CISA Releases Binding Operational Directive with New Requirements for Remediating Critical and High Vulnerabilities

Today, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher Krebs issued Binding Operational Directive (BOD) 19-02, Vulnerability Remediation Requirements for Internet-Accessible Systems, to enhance federal agencies’ coordinated approach to ensuring effective and timely remediation of critical and high vulnerabilities in information systems.  

For the past several years, CISA has worked with federal agencies to identify, prioritize, and remediate critical vulnerabilities, driving a substantial decrease in vulnerabilities over time.  Recent reports from government and industry partners indicate the average time between discovery and exploitation of a vulnerability is decreasing, as today’s adversaries are more skilled, persistent, and able to exploit known vulnerabilities. CISA released BOD 19-02 to continue to take deliberate steps to reduce the overall attack surface and minimize the risk of unauthorized access to federal information systems.

BOD 19-02 introduces a shorter mitigation time frame for critical vulnerabilities and a new mitigation time frame for high vulnerabilities, to further reduce the attack surface and risk to federal agency information systems.

CISA’s authority to issue binding directives enables us to set requirements for federal agencies in specific, significant areas of cybersecurity.  While many agencies, based on risk management decisions, may look to exceed the directive’s actions and timelines, BOD 19-02 ensures that all agencies are at least meeting the directive requirements.  CISA encourages all partners, across all sectors, to set similar requirements – whether using the CISA directives or guidance from the National Institute for Standards and Technology (NIST).

CISA continues to dedicate resources to prioritize the remediation of vulnerabilities by issuing weekly reports, developing agency scorecards, sending interagency communications and FAQs, directly engaging federal executives, and encouraging Office of Management and Budget (OMB) actions when resource, budget, and cross-government trends require additional management support.

The federal government must continue to enhance our security posture, reduce risks posed by vulnerable internet-accessible systems, and build upon the success of past initiatives by advancing federal requirements for high and critical vulnerability remediation to further reduce the risk to federal agency information systems.

To view BOD 19-02, Vulnerability Remediation Requirements for Internet-Accessible Systems, please visit .