CISA issued a new directive on Wednesday that forces federal civilian agencies to remediate at least 306 vulnerabilities commonly exploited during attacks. CISA officials emphasized that the catalog was focused on vulnerabilities they said were “causing harm now” but would also be used as a running list of prioritized vulnerabilities based on their evolving understanding of adversary activity.
Each vulnerability has its own remediation due date: some must be mitigated by November 17 and others by May 3, 2022.
Binding Operational Directive (BOD) 22-01 — titled “Reducing the Significant Risk of Known Exploited Vulnerabilities” — applies to all software and hardware found on federal information systems, according to the release. That includes vulnerabilities affecting both internet-facing and non-internet-facing assets, as well as assets managed on an agency’s premises or hosted by third parties on an agency’s behalf.
CISA officials also urged private businesses and state, local, tribal and territorial governments to address the vulnerabilities in the list and to sign up for notifications when new vulnerabilities are added.
CISA Director Jen Easterly said that while the directive only applies to federal civilian agencies, all organizations should “prioritize mitigating vulnerabilities listed on our public catalog, which