The Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 26-04: Prioritizing Security Updates Based on Risk, which requires federal civilian agencies to assess and align their vulnerability management policies to reduce cybersecurity risk across four criteria: Asset Exposure, Known Exploited Vulnerabilities (KEV) Status, Exploit Automation, and Post-Exploitation Technical Impact. The Directive consolidates, clarifies, and updates the urgency of vulnerability remediation, focuses agencies' patching efforts on the highest-risk vulnerabilities, and enhances efficiency for federal civilian agencies.
Cyber threat actors exploit unpatched vulnerabilities, and their use of AI may further narrow the window defenders have to react between patch release and exploitation. Harmonizing and improving BOD 19-02: Vulnerability Remediation Requirements for Internet-Accessible Systems and BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities (KEV), this Directive accounts for threat actor capability, an asset's deployment position on the network, the relative ease of the path to exploiting the vulnerability, and the consequences of a successful exploitation. Together, these factors give federal agencies a comprehensive risk picture for making informed decisions that significantly reduce risk without burdening IT managers with extra processes that do not change outcomes.
“CISA is empowering federal civilian agencies to focus their efforts on the areas of highest risk and defer patching lower priority vulnerabilities. This Directive provides clear definitions, timelines, and criteria that enhance transparency, predictability and agencies’ resource planning to execute more effective vulnerability remediation,” said Acting CISA Director Nick Andersen. “CISA continues our work to transform the federal enterprise to be more resilient to sophisticated and persistent cyber threats. CISA is leading and collaborating with federal civilian agencies to stay ahead of our adversaries as tactics, technologies and vulnerabilities change. While this Directive is a mandate for federal agencies, CISA strongly encourages all partners to adopt similar actions in their vulnerability management policy.”
This Directive is part of CISA’s response to a threat landscape in which AI software services can assist threat actors in finding and exploiting vulnerabilities. It adds expectations for when and how to check whether a vulnerable system was compromised by a threat actor before the patch was applied. Applying a patch generally does not evict a threat actor who is already present, so judiciously checking for existing compromise is vital to managing risk. In part, this Directive is also CISA’s response to feedback from federal agencies and stakeholders asking CISA to prioritize vulnerabilities on the KEV catalog.
As outlined in the Executive Order – Promoting Advanced Artificial Intelligence Innovation and Security, this Directive expedites and prioritizes the cyber defense of civilian Federal Government information systems. It is a significant step forward in reducing cybersecurity risk while enhancing efficiency.
As federal civilian agencies implement this Directive, CISA will monitor compliance, assess progress, and provide support to any agency as required. CISA remains committed to using its cybersecurity authorities to enhance visibility and drive timely risk reduction across the federal enterprise.