Binding Operational Directive 22-01 - Reducing the Significant Risk of Known Exploited Vulnerabilities


November 3, 2021

This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 22-01 - Reducing the Significant Risk of Known Exploited Vulnerabilities.

A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.

Section 3553(b)(2) of title 44, U.S. Code, authorizes the Secretary of the Department of Homeland Security (DHS) to develop and oversee the implementation of binding operational directives.

Federal agencies are required to comply with DHS-developed directives.

These directives do not apply to statutorily defined “national security systems” nor to certain systems operated by the Department of Defense or the Intelligence Community.

Background

The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The federal government must improve its efforts to protect against these campaigns by ensuring the security of information technology assets across the federal enterprise. Vulnerabilities that have previously been used to exploit public and private organizations are a frequent attack vector for malicious cyber actors of all types. These vulnerabilities pose significant risk to agencies and the federal enterprise. It is essential to aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents.

This directive establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal enterprise https://cisa.gov/known-exploited-vulnerabilities and establishes requirements for agencies to remediate any such vulnerabilities included in the catalog. CISA will determine vulnerabilities warranting inclusion in the catalog based on reliable evidence that the exploit is being actively used to exploit public or private organizations by a threat actor. This directive enhances but does not replace BOD 19-02, which addresses remediation requirements for critical and high vulnerabilities on internet-facing federal information systems identified through CISA’s vulnerability scanning service.

Scope

This directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency’s behalf. These required actions apply to any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.

Required Actions

  1. Within 60 days of issuance, agencies shall review and update agency internal vulnerability management procedures in accordance with this Directive. If requested by CISA, agencies will provide a copy of these policies and procedures. At a minimum, agency policies must:

    a. Establish a process for ongoing remediation of vulnerabilities that CISA identifies, through inclusion in the CISA-managed catalog of known exploited vulnerabilities, as carrying significant risk to the federal enterprise within a timeframe set by CISA pursuant to this directive;

    b. Assign roles and responsibilities for executing agency actions as required by this directive;

    c. Define necessary actions required to enable prompt response to actions required by this directive;

    d. Establish internal validation and enforcement procedures to ensure adherence with this Directive; and

    e. Set internal tracking and reporting requirements to evaluate adherence with this Directive and provide reporting to CISA, as needed.

  2. Remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog. The catalog will list exploited vulnerabilities that carry significant risk to the federal enterprise with the requirement to remediate within 6 months for vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021 and within two weeks for all other vulnerabilities. These default timelines may be adjusted in the case of grave risk to the Federal Enterprise.

  3. Report on the status of vulnerabilities listed in the repository. In line with requirements for the Continuous Diagnostics and Mitigation (CDM) Federal Dashboard deployment and OMB annual FISMA memorandum requirements, agencies are expected to automate data exchange and report their respective Directive implementation status through the CDM Federal Dashboard. Initially agencies may submit quarterly reports through CyberScope submissions or report through the CDM Federal Dashboard. Starting on October 1, 2022, agencies that have not migrated reporting to the CDM Federal Dashboard will be required to update their status through CyberScope bi-weekly.

CISA Actions

  1. Maintain the catalog of known exploited vulnerabilities at https://cisa.gov/known-exploited-vulnerabilities and alert agencies of updates for awareness and action.
  2. CISA will publish the thresholds and conditions for including and adding vulnerabilities to the catalog at https://cisa.gov/known-exploited-vulnerabilities.
  3. As necessary following the issuance of this Directive, CISA will review this Directive to account for changes in the general cybersecurity landscape and consider issuing Supplemental Direction to incorporate additional vulnerability management best practices for federal information systems.
  4. Annually, by the end of each fiscal year, provide a status report to the Secretary of Homeland Security, the Director of the Office of Management and Budget (OMB), and the National Cyber Director identifying cross-agency status and outstanding issues in implementation of this Directive.

Frequently Asked Questions

What is the difference between vulnerabilities listed in the National Vulnerability Database (NVD) and those in CISA’s catalog of Known Exploited Vulnerabilities (KEVs)?

The NVD lists all publicly known vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned. The NVD database currently includes more than 160,000 unique CVEs, and is constantly growing. Each vulnerability is scored based on several factors, including impact and ease of execution. However, the Common Vulnerability Scoring System (CVSS) base score does not account for whether the vulnerability is actually being used to attack systems. Our experts have observed that attackers do not rely only on “critical” vulnerabilities to achieve their goals; some of the most widespread and devastating attacks have included multiple vulnerabilities rated “high”, “medium”, or even “low”. This methodology, known as “chaining”, uses lower-score vulnerabilities to first gain a foothold, then exploits additional vulnerabilities to escalate privilege on an incremental basis.

Also, many vulnerabilities classified as “critical” are highly complex and have never been seen exploited in the wild - in fact, less than 4% of the total number of CVEs have been publicly exploited. But threat actors are extremely fast to exploit their vulnerabilities of choice: of those 4% of known exploited CVEs, 42% are being used on day 0 of disclosure; 50% within 2 days; and 75% within 28 days.

What is more important to remediate first – critical and high or known exploited vulnerabilities?

Known exploited vulnerabilities should be the top priority for remediation. Based on a study of historical vulnerability data dating back to 2019, less than 4% of all known vulnerabilities have been used by attackers in the wild. Rather than have agencies focus on thousands of vulnerabilities that may never be used in a real-world attack, BOD 22-01 shifts the focus to those vulnerabilities that are active threats. CISA acknowledges CVSS scoring can still be a part of an organization’s vulnerability management efforts, especially with machine-to-machine communication and large-scale automation. Keep in mind that this Directive is intended to help agencies prioritize their remediation work; it does not release them from any of their compliance obligations, including the resolution of other vulnerabilities.

With extended telework, most of our workstations are remote and hard to update, does CISA have any recommendations for updating roaming and nomadic devices?

Recent increases in teleworking have amplified these issues and made updating and securing remote and roaming devices more challenging. CISA has published a Capacity Enhancement Guide on Remote Patch and Vulnerability Management to help agencies better manage their remote devices. 

How often will CISA add new vulnerabilities to the catalog?

CISA adds new vulnerabilities to the catalog when our team identifies a vulnerability that meets the following conditions:

  • Has an assigned Common Vulnerabilities and Exposures (CVE) ID.
  • There is reliable evidence that the vulnerability has been actively exploited in the wild.
  • There is a clear remediation action for the vulnerability, such as a vendor provided update.

We expect that the number of Known Exploited Vulnerabilities will expand over time, because there is a significant increase in the number of new CVEs each year. This is due both to the increase in the number and capabilities of threat actors and the greater scrutiny being performed by security researchers.

What’s the difference between a High or Critical CVE and a Known Exploited Vulnerability (KEV)?

CVEs are currently scored under the CVSS system, which does not take into consideration whether a vulnerability has ever been used to exploit a system in the wild. Many CVEs with high and critical CVSS scores are very complex, may require special conditions or permissions, and have only been demonstrated in labs. Known Exploited Vulnerabilities (KEVs) are a subset of CVEs which have been used to compromise systems in the real world.

Aren’t agencies already required to update all CVEs? What’s the point of creating a new updating requirement? Should my organization still use CVSS for prioritization?

Agencies are not required to update all CVEs. To be effective, vulnerability management programs must take active threats into consideration. CISA encourages all stakeholders to leverage the CISA catalog of known exploited vulnerabilities and to prioritize these vulnerabilities for immediate remediation. CISA acknowledges CVSS scoring should still be a part of an organization’s vulnerability management efforts, especially with machine-to-machine communication and large-scale automation.

When affected assets cannot be updated per vendor recommendations, are there alternative mitigation actions available?

Aside from removing affected assets from the network, the only known technical mitigation to these vulnerabilities is to apply the required actions listed in the catalog. If these actions cannot be accomplished within the required timeframe, you must remove the asset from the agency network. An asset that cannot be updated is most likely a legacy unsupported asset with very high operational uptime requirements.

Isolation is a form of removal from the network that minimizes direct access to critical software, critical software platforms, and associated data. Depending on your security and network architectures, this strategy can be highly effective at stopping threats against vulnerable devices. Organizations need to be prepared to implement isolation methods when needed and to undo the isolation after applying the necessary patch(es) in order to restore regular device access and functionality. Depending on your environment, appropriate isolation techniques may include decommissioning, removal of the vulnerable software product, network segmentation, isolation, software-defined perimeters, and proxies.

Why might a KEV not yet be listed in the National Vulnerability Database (NVD)?

Sometimes third-party organizations release advisories about a CVE ID before details on that CVE are published in the CVE list. A CVE will not be available in the NVD if it has a status of reserved. You can check https://cve.mitre.org/cve/search_cve_list.html to confirm whether the CVE is in “reserved” status.

A CVE Record is marked as “reserved” when it has been reserved for use by a CVE Numbering Authority (CNA) or security researcher, but the details of it are not yet published by the CNA. Reserved is the initial state for a CVE Record.

A CVE Record can change from the "reserved" state to being published at any time based on a number of factors both internal and external to the CVE List. Once the CVE Record is published with details on the CVE List, it will become available in the NVD. As one of the final steps in the process, the NVD Common Vulnerability Scoring System (CVSS) scores for the CVE Records are assigned by the NIST NVD team (https://www.cve.org/ResourcesSupport/FAQs).

How do we leverage CISA provided tools to help find CVEs in the KEV Catalog?

In December 2021, CDM released specialized visualizations and dashboards that clearly identify known exploited vulnerabilities to federal agencies. This is provided by having the CDM dashboard enrich agency vulnerability reporting using the KEV/BOD feed that CISA maintains. This ensures that when new KEVs are added to the CISA repository, they are automatically provided to the CDM platform and can be tagged within the CDM reporting process without any manual intervention by the end user. CDM had previously implemented a “heightened” vulnerability flag for scenarios such as this, called the “Federal Vulnerability Action” (FVA); going forward this flag is exclusively used to mirror the KEVs to ensure functionality parity.

These features are available to any agency that has an operational CDM Agency Dashboard that is being fed vulnerability information from CDM tools and sensors. For more detailed information please reach out to your CDM portfolio team.

The CISA Cyber Hygiene (CyHy) team is currently working on adding the capability to highlight KEVs in the weekly Vulnerability Scanning reports as well as to send out ad-hoc alerts within 24 hours of a KEV being newly detected on an agency asset. Please keep in mind that CyHy VS is only able to detect vulnerabilities from outside your network, so CVEs that require internal access or credentials to detect will not be found in your CyHy VS reports, even if that CVE may exist on your network.

Will CISA approve a waiver if our agency faces severe difficulty implementing a specific patch?

CISA does not issue waivers or exceptions for actions required in cyber directives. Please let CISA (CyberDirectives@cisa.dhs.gov) know any special use cases as soon as possible so that we can work with your agency to understand the challenge, the options for mitigation, and estimated remediation timeframe.

How will CISA encourage Cloud Service Providers (CSPs) to commit to doing their part to patch these KEVs? How should agencies report vulnerabilities in federal information systems hosted in third-party environments (such as the Cloud)?

CISA is working closely with FedRAMP to coordinate the response to this Directive with FedRAMP Authorized cloud service providers (CSPs). FedRAMP Authorized CSPs have been informed to coordinate with their agency customers. CISA is also aware of third parties providing services for federal information systems subject to this Directive that may not be covered by a FedRAMP authorization.

Each agency is responsible for inventorying all their information systems hosted in third-party environments (FedRAMP Authorized or otherwise) and contacting service providers directly for status updates pertaining to, and to ensure compliance with, this Directive.

If instances of affected versions have been found in a third-party environment, reporting and remediation obligations will vary based on the type of the service provided and whether the provider is another federal agency or a commercial provider.

For reporting purposes:

  • If the affected third-party service provider is another federal entity, the agency providing the service is responsible for submitting status reports under this Directive to CISA. The agency receiving the service may not have any further reporting obligation for that specific system.
  • If the affected third-party service provider is a commercial provider (FedRAMP Authorized or otherwise), the service provider must report the status of outstanding vulnerabilities to the agency receiving the service. The agency receiving the service is then responsible for any reporting required by this Directive. Agencies remain responsible for engaging their service providers directly, as needed, to ensure compliance with this Directive.

How did CISA determine Active Exploitation?

CISA primarily receives exploitation information directly from security vendors, researchers, and partners. CISA also obtains exploitation information through U.S. Government and international partners, via open-source research performed by CISA analysts, and through third-party subscription services.

When informed of active exploitation directly by a security vendor, security researcher, or partner (including U.S. and international government agencies), CISA meets with the reporting entity to discuss the exploitation evidence. CISA adds the reported actively exploited vulnerabilities to the KEV catalog, provided they meet BOD 22-01 requirements. Exploited vulnerabilities CISA uncovers through incident response efforts are also added to the KEV catalog.

CISA analysts perform daily open-source searches for vulnerabilities. Active exploitation information obtained from vendor security advisories is treated as a trusted source and considered accurate. When cybersecurity news outlets, academic papers, cybersecurity company press releases (not from the affected vendor), etc., report active exploitation, CISA reviews the wording and original source citations for the exploitation for accuracy and reliability. If the information is reliable, CISA adds the vulnerability to the KEV catalog; if CISA does not consider the information 100% accurate, CISA does not add the vulnerability to the KEV catalog (however, CISA internally notes the vulnerability and will add it to the catalog should further exploitation evidence come to light that justifies its inclusion).

CISA also has purchased subscription services for threat intelligence platforms that contain information on vulnerabilities, including honeypot detection, malware observations in the wild, threat intelligence reports, etc. Similar to the open-source research procedures, CISA reviews the information from the platforms and adds the vulnerability to the KEV catalog, if the information is reliable. 

How quickly does CISA update the KEV catalog after a new in-scope vulnerability is identified?

CISA updates the KEV catalog within 24 hours of known exploitation evidence.

There is an older CVE being added to the KEV catalog. Is CISA seeing an active exploitation for it?

Addition of a vulnerability to the KEV catalog does not indicate that CISA is observing current active exploitation. If there is accurate reporting of active exploitation, any vulnerability, despite its age, can qualify for KEV catalog addition.

Why are old CVEs and/or end-of-life products being added to the KEV catalog?

CISA does not assume that all running legacy products are fully patched. CISA also does not assume that all end-of-life products have been decommissioned. 

The absence of evidence of exploitation currently occurring does not preclude a vulnerability from being exploited in the future. If an actor is targeting your network and you have a vulnerable legacy product, they may use that vulnerability to their advantage.

Is there a PoC available? OR We don’t see a PoC for this vulnerability.

Although the percentage of listed vulnerabilities with PoCs may be high, an available PoC is not a requirement for addition to the KEV catalog. 

A vulnerability in the KEV catalog has a specific vendor and product listed. However, this product is embedded into a third-party product provided by a different security vendor and they did not provide a patch. How should I proceed?

CISA provides the original vendor and product attached to a particular vulnerability along with the original vendor-provided patch. If your environment contains a third-party product from a different security vendor, you will need to contact that vendor directly to obtain the patch.

A plug-in and/or our research shows a different vendor/product for this CVE ID than what is listed on the KEV catalog. What is the correct product to patch?

CISA aims to publish the most up-to-date information available when adding a vulnerability to the KEV catalog; however, for some products, it is difficult to determine where the vulnerability resides. If multiple products are attributed to the same CVE ID, CISA recommends that, where applicable, users patch all associated products with that CVE ID.

Does CISA ever remove entries from the KEV catalog?

CISA will only remove a vulnerability if the vendor’s security update for that vulnerability causes a significant unforeseen issue with greater impact than the vulnerability itself. Once the vendor resolves the issue, the vulnerability will be restored to the catalog.

How can I use the KEV catalog at my organization?

CISA recommends organizations use the KEV catalog in conjunction with a vulnerability scoring framework that evaluates exploitation status, such as the Stakeholder-Specific Vulnerability Categorization (SSVC) model. Doing so will help inform decisions about prioritizing vulnerability management activities. Active exploitation of a vulnerability is a widely accepted risk factor and should be considered in vulnerability management activities. Organizations should also consider using automated vulnerability and patch management tools that automatically incorporate and flag or prioritize KEV vulnerabilities. Examples of such tools include CISA's cyber hygiene services, Palo Alto Networks Cortex, Tenable Nessus, Runecast, Qualys VMDR, Wiz, Rapid7 InsightVM, and Rapid7 Nexpose. Organizations with additional tools that are incorporating KEV vulnerabilities can be added to this list by emailing CISA.JCDC@CISA.DHS.GOV.

The KEV catalog can play a role in your vulnerability management program but should not be the only factor. It can serve as a great starting point if you do not yet have a vulnerability management program in place. CISA strongly recommends organizations have updated asset inventory information to best determine the software and hardware products that are currently in your environment and to identify the KEV catalog vulnerabilities that directly affect your organization. 
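As an added example (not CISA's tooling or part of the Directive), the following script applies the default remediation timelines from Required Action 2 (6 months for CVE IDs assigned before 2021, two weeks otherwise, unless CISA sets an explicit due date) and the KEV-first prioritization this answer recommends, by cross-referencing scanner findings against a catalog feed. The field names cveID, dateAdded and dueDate are assumed to follow CISA's published KEV JSON feed; the CVE IDs and asset names are constructed placeholders, not real vulnerabilities.

```python
import re
from datetime import date, timedelta

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")

# Constructed sample in the shape of the KEV feed (placeholder IDs, not real CVEs).
SAMPLE_KEV = [
    {"cveID": "CVE-2019-99990", "dateAdded": "2021-11-03"},                        # pre-2021 ID: 6 months
    {"cveID": "CVE-2021-99991", "dateAdded": "2021-11-03"},                        # 2021 ID: two weeks
    {"cveID": "CVE-2020-99992", "dateAdded": "2021-11-03", "dueDate": "2021-11-10"},  # CISA-adjusted due date
]
# Constructed scanner output: (asset, CVE ID). The last finding is not in the catalog.
SAMPLE_FINDINGS = [
    ("web-01", "CVE-2021-99991"),
    ("db-02", "CVE-2019-99990"),
    ("vpn-03", "CVE-2020-99992"),
    ("web-01", "CVE-2018-99999"),
]


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the length of the target month."""
    years, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, m + 1
    next_first = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last_day = (next_first - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def default_due_date(cve_id: str, date_added: date) -> date:
    """BOD 22-01 default timeline: 6 months if the CVE ID year is before 2021,
    otherwise two weeks, both counted from the date the entry was added."""
    m = CVE_RE.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE ID: {cve_id}")
    if int(m.group(1)) < 2021:
        return add_months(date_added, 6)
    return date_added + timedelta(days=14)


def kev_index(entries) -> dict:
    """Map cveID -> due date. An explicit dueDate (CISA may shorten the default
    for grave risk) wins; otherwise the default rule applies."""
    index = {}
    for e in entries:
        added = date.fromisoformat(e["dateAdded"])
        explicit = e.get("dueDate")
        index[e["cveID"]] = date.fromisoformat(explicit) if explicit else default_due_date(e["cveID"], added)
    return index


def prioritize(findings, kev: dict, today: date) -> list:
    """Keep only findings whose CVE is in the KEV catalog, ordered by due date
    so overdue items (negative days_left) come first."""
    hits = sorted((kev[cve], asset, cve) for asset, cve in findings if cve in kev)
    return [{"asset": a, "cve": c, "due": d.isoformat(), "days_left": (d - today).days}
            for d, a, c in hits]


def demo(today: date = date(2021, 11, 12)) -> list:
    return prioritize(SAMPLE_FINDINGS, kev_index(SAMPLE_KEV), today)


if __name__ == "__main__":
    for row in demo():
        print(row)
```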