When you see military tanks in the news, you should be thinking of BOD 22-01, because it is related to those military tanks, AND it directly affects you.
It’s impossible to turn on the news and not see military aggression, often with videos of tanks and fighter aircraft destroying targets and causing massive destruction. What you might not see is what the aggressors are doing behind the scenes in the virtual world. In the world of cyber warfare, you should be paying attention. You might not have a tank pointed at you, but you MAY be next on the list of cyber warfare targets. That’s a lot of what “BOD 22-01” is about. Let’s unpack this.
You may have heard the terms “BOD 22-01” and “CISA KEV” if you’re keeping track of what the US Government is doing to help protect critical computing infrastructure, and you might have some questions about it. Here’s a quick primer on what it is, how it relates to you, and how you can take practical action regarding it.
The United States faces increasingly active persistent and malicious cyber campaigns that target the public and private sectors and are designed to actively destroy the American people’s security, privacy, and ability to function. Think about it – every single critical need for daily life depends on the uninterrupted computing and data capabilities that form the undergirding framework of management of those needs. It’s not just your smartphone. It’s power, water, energy, communications, transport, supply chain, the Cloud… the whole works. The federal government is acting to improve its ability to protect against adversarial campaigns and malicious threat actors by improving the cyber security and hygiene of the IT computing ecosystem used by the federal enterprise. Proven, exploitable vulnerabilities are often used in adversarial campaigns as attack vectors for cyber threat actors, both state-sponsored and private. Therefore, it is imperative to quickly and effectively either mitigate or remediate known exploited vulnerabilities to protect computing infrastructure and reduce the attack surface exposed to cyber threats. That’s what BOD 22-01 is all about, aggressive action to minimize the attack surface of the USA computing ecosystem, and if it’s a critical concern for Uncle Sam, you can be assured it should be one for you, too.
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) first announced Binding Operational Directive 22-01 (BOD 22-01) on 3 November 2021. As the name suggests, a binding operational directive is a mandatory and explicit set of instructions given to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems. BOD 22-01 establishes a Known Exploited Vulnerabilities (KEV) catalog which lists vulnerabilities that CISA has identified as being exploited, or that have been used by threat actors. BOD 22-01 instructs Federal Civilian Executive Branch Agencies (FCEB) to remediate these vulnerabilities within a specified timeframe to protect federal infrastructure from cyber-attacks. What that means is that there ARE remediations that apply directly to those KEV. While BOD 22-01 is intended for Federal agencies, a growing number of organizations in the private sector have adopted the list as a guide for their vulnerability remediation programs, and we think that’s wise. In fact, we believe that it will soon become a plenary requirement for all organizations of any size.
CISA recently added 95 new vulnerabilities to the list of KEVs, bringing the total to 663 as of the writing of this article. Your organization should be working to remediate these as soon as possible, and you should first prioritize those that are most likely to be exploited. HCL BigFix has just released a new dashboard that is a breakthrough in reducing the amount of time and resources required to gather up all items in the KEV, link them to the correct content that applies to your specific environment (e.g., eliminating CVEs that don’t apply), and then automating the remediation of these vulnerabilities in the computing environment of virtually any size. By the way, I do NOT use the word “breakthrough” lightly. I ONLY use it if it is 10x better than doing it by other means. We can prove that it will save you MORE than 10x the time and resources to “follow BOD 22-01” for your organization.
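To make the matching step concrete, here is an added example (not BigFix code and not part of the original article) that intersects scanner findings with a KEV catalog and orders the result by remediation due date. The field names `cveID` and `dueDate` follow CISA's published KEV JSON feed; the CVE IDs, vendors, hosts and dates are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (placeholder CVE IDs).
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
   "product": "Mail Server", "dueDate": "2022-03-01"},
  {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
   "product": "VPN Gateway", "dueDate": "2022-04-15"},
  {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor",
   "product": "Browser", "dueDate": "2022-03-20"}
]}
"""

# Constructed scanner output: host -> CVEs detected on that host.
FINDINGS = {
    "web01": ["CVE-0000-0002", "CVE-0000-9999"],
    "mail01": ["CVE-0000-0001", "CVE-0000-0002"],
    "kiosk7": ["CVE-0000-9999"],
}

def kev_worklist(kev_json, findings, today):
    """Return KEV entries present in the environment, earliest due date first."""
    catalog = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    hosts_by_cve = {}
    for host, cves in findings.items():
        for cve in set(cves):
            if cve in catalog:  # drop findings that are not in the KEV catalog
                hosts_by_cve.setdefault(cve, []).append(host)
    rows = []
    for cve, hosts in hosts_by_cve.items():
        due = date.fromisoformat(catalog[cve]["dueDate"])
        rows.append({
            "cve": cve,
            "product": catalog[cve]["product"],
            "due": due,
            "days_left": (due - today).days,  # negative means past due
            "overdue": due < today,
            "hosts": sorted(hosts),
        })
    rows.sort(key=lambda r: (r["due"], r["cve"]))
    return rows

if __name__ == "__main__":
    for row in kev_worklist(KEV_JSON, FINDINGS, date(2022, 3, 10)):
        flag = "OVERDUE" if row["overdue"] else f"{row['days_left']}d left"
        print(row["cve"], row["product"], flag, ",".join(row["hosts"]))
```

KEV entries with no matching finding, and findings that are not in the catalog, both fall out of the worklist, which is the "eliminating CVEs that don't apply" step.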
As a special bonus, the new BigFix CVE Search Dashboard includes all published KEVs as well as the CVEs associated with the Conti Ransomware attacks.
So, there you have it. That’s what BOD 22-01 and CISA KEV are, why they’re important to you, why you should do something about them, and how BigFix can help. Stay tuned for more information as we learn more and as we build out more technologies to dramatically increase your cyber hygiene with less effort.
For more information about the new BigFix CVE Search Dashboard, click here, contact us, or reach out to your BigFix Technical Advisor.
It appears that this is only available if you have the Compliance license. You might want to include that somewhere. I went chasing after this dashboard and was 30 minutes into it before I realized it wasn’t part of my purchased licenses.