CISA issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, to evolve our approach to vulnerability management and keep pace with threat activity. The directive establishes a CISA-managed catalog of known exploited vulnerabilities and requires federal civilian agencies to identify and remediate these vulnerabilities on their information systems.
Although BOD 22-01 requires action from federal civilian agencies only, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments review and monitor the catalog and remediate the listed vulnerabilities to strengthen their security and resilience posture. Building collective resilience requires action across all stakeholders.
Thresholds and conditions for catalog updates:
CISA will update this catalog with additional exploited vulnerabilities as they become known, subject to an executive-level CISA review and provided they satisfy the following thresholds:
- The vulnerability has an assigned Common Vulnerabilities and Exposures (CVE) ID.
- There is reliable evidence that the vulnerability has been actively exploited in the wild.
- There is a clear remediation action for the vulnerability, such as a vendor-provided update.
To report newly exploited vulnerabilities that are not in this catalog, please email CISA Central at firstname.lastname@example.org.
Catalog of Known Exploited Vulnerabilities
Cybersecurity Incident and Vulnerability Response Playbooks
CISA published the Cybersecurity Incident and Vulnerability Response Playbooks, which provide federal civilian agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities. CISA also encourages private sector, critical infrastructure entities, and state, local, tribal, and territorial governments to review them to take stock of their response processes and procedures. The playbooks are additional tools that our federal partners, as well as those in industry, can use to ensure resilient architectures and systems and to protect against vulnerabilities being exploited.
The Incident Response Playbook applies to incidents that involve confirmed malicious cyber activity and for which a major incident has been declared or not yet been reasonably ruled out. Some examples include incidents involving lateral movement, credential access, or exfiltration of data; network intrusions involving more than one user or system; or compromised administrator accounts. The playbook includes a checklist for incident response and another for incident response preparation, and both can be adapted for use by organizations outside the federal government.
The Vulnerability Response Playbook applies to any vulnerability that is observed to be used by adversaries to gain unauthorized entry into computing resources (i.e., a known exploited vulnerability). It builds on CISA’s Binding Operational Directive 22-01 by standardizing the high-level process that agencies should follow when responding to these vulnerabilities that pose significant risk across the federal government. This playbook includes a checklist, which can easily be adapted by non-federal organizations, to track appropriate vulnerability response activities in four phases to completion.