
CISA tells govt agencies to patch critical exploited flaws in 3 days


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced a new Binding Operational Directive, 26-04, that prioritizes security updates for Federal Civilian Executive Branch (FCEB) agencies.

The directive aims to reduce the threat of cyberattacks targeting the public sector by requiring agencies to remediate high-risk vulnerabilities within accelerated timeframes, in some cases as little as three days.

CISA says that BOD 26-04 “supersedes and revokes” the older BOD 19-02 and BOD 22-01, introduced in 2019 and 2021, respectively.

The agency says that prioritizing patching is based on four key considerations:

- Whether the asset is publicly exposed online
- Presence of the vulnerability in CISA’s Known Exploited Vulnerabilities (KEV) catalog
- Whether exploitation can be automated for large-scale attacks
- Whether exploitation gives attackers partial or total control of a system

Depending on these factors, agencies get deadlines for addressing security vulnerabilities, the shortest period being three days.

For less urgent situations where automated exploitation is not possible or when it only provides partial control, the timeframe is set to two weeks.

[Figure: Vulnerability remediation timelines. Source: CISA]

Scope and implementation
