US gov agencies get mandatory patching orders


Remediate within two weeks for new bugs.

The United States Cybersecurity and Infrastructure Security Agency (CISA) has made it compulsory that all parts of the federal government quickly patch against known vulnerabilities.


CISA's Binding Operational Directive 22-01 sets out that agencies must establish a remediation process for identified vulnerabilities, and assign the roles and responsibilities needed to carry it out.

Agencies are required to remediate vulnerabilities listed in a CISA-managed vulnerability catalogue.

Several highly publicised bugs are listed in the catalogue, including the one in the Accellion File Transfer Appliance that was used to breach the Reserve Bank of New Zealand and NSW Health.

The catalogue lists over 400 vulnerabilities presently.

Flaws with Common Vulnerabilities and Exposures (CVE) identifiers assigned prior to this year must be remediated within six months.

All other vulnerabilities must be patched within two weeks, a deadline that could be shortened if the flaws are serious enough.

Reporting of patching against vulnerabilities will also be mandatory for government agencies.

CISA will also provide a report to the US Secretary of Homeland Security, the Director of the Office of Management and Budget, and the National Cyber Security Director on the status of the patching effort.

CISA issued the directive in response to a rise in exploited vulnerabilities, combined with agencies being slow to patch against them.

Copyright © iTnews.com.au . All rights reserved.