On June 10, the Cybersecurity & Infrastructure Security Agency (CISA) released Binding Operational Directive (BOD) 26-04 on Prioritizing Security Updates Based on Risk and the accompanying Implementation Guidance. In releasing the BOD and Implementation Guidance, CISA noted that the documents are “part of CISA’s response to the current threat landscape” and the impact of AI on the volume of identified security vulnerabilities and compressed timelines for remediation as threat actors move quickly to exploit them. While the BOD and Implementation Guidance apply to agencies, CISA Acting Director Nick Anderson noted in the release of the documents that “CISA strongly encourages all partners to adopt similar actions in their vulnerability management policy.”
The BOD and Implementation Guidance apply to federal agency assets in a federal information system—a system used or operated by an agency or by another entity on behalf of an agency—that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information. Although the BOD is directed to federal agencies, contractors that operate federal information systems should monitor agency implementation. The BOD states that it does not apply directly to contractors unless required by the governing contract, but also directs agencies to review contracts to determine what modifications may be necessary to comply with the directive. Contractors and cloud service providers therefore may see these requirements reflected in contract terms or in FedRAMP requirements in the future. The BOD requires agencies to, for example:
- Review and update agency vulnerability management policies to include certain specified information, such as establishing a process for ongoing remediation of vulnerabilities that CISA identifies through the Known Exploited Vulnerabilities (KEV) Catalog, clear roles and responsibilities, validation and enforcement procedures, and internal tracking and reporting requirements.
- Continue Cyber Hygiene scanning and update the agency’s exposed IPs and domain names quarterly.
- Remediate vulnerabilities as quickly as possible, and no later than the timelines in the directive, which range from 3 to 60 days, depending on the vulnerability.
- Implement asset management measures, including continuous identification and tagging of all agency-owned assets that can be reached from outside the agency network and using a routable IP address.
The BOD also includes proposed remediation timelines to “effectively prioritiz[e] high-risk vulnerabilities for timely action, while deferring action against low-risk vulnerabilities.” Remediation urgency is based on the following four factors:
- Asset Exposure: Is the vulnerable asset publicly exposed?
- KEV Status: Is the vulnerability, as identified by a common vulnerabilities and exposures identifier (CVE ID), on CISA’s Known Exploited Vulnerabilities Catalog?
- Exploit Automation: Is an adversary able to automate all the steps necessary to exploit the vulnerability?
- Technical Impact: Does an adversary gain partial control or total control of the vulnerable asset after exploitation of the vulnerability?
Depending on the response to these four questions, the proposed remediation timelines are set forth in the table below from the BOD:

Table 1: Remediation Timelines
The BOD emphasizes that these timelines are dynamic as facts change, and remediation measures (such as removing a system from the internet) can shift the required timeline. Notably, the BOD states that the references to “forensic triage” indicate that the agency must also “carry out a forensic triage of the asset to assess whether the system is compromised.” On the other end of the spectrum, the “fix on system upgrade” timeline is described as remediating a vulnerability “the next time the vulnerable asset receives a scheduled major upgrade or rebuild.”
The Implementation Guidance provides additional recommended best practices for executing prompt vulnerability response, including:
- Scoping: Within 2 hours of CISA adding a CVE to the KEV catalog, identify whether the vulnerability falls under a remediation timeline of fewer than three days and therefore requires forensic triage to assess whether the system or network infrastructure has been impacted or compromised. If so, activate the appropriate response team, scope the bounds of the potential incident, and establish out-of-band communications that do not rely on potentially compromised infrastructure.
- Preserve and Collect Evidence: Within 2-24 hours of KEV addition, prioritize preserving and collecting volatile data, which includes any data stored in memory or existing in transit that will be lost when the computer is powered off.
- Critical Patching and Stabilization: Within 2-24 hours of KEV addition, collect all required evidence and then apply critical available patches.
- Contain and Control: Within 6-24 hours of KEV addition, begin containment of in-scope systems and network infrastructure, coordinating with evidence preservation so that vital evidence is not destroyed prematurely and the threat actor is not alerted, while documenting all actions taken.
- Triage Analysis: Within 24-48 hours of KEV addition, begin evidence analysis to identify unauthorized access to systems, accounts, or data; threat actor access or presence; lateral movement from the initial access vector; persistence mechanisms; and data staging and/or exfiltration.
- Escalation Decision: Within 48-72 hours of KEV addition, produce a forensic triage report covering information gathered and actions taken, including an incident timeline; timeline of actions taken in response to a vulnerability notification and triage actions; technical findings; containment and mitigation efforts; and recommended next steps.
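The following is an added worked example, written for this summary rather than taken from the BOD, the Implementation Guidance, or any CISA tooling. It models the two mechanisms described above: scoring a finding against the four prioritization factors (Asset Exposure, KEV Status, Exploit Automation, Technical Impact), re-scoring it when the asset is taken off the internet, and, where the most urgent tier applies, laying out the six Implementation Guidance phases as absolute deadlines measured from the time CISA added the CVE to the KEV Catalog. The mapping from factor answers to a tier in `urgency_tier` is a placeholder standing in for the BOD's Table 1, which is not reproduced on this page; only its endpoints (a forensic-triage tier at the top, "fix on system upgrade" at the bottom) are taken from the text. The `Finding`, `Tier`, `plan` and `overdue_phases` names, and the sample CVE ids and hostnames, are constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from enum import Enum


class Tier(str, Enum):
    FORENSIC_TRIAGE = "forensic triage required"
    EXPEDITED = "expedited (short end of the 3-60 day range)"
    STANDARD = "standard (within the 3-60 day range)"
    ON_UPGRADE = "fix on system upgrade"


@dataclass(frozen=True)
class Finding:
    cve_id: str
    asset: str
    publicly_exposed: bool   # Asset Exposure: reachable from outside the agency network?
    on_kev: bool             # KEV Status: CVE listed in CISA's KEV Catalog?
    exploit_automated: bool  # Exploit Automation: can every exploitation step be automated?
    total_control: bool      # Technical Impact: True = total control, False = partial


def urgency_tier(f: Finding) -> Tier:
    # PLACEHOLDER mapping. The BOD's Table 1 decides the real timeline; this
    # post only tells us that the top tier carries a forensic-triage obligation
    # and the bottom tier waits for the next scheduled major upgrade or rebuild.
    if f.publicly_exposed and f.on_kev and f.exploit_automated and f.total_control:
        return Tier.FORENSIC_TRIAGE
    if f.on_kev or (f.publicly_exposed and f.exploit_automated):
        return Tier.EXPEDITED
    if f.publicly_exposed or f.total_control:
        return Tier.STANDARD
    return Tier.ON_UPGRADE


def tier_after_isolation(f: Finding) -> Tier:
    # The BOD notes that removing a system from the internet can shift the
    # timeline: re-score the same finding with Asset Exposure answered "no".
    return urgency_tier(replace(f, publicly_exposed=False))


# Phase windows from the Implementation Guidance, as (start_h, end_h) after KEV addition.
PHASES = (
    ("Scoping", 0, 2),
    ("Preserve and Collect Evidence", 2, 24),
    ("Critical Patching and Stabilization", 2, 24),
    ("Contain and Control", 6, 24),
    ("Triage Analysis", 24, 48),
    ("Escalation Decision", 48, 72),
)


def response_schedule(kev_added_iso: str) -> list:
    """Absolute ISO 8601 start/end deadlines for each phase, from the KEV addition time."""
    t0 = datetime.fromisoformat(kev_added_iso)
    return [(name, (t0 + timedelta(hours=s)).isoformat(), (t0 + timedelta(hours=e)).isoformat())
            for name, s, e in PHASES]


def overdue_phases(kev_added_iso: str, now_iso: str) -> list:
    """Names of phases whose window has already closed at `now` (for a tracking dashboard)."""
    t0 = datetime.fromisoformat(kev_added_iso)
    now = datetime.fromisoformat(now_iso)
    return [name for name, _, e in PHASES if now > t0 + timedelta(hours=e)]


def plan(f: Finding, kev_added_iso: str) -> dict:
    """Tier the finding, show the effect of isolating the asset, and attach the
    phased response schedule only when forensic triage is required."""
    tier = urgency_tier(f)
    return {
        "cve_id": f.cve_id,
        "asset": f.asset,
        "tier": tier.value,
        "tier_if_isolated": tier_after_isolation(f).value,
        "forensic_triage_schedule": response_schedule(kev_added_iso)
        if tier is Tier.FORENSIC_TRIAGE else [],
    }


# Constructed sample inventory: the CVE ids and hostnames are placeholders, not real findings.
SAMPLE = [
    Finding("CVE-0000-00001", "vpn-edge-01", True, True, True, True),
    Finding("CVE-0000-00002", "build-runner-07", False, True, False, False),
    Finding("CVE-0000-00003", "kiosk-lab-03", False, False, False, False),
]

if __name__ == "__main__":
    KEV_ADDED = "2026-06-10T14:00:00+00:00"  # constructed timestamp
    for finding in SAMPLE:
        p = plan(finding, KEV_ADDED)
        print(p["cve_id"], p["asset"], "->", p["tier"], "| if isolated ->", p["tier_if_isolated"])
        for name, start, end in p["forensic_triage_schedule"]:
            print("   ", name, start, "to", end)
```

Two design points worth noting. First, `tier_after_isolation` is the programmatic form of the BOD's observation that timelines are dynamic: the same finding can legitimately move to a slower tier once the asset is no longer reachable from outside, and the re-score should be recorded alongside the original so the change is auditable. Second, the phase windows overlap deliberately (evidence collection, critical patching and containment all open inside the first 24 hours), so `overdue_phases` is driven by each window's close rather than by a single linear sequence, which matches the Guidance's insistence that patching not destroy evidence needed later.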