The Cybersecurity and Infrastructure Security Agency (CISA) issued a binding operational directive (BOD) on June 10 that requires federal agencies to rethink their vulnerability management policies.
The directive orders agencies to prioritize patches for vulnerabilities that pose the highest risk, empowering them to defer lower-priority vulnerabilities.
Under the BOD, agencies must evaluate each vulnerability against four criteria: whether the affected asset is publicly exposed, whether an attacker can fully automate exploitation, whether successful exploitation gives an attacker full control of the system, and whether there is evidence of real-world exploitation (i.e., it is a known exploited vulnerability).
“CISA is empowering federal civilian agencies to focus their efforts on the areas of highest risk and defer patching lower priority vulnerabilities,” said acting CISA Director Nick Andersen in a press release. “This directive provides clear definitions, timelines, and criteria that enhances transparency, predictability, and agencies’ resource planning to execute more effective vulnerability remediation.”
“While this directive is a mandate for federal agencies, CISA strongly encourages all partners to adopt similar actions in their vulnerability management policy,” Andersen added.
Andersen previewed the directive on June 9 at Axonius’ Adapt in Action event.
The BOD sets remediation timelines based on how many of the four criteria a vulnerability meets. For instance, agencies must remediate a vulnerability in the highest-risk tier within three days, while lower-risk vulnerabilities get 60 days.
In a blog post titled “Patch Smarter, Not Harder” on the directive, the agency said that in an initial analysis at one large civilian agency, only 1% of vulnerability instances would fall into the three-day category. Over 60% could be deferred until the next system upgrade, the agency said.
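To make the four criteria and the count-based tiering concrete, here is an added Python example (not CISA's tooling and not anything the directive publishes) that scores a constructed inventory against the criteria, orders it most-urgent first, and counts how many instances land in each deadline bucket. The `DEADLINE_DAYS` table, the `Finding` fields, the placeholder vulnerability ids and the `SAMPLE_KEV` stand-in for the KEV catalogue are assumptions: the article gives only the three-day and 60-day figures and the deferral bucket, not the full count-to-deadline mapping.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical deadline table keyed by the number of criteria met. Only the
# 3-day (all criteria met) and 60-day (lower risk) figures come from the
# article; the intermediate tiers and the "defer to next upgrade" bucket for
# zero criteria are assumptions for illustration.
DEADLINE_DAYS: dict[int, int | None] = {4: 3, 3: 60, 2: 60, 1: 60, 0: None}


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset (constructed sample data)."""
    vuln_id: str
    asset: str
    internet_exposed: bool  # criterion 1: asset reachable from the public internet
    automatable: bool       # criterion 2: exploitation can be fully automated
    full_control: bool      # criterion 3: success gives full control of the system


def criteria_met(finding: Finding, kev: set[str]) -> int:
    """Return how many of the four BOD criteria a finding satisfies.

    Criterion 4 (evidence of real-world exploitation) is looked up in ``kev``,
    a stand-in for CISA's Known Exploited Vulnerabilities catalogue.
    """
    return sum((
        finding.internet_exposed,
        finding.automatable,
        finding.full_control,
        finding.vuln_id in kev,
    ))


def deadline(finding: Finding, kev: set[str], today: date) -> date | None:
    """Due date under the hypothetical table; None means defer to next upgrade."""
    days = DEADLINE_DAYS[criteria_met(finding, kev)]
    return None if days is None else today + timedelta(days=days)


def triage(findings: list[Finding], kev: set[str], today: date) -> list[tuple[str, str, int, date | None]]:
    """Order findings most-urgent first: most criteria met, then by asset name."""
    rows = [(f.vuln_id, f.asset, criteria_met(f, kev), deadline(f, kev, today)) for f in findings]
    rows.sort(key=lambda r: (-r[2], r[1]))
    return rows


def tier_distribution(findings: list[Finding], kev: set[str]) -> dict[str, int]:
    """Count findings per deadline bucket, the kind of figure the agency's analysis reports."""
    dist: dict[str, int] = {}
    for f in findings:
        days = DEADLINE_DAYS[criteria_met(f, kev)]
        key = "defer" if days is None else f"{days}d"
        dist[key] = dist.get(key, 0) + 1
    return dist


# Constructed sample inventory; vulnerability ids are placeholders, not real CVEs.
SAMPLE_KEV = {"V-1"}
SAMPLE_TODAY = date(2025, 6, 10)
SAMPLE_FINDINGS = [
    Finding("V-1", "web-01", internet_exposed=True, automatable=True, full_control=True),
    Finding("V-1", "build-03", internet_exposed=False, automatable=True, full_control=True),
    Finding("V-2", "db-02", internet_exposed=False, automatable=True, full_control=True),
    Finding("V-3", "kiosk-04", internet_exposed=False, automatable=False, full_control=False),
    Finding("V-4", "laptop-05", internet_exposed=False, automatable=False, full_control=False),
]

if __name__ == "__main__":
    for vuln_id, asset, n, due in triage(SAMPLE_FINDINGS, SAMPLE_KEV, SAMPLE_TODAY):
        print(f"{vuln_id:5} {asset:10} criteria={n} due={due or 'next upgrade'}")
    print(tier_distribution(SAMPLE_FINDINGS, SAMPLE_KEV))
```

On a real inventory the two inputs that matter are the exposure data from your attack-surface scanning (criterion 1) and CISA's actual KEV catalogue in place of `SAMPLE_KEV` (criterion 4); the automatable and full-control flags are judgments about the vulnerability itself, not the asset, so they can be cached per vulnerability id rather than re-assessed per instance.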
“This more aggressive tiering of vulnerabilities ensures that the most critical vulnerabilities are addressed first, and more quickly,” wrote Chris Butera, the agency’s acting executive assistant director for cybersecurity, and Jonathan Spring, a senior technical adviser.
CISA noted that cyber threat actors’ use of artificial intelligence (AI) may further narrow the time cyber defenders have to react between patch release and exploitation.
Although Andersen previewed the BOD on June 9, he first announced that CISA would be rolling out the directive at AFCEA’s TechNet Cyber conference in Baltimore on June 3.
At that event, he said CISA is preparing several initiatives in response to the administration’s new AI executive order, the BOD being one of them.
President Donald Trump signed the AI executive order on June 2. The order asks AI companies to voluntarily submit their advanced AI models to the federal government for testing “up to 30 days before they plan to release such models to other trusted partners.”
It also tasks several agencies – including the Department of Defense, Department of the Treasury, and CISA – with strengthening U.S. cyber defenses to address emerging threats posed by advanced AI capabilities.
The new vulnerability management directive represents one of CISA’s first major actions under that broader effort.