The Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive (BOD) ordering federal civilian agencies to patch software and hardware vulnerabilities open to exploitation.
BOD 22-01 includes a list of known network weaknesses posing risks to the federal information systems enterprise and outlines vulnerability management procedures that agency leaders need to review and complete within 60 days, CISA said.
Federal civilian officials are directed to create internal validation and enforcement policies to ensure compliance with the directive and to lay out tracking and reporting requirements to monitor the progress of their cyber mitigation efforts.
“The directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyberattacks,” said CISA Director Jen Easterly.
Agencies were given six months to remediate vulnerabilities made public before 2021 and two weeks to address all other vulnerabilities identified on their networks.