CISA’s ‘Must Patch’ List Puts Spotlight on Vulnerability Management Processes

The U.S. Cybersecurity and Infrastructure Security Agency’s catalog of known exploited vulnerabilities can be useful not only for helping organizations patch high-risk vulnerabilities in their systems, but also to help them build or improve vulnerability management processes.

When CISA announced the Known Exploited Vulnerabilities Catalog in November, it listed roughly 300 security holes. Another 50 vulnerabilities have been added to the list since its launch.

CISA has confirmed for SecurityWeek that all vulnerabilities included in the catalog have been exploited in real world attacks, even if in some cases there do not appear to be any public reports of malicious exploitation.

The launch of the list was accompanied by Binding Operational Directive (BOD) 22-01, which requires federal civilian agencies to identify and address known exploited vulnerabilities within defined timeframes — newer flaws need to be patched within two weeks while older issues must be fixed within six months.

[Image: CISA Known Exploited Vulnerabilities Catalog]

BOD 22-01 also requires agencies to report on the status of vulnerabilities listed in the catalog.

CISA told SecurityWeek that formal reporting will begin in the coming weeks, and the agency has clarified that those who fail to meet the deadlines are not penalized.

“CISA works with agencies on an ongoing basis to help them understand cyber directive requirements, ensure they are making progress based on the timelines set, and identify and resolve any potential challenges they may face,” explained a CISA spokesperson.

“Agencies are required by federal law to comply with CISA directives,” they added. “In cases where an agency does not fully comply within a required timeframe, CISA works closely with senior agency leadership to address any constraints and ensure prompt adherence.”

Hank Schless, senior manager of security solutions at mobile security firm Lookout, noted that non-compliance with the BOD “could be detrimental to the organization, its customers or users, and our national security.”

On the other hand, Schless said, “It’s encouraging to see that CISA is willing to work with those organizations that are having difficulty complying rather than penalizing them. If there’s a legitimate reason that certain groups can’t manage all of these vulnerabilities in their infrastructure, it’s better to help them get it resolved versus putting them on the chopping block. This type of collaboration makes everyone safer, and more broadly across the cybersecurity industry this type of cooperative work has proven to make both public and private sector organizations more secure.”

CISA said agencies have taken action to ensure compliance with the directive, and also pointed out that many are not only working to patch the exploited vulnerabilities, but also building a new vulnerability management process.

“Actions to remediate these known exploited vulnerabilities build on years of tremendous work by the federal government and are part of a broader effort to enable federal agencies, as well as public and private sector organizations, to improve vulnerability management practices and dramatically reduce their exposure to cyberattacks,” CISA told SecurityWeek.

Alex Iftimie, co-chair of Morrison & Foerster’s Global Risk and Crisis Management group, believes that “success has to be measured not just by cleaning house on previously identified vulnerabilities, but by creating a repeatable process to inventory software in your environment, stay on top of newly disclosed vulnerabilities, and patch vulnerabilities within agreed-upon timeframes.”
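A concrete form of the repeatable process Iftimie describes, applied to the BOD 22-01 due dates mentioned earlier, as an added example that is not part of the original article or of any CISA tooling: it cross-checks a constructed software inventory against constructed KEV-style records and flags the unremediated entries that are past their due date. The record field names (cveID, vendorProject, product, dateAdded, dueDate) are assumed to mirror the public KEV JSON feed; the CVE ids, host names and dates are placeholders.

```python
from dataclasses import dataclass
from datetime import date

# Constructed KEV-style records; field names are assumed to mirror the public KEV JSON
# feed. CVE ids are placeholders; due dates illustrate the directive's two-week and six-month windows.
KEV_SAMPLE = [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
     "product": "ExampleVPN", "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
     "product": "ExampleMail", "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor",
     "product": "OtherDB", "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
]

# Constructed inventory: the product each host runs and the CVEs the patch
# tracker already records as remediated on that host.
INVENTORY = [
    {"host": "vpn-gw-01", "vendorProject": "ExampleVendor", "product": "ExampleVPN", "remediated": set()},
    {"host": "mail-01", "vendorProject": "ExampleVendor", "product": "ExampleMail", "remediated": {"CVE-0000-0002"}},
    {"host": "mail-02", "vendorProject": "ExampleVendor", "product": "ExampleMail", "remediated": set()},
]

@dataclass
class Finding:
    host: str
    cve_id: str
    due: date
    days_overdue: int  # negative while the deadline is still ahead

def open_findings(kev, inventory, today_iso):
    """One Finding per (host, KEV entry) pair not yet remediated, most overdue first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for entry in kev:
            same_product = (entry["vendorProject"], entry["product"]) == (asset["vendorProject"], asset["product"])
            if not same_product or entry["cveID"] in asset["remediated"]:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append(Finding(asset["host"], entry["cveID"], due, (today - due).days))
    return sorted(findings, key=lambda f: f.days_overdue, reverse=True)

def overdue(findings):
    """The subset a BOD 22-01 status report must call out as past due."""
    return [f for f in findings if f.days_overdue > 0]

if __name__ == "__main__":
    for f in open_findings(KEV_SAMPLE, INVENTORY, "2021-12-01"):
        state = f"{f.days_overdue} days overdue" if f.days_overdue > 0 else "within deadline"
        print(f"{f.host:10} {f.cve_id}  due {f.due}  {state}")
```

Feeding the real catalog in place of KEV_SAMPLE only requires that the inventory use the same vendor and product spelling as the feed, which in practice is the hardest part of the matching.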

Alan Brill, senior managing director with Kroll’s Cyber Risk practice, said an effective strategy for organizations is to balance investment in vulnerability management, threat intelligence, and detection and response capabilities.

“[Organizations] need to be able to detect, identify, and prioritize critical vulnerabilities based on their own digital footprint, as well as confidently respond. Striking this balance will minimize potential damage caused by attackers, regardless of how they got in,” Brill explained.

According to Bud Broomhead, CEO at Viakoo, a provider of automated IoT cyber hygiene, the fact that agencies are working on building new vulnerability management processes is “exactly the right focus.”

“In the long run having more automation and process around vulnerability remediation provides better protection and resiliency against future cyber threats,” Broomhead told SecurityWeek. “This emphasis makes sure that meeting the CISA BOD’s requirements is not a ‘one and done’, but instead leads to more efficient and ongoing cyber protection to remediate all cyber vulnerabilities.”

Tal Morgenstern, co-founder and CPO at cyber risk management company Vulcan Cyber, believes both public and private organizations “must follow CISA’s lead now and dedicate meaningful resources into improving vulnerability management program maturity with the objective to drive risk mitigation outcomes.”

John Slye, federal market analyst at project management solutions provider Deltek, said CISA’s catalog of known exploited vulnerabilities can have both operational and financial impacts on government contractors.

On one hand, these contractors will need to work with agencies and supply chain vendors to ensure that the requirements of the BOD are met. They might also need to make changes to contracts or service level agreements, and the operational cost of compliance might need to be absorbed by the contractor.

On the other hand, Slye pointed out, “the elements of CISA’s directive that require agencies to review and improve their internal vulnerability management procedures and remediation processes may spur some new business opportunities for contractors that specialize in these areas. Agencies look to these companies for help in upping their game and these opportunities may increase in parallel with the number and scope of cybersecurity directives that are issued.”

Related: Risk-Based Vulnerability Management is a Must for Security & Compliance

Related: CISA Adds Zoho, Qualcomm, Mikrotik Flaws to ‘Must-Patch’ List

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.