On Nov 3, 2021, the Cybersecurity and Infrastructure Security Agency (CISA), a branch of the U.S. Department of Homeland Security (DHS), released Binding Operational Directive (BOD) 22-01. BODs tend to be high-level and high-impact; this one is unusually direct, requiring a specific list of vulnerabilities to be mitigated within a strict time frame.
CISA BOD 22-01 has three lines specific to patching requirements:
- Remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog.
- The catalog will list exploited vulnerabilities that carry significant risk to the federal enterprise with the requirement to remediate within six months for vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021 and within two weeks for all other vulnerabilities.
- These default timelines may be adjusted in the case of grave risk to the Federal Enterprise.
Overall, this seems to follow patching guidance many commercial entities already use. The catalog is called the Known Exploited Vulnerabilities (KEV) catalog, and CISA strongly recommends that everyone review and monitor it and remediate the listed vulnerabilities to strengthen their security and resilience posture.
CISA will update this catalog with additional exploited vulnerabilities as they become known, subject to CISA review and when they satisfy the following thresholds:
- The vulnerability has an assigned Common Vulnerabilities and Exposures (CVE) ID.
- There is reliable evidence that the vulnerability has been actively exploited in the wild.
- There is a clear remediation action for the vulnerability, such as a vendor provided update.
cisa-alerts.py
This simple Python script reads the KEV catalog JSON file and shows the top-n vendors and the top-n products it contains. It can also print a Kenna query string for the listed CVEs, separating CVEs that are already overdue from those whose due date is upcoming.
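The following is an added example (not the page's cisa-alerts.py and not CISA's code) showing the two pieces described above: the BOD 22-01 default timelines (six months for pre-2021 CVE IDs, two weeks otherwise, with CISA free to shorten them) and the kind of per-vendor/per-product counting and overdue/upcoming split the script performs over the KEV JSON. The catalog sample is constructed inline with placeholder CVE IDs; the field names follow the KEV JSON feed's schema (`vulnerabilities`, `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`). The Kenna query format is an assumption, since the page does not show it.

```python
import json
from collections import Counter
from datetime import date, timedelta

# Constructed sample in the shape of the KEV JSON feed. The CVE IDs are
# placeholders, not real catalog entries.
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed sample",
    "vulnerabilities": [
        {"cveID": "CVE-2019-00001", "vendorProject": "VendorA", "product": "Gateway",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
        {"cveID": "CVE-2021-00002", "vendorProject": "VendorA", "product": "Gateway",
         "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
        {"cveID": "CVE-2021-00003", "vendorProject": "VendorB", "product": "Mailer",
         "dateAdded": "2021-11-10", "dueDate": "2021-11-24"},
        # Pre-2021 CVE whose catalog due date was shortened below the default.
        {"cveID": "CVE-2020-00004", "vendorProject": "VendorC", "product": "Router",
         "dateAdded": "2021-11-10", "dueDate": "2021-12-10"},
    ],
})


def load_kev(raw_json):
    """Parse the catalog JSON and return the list of vulnerability records."""
    return json.loads(raw_json)["vulnerabilities"]


def top_n(entries, field, n=3):
    """Most common values of one field, e.g. vendorProject or product."""
    return Counter(e[field] for e in entries).most_common(n)


def add_months(d, months):
    """Calendar month arithmetic with the day clamped to the target month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = (date(year + month // 12, month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def default_due_date(cve_id, date_added):
    """BOD 22-01 default timeline: six months for CVE IDs assigned before 2021,
    two weeks for all other vulnerabilities."""
    cve_year = int(cve_id.split("-")[1])
    if cve_year < 2021:
        return add_months(date_added, 6)
    return date_added + timedelta(days=14)


def shortened_timelines(entries):
    """CVEs whose catalog due date is earlier than the default timeline,
    i.e. entries where CISA applied an adjusted (grave-risk) deadline."""
    result = []
    for e in entries:
        default = default_due_date(e["cveID"], date.fromisoformat(e["dateAdded"]))
        if date.fromisoformat(e["dueDate"]) < default:
            result.append(e["cveID"])
    return result


def classify_by_due_date(entries, today, upcoming_days=14):
    """Split entries into overdue and due-soon buckets relative to `today`."""
    overdue, upcoming = [], []
    for e in entries:
        due = date.fromisoformat(e["dueDate"])
        if due < today:
            overdue.append(e["cveID"])
        elif due <= today + timedelta(days=upcoming_days):
            upcoming.append(e["cveID"])
    return overdue, upcoming


def kenna_query(cve_ids):
    """Assumed Kenna-style search string (hypothetical format)."""
    return " OR ".join(f"cve:{c}" for c in cve_ids)


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_JSON)
    print("top vendors:", top_n(entries, "vendorProject"))
    print("top products:", top_n(entries, "product"))
    overdue, upcoming = classify_by_due_date(entries, date(2021, 11, 20))
    print("overdue:", kenna_query(overdue))
    print("upcoming:", kenna_query(upcoming))
    print("shortened timelines:", shortened_timelines(entries))
```

Run against the real feed by replacing `SAMPLE_KEV_JSON` with the downloaded catalog file's contents; the reference date passed to `classify_by_due_date` should be `date.today()` in practice.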
Links:
- https://cyber.dhs.gov/bod/22-01/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://github.com/myseq/