The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new directive requiring federal agencies to prioritize vulnerabilities based on four specific criteria, aiming to improve the efficiency of patching efforts. This directive is part of a broader initiative to "patch smarter, not harder." The agency's acting director, Nick Andersen, previewed the binding operational directive (BOD) as a significant rethinking of vulnerability management, as reported by CyberScoop.

The new directive, BOD 26-04, mandates that federal agencies focus on vulnerabilities that affect publicly exposed assets, can be fully automated by attackers, allow for complete system control, or show evidence of active exploitation. Agencies must remediate vulnerabilities meeting all four criteria within three days, including a forensic triage. The directive also sets timelines for updating vulnerability management policies, with immediate action required for known exploited vulnerabilities (KEVs) on CISA's "must-patch" list, and 60-day and 180-day deadlines for other remediation processes.

This move is partly influenced by the accelerating pace of vulnerability weaponization due to artificial intelligence. While BODs are mandatory only for federal agencies, CISA encourages private sector adoption, noting that defenders are already struggling to keep pace with the increasing speed of vulnerability discovery and exploitation.

Source: CyberScoop
Patch/Configuration Management
CISA directs federal agencies on prioritization of cyber vulnerabilities
