DHS CISA Binding Operational Directive 22-01 Report

On November 3rd, 2021, CISA issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities establishing a CISA managed catalog of known exploited vulnerabilities and requires federal civilian agencies to identify and remediate these vulnerabilities on their information systems. Tenable.sc allows organizations to quickly summarize and track specific vulnerabilities to ensure proper discovery and mitigation.  This report showcases progress in mitigation of these vulnerabilities to allow organizations to ensure a reduced attack surface.

The DHS site says:

The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The federal government must improve its efforts to protect against these campaigns by ensuring the security of information technology assets across the federal enterprise. Vulnerabilities that have previously been used to exploit public and private organizations are a frequent attack vector for malicious cyber actors of all types. These vulnerabilities pose significant risk to agencies and the federal enterprise. Aggressively remediating known exploited vulnerabilities is essential to protect federal information systems and reduce cyber incidents.

Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal enterprise  and establishes requirements for agencies to remediate any such vulnerabilities included in the catalog. CISA will determine vulnerabilities warranting inclusion in the catalog based on reliable evidence that the exploit is being actively used to exploit public or private organizations by a threat actor. This directive enhances but does not replace BOD 19-02, which addresses remediation requirements for critical and high vulnerabilities on internet-facing federal information systems identified through CISA’s vulnerability scanning service.

The CISA Known Exploited Vulnerabilities Catalog defined the vulnerabilities to be address by November 17th, 2021 (BOD 22-01). Tenable.sc assists the CISO in identifying actions needed to mitigate these vulnerabilities along with others identified in past due advisories. The CVE’s tracked by CISA in this report are subject to change and new reports will be provided as needed.

Tenable.sc uses active credentialed scanning and/or agent-based scanning to collect information needed to identify known exploitable vulnerabilities. Allowing the risk manager to work with asset owners to establish an ongoing remediation action plan, which demonstrate compliance with this directive.

The report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Threat Detection & Vulnerability Assessments.

The report requirements are: 

• Tenable.sc 5.19.1
• Nessus 8.15.2

Risk-based vulnerability management (RBVM) is a process that reduces vulnerabilities across the agency's attack surface by prioritizing remediation actions to the risks CISA identifies. Tenable.sc enables the agency to go beyond just discovering vulnerabilities, and provides the life cycle steps to establish internal validation and enforcement procedures that demonstrate adherence with this Directive.

Chapters

Executive Summary: The Executive Summary provides the operations team a quick view into NIA Compliance and Vulnerability Priority Rating (VPR) summary matrices. Using a series of tables and matrices this chapter provides an easy-to-understand view of the current state of the NIA compliance.

Roadblocks Currently Gating Remediation: This chapter tracks the top remediation actions that will have the most impact to resolve the tracked vulnerabilities in your environment and notes any blockers that may exist such as missing rollup packages or configurations requiring registry changes.

Vulnerability and Host Details: The Vulnerability and Host Details chapter includes a table that displays a full list of missing patches that need to be applied to remediate all the tracked vulnerabilities and the impacted hosts.