BOD 22-01 requires a new approach to vulnerability management

Public sector organizations need full lifecycle vulnerability management to meet the requirements of Binding Operational Directive (BOD) 22-01. With attack surface visibility and exposure management, organizations can better prioritize vulnerability remediation.

Public sector organizations face unique challenges managing their security posture

The fact that 2021 saw record-breaking new vulnerabilities and witnessed prolific threat actors such as the Lapsus$ cybercriminal collective causing devastating damage is a warning to organizations everywhere.

Cybercrime spares no country or organization, a reminder to U.S. public sector organizations, which face unique challenges in defending against cyber risk. The most affected organizations have multiple physical locations and hybrid and multi-cloud environments.

These challenges point to the need for full lifecycle vulnerability management, which can be especially difficult to navigate due to a lack of visibility and context across the entire attack surface. Siloed, fragmented, and decentralized environments, along with disparate teams, systems, and technologies, especially restrict an organization’s view and its ability to identify and address exposures, placing it at varying levels of risk.

Compounding these challenges, U.S. public sector organizations must adhere to government mandates such as the Security Technical Implementation Guide (STIG) configuration standards and Binding Operational Directive BOD 22-01, issued by the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA), which require remediating a prioritized list of known and exploited vulnerabilities within aggressive timelines.

These mandates represent a complex undertaking, especially given the shortage of specialized cybersecurity resources and talent for cyber risk management.

What the binding operational directive means for public sector agencies

Binding Operational Directive BOD 22-01 – Reducing the Significant Risk of Known Exploited Vulnerabilities was issued by the Cybersecurity and Infrastructure Security Agency (CISA) to federal and executive branch departments and agencies to ensure that federal information and systems are protected from cyber-attacks. Because the Department of Homeland Security (DHS) is authorized to develop and oversee the implementation of Binding Directives, federal agencies are required to comply with this Directive. [1]

The Directive outlines numerous required actions for federal agencies:

  1. Within 60 days, agencies must review and update their vulnerability management policies and procedures according to the Directive, and, if requested, provide a copy of these policies and procedures, detailing the following:
    1. A process for ongoing remediation of vulnerabilities identified in CISA’s catalog of known exploited vulnerabilities within a time period set by CISA;
    2. Roles and responsibilities assigned for executing the Directive’s required actions;
    3. Necessary actions to respond promptly to the Directive’s required actions;
    4. Internal validation and enforcement procedures to ensure compliance with the Directive; and
    5. Internal tracking and reporting requirements to evaluate compliance with the Directive and provide reporting to CISA, as needed.
  2. Agencies must remediate each vulnerability according to the timelines in CISA’s vulnerability catalog: within 6 months for vulnerabilities assigned a Common Vulnerabilities and Exposures (CVE) ID prior to 2021 (currently totaling 655), and within two weeks for all other vulnerabilities.

Agencies must report on the status of the vulnerabilities listed and are expected to automate data exchange and report their Directive implementation status through the Continuous Diagnostics and Mitigation (CDM) Federal Dashboard. [1]

Meet BOD 22-01 requirements: Prioritize the most dangerous, exposed vulnerabilities first

Clearly, meeting the requirements of this Directive can become a tremendous undertaking for federal agencies, especially as the unique CVEs could represent millions of vulnerability occurrences across an agency’s complex IT estate.

When so many vulnerabilities are present at the same time, it is imperative to focus on those that are most exposed to potential attack. Skybox Security’s unique four-step prioritization and risk scoring methodology analyzes data derived through exposure analysis, CVSS severity, importance of the asset, and the exploitability of the vulnerability. This insight helps agencies comply with BOD 22-01 and prioritize remediation efforts by focusing on the vulnerability occurrences that could be most harmful. Network-based compensating controls, such as IPS signatures or firewall rule modification, reduce the risk of imminent attacks, giving security teams the time needed to plan and deploy patches or update software.

To get comprehensive visibility of the continuously evolving attack surface as well as comply with this Directive, federal agencies need a solution that enables them to visualize and analyze hybrid, multi-cloud, and OT networks, gaining full context and understanding of their attack surface. Our Security Posture Management Platform does this and is the only platform that does.


Reduce compliance and vulnerability risks in the public sector

Manage your attack surface, adopt a Zero Trust approach, and comply with BOD 22-01 with the Skybox Security Posture Management Platform.

How the Skybox Security Posture Management Platform helps federal agencies comply with Binding Operational Directive 22-01

With the Skybox platform, federal agencies can easily adhere to the required actions of Binding Operational Directive 22-01, as well as benefit from cost savings, efficiency, and overall risk reduction. They will attain visibility and context across the entire expanding attack surface, save on operating expenses by avoiding non-compliance penalties, reduce risk through prioritized vulnerability remediation and gain time for patch deployment through network-based compensating controls.


Assess cyber risk, gain insight, make smart cybersecurity decisions

Take a risk-based approach to cybersecurity. Reduce cyber risk and out-maneuver cybercriminals with complete context and understanding of your attack surface.

  1. Binding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, CISA, November 3, 2021.