to-machine communication and large-scale automation. Keep in mind that this Directive is intended to help agencies prioritize their remediation work; it does not release them from any of their compliance obligations, including the resolution of other vulnerabilities.
With extended telework, most of our workstations are remote and hard to patch, does CISA have any recommendations for patching roaming and nomadic devices?
Recent increases in teleworking have amplified these issues and made patching and securing remote and roaming devices more challenging. CISA has published a Capacity Enhancement Guide on Remote Patch and Vulnerability Management to help agencies better manage their remote devices.
How often will CISA add new vulnerabilities to the catalog?
CISA will add new vulnerabilities to the catalog when our team identifies a vulnerability that meets the following conditions:
- Has an assigned Common Vulnerabilities and Exposures (CVE) ID.
- There is reliable evidence that the vulnerability has been actively exploited in the wild.
- There is a clear remediation action for the vulnerability, such as a vendor provided update.
Based on historical data, we anticipate that less than 4% of the total number of vulnerabilities identified in a calendar year will be escalated to the Known Exploited Vulnerability (KEV) catalog. We expect that the number of KEVs will expand annually, because there is a significant increase in the number of new CVEs each year. This is due both to the increase in the number and capabilities of threat actors and the greater scrutiny being performed by security researchers.
What’s the difference between a High or Critical CVE and a Known Exploited Vulnerability (KEV)?
CVEs are currently scored under the CVSS system, which does not take into consideration whether a vulnerability has ever been used to exploit a system in the wild. Many CVEs with high and critical CVSS scores are very complex, may require special conditions or permissions, and have only been demonstrated in labs. Known Exploited Vulnerabilities (KEVs) are a subset of CVEs which have been used to compromise systems in the real world. Known Exploited Vulnerabilities are real threats that are being leveraged against systems right now.
Aren’t agencies already required to patch against all CVEs? What’s the point of creating a new patching requirement? Should my organization still use CVSS for prioritization?
Agencies are not required to patch all CVEs. To be effective, vulnerability management programs must take active threats into consideration. CISA encourages all stakeholders to leverage the CISA catalog of known exploited vulnerabilities and to prioritize these vulnerabilities for immediate remediation. CISA acknowledges CVSS scoring should still be a part of an organization’s vulnerability management efforts, especially with machine-to-machine communication and large-scale automation.
How should agencies report vulnerabilities in federal information systems hosted in third-party environments (such as the Cloud)?
CISA is working closely with FedRAMP to coordinate the response to this directive with FedRAMP Authorized cloud service providers (CSPs). CISA is also aware of third parties providing services for federal information systems subject to this directive that may not be covered by a FedRAMP authorization.
Each agency is responsible for maintaining an inventory of its information systems hosted in third-party environments (FedRAMP Authorized or otherwise) and working with service providers directly for status updates pertaining to, and to ensure compliance with, this Directive.
For reporting purposes:
- If the affected third-party service provider is another federal entity, the agency providing the service is responsible for submitting status reports under this Directive to CISA. The agency receiving the service may not have any further reporting obligation for that specific system.
- If the affected third-party service provider is a commercial provider (FedRAMP Authorized or otherwise), the service provider must report the status of outstanding vulnerabilities to the agency receiving the service. The agency receiving the service is then responsible for any reporting required by this Directive. Agencies remain responsible for engaging their service providers directly, as needed, to ensure compliance with this Directive.
This is a comprehensive catalog of vulnerabilities that carry unacceptable risk to the federal enterprise. Will that information be shared in some manner with the public and private sector?
CISA maintains the inventory of vulnerabilities that carry unacceptable risk to the federal enterprise at https://cisa.gov/known-exploited-vulnerabilities-catalog and will alert agencies and its partners of updates for awareness and action, including all mitigation timelines.
We strongly encourage every organization to sign up for notifications of updates to the CISA catalog and remediate all the vulnerabilities it lists.
Resources and Contact Information
- General information, assistance, and reporting – email@example.com
- Click here for CISA managed catalog of known exploited vulnerabilities
- Click here to sign up for automatic alerts when new vulnerabilities are added to the catalog