Skip to content

A Step in the Right Direction – Binding Operation Directive 22-01

On November 3rd, 2021, the Cybersecurity and Infrastructure Security Agency released Binding Operational Directive 22-01, a compulsory direction with the goal of systematizing and standardizing vulnerability remediation across federal agencies except for defined “national security systems” and “certain systems operated by the Department of Defense or Intelligence Community.”

This new directive requires agencies to update vulnerability management procedures, remediate cataloged vulnerabilities according to the set timeline, and to report on the status of each cataloged vulnerability. Agencies were given two weeks to address specified exploits identified in 2021, and six months for exploits identified before 2021.

New vulnerabilities will be added to the Known Exploited Vulnerabilities catalog as CISA identifies a vulnerability that has been assigned a Common Vulnerabilities and Exposures ID, there is reliable evidence that the vulnerability has been exploited, and there is a clear path to remediation for the vulnerability. 4% of all vulnerabilities annually are expected to be added to the catalog as most vulnerabilities are not exploited in the wild. CISA hopes to shift “the focus to those vulnerabilities that are active threats.”

While BOD 22-01 only applies to specified federal agencies, CISA hopes that local, state, and private entities will use the KEV catalog to inform their remediation procedures. TOPIA is uniquely positioned to assist organizations of all sizes and industries to remediate the most critical threats to their unique digital infrastructures because TOPIA prioritizes vulnerabilities based on context. Just as CISA now recognizes that it’s functionally impossible to remediate every CVE and the CVSS system is limited in its effectiveness, TOPIA has curtailed its reliance on these outdated methodologies from the outset. When it comes to prioritizing vulnerabilities, context is king.

More information regarding the CVSS system and CVEs can be found in previous articles:

Scoring Security Vulnerabilities: Introducing CVSS for CVEs

Understanding CVSS Scores

What’s the Difference between CVSS and CVE

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About vRx
vRx is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.