What government agencies need to know about CISA’s new Binding Operational Directive

The Cybersecurity and Infrastructure Security Agency (CISA) is reinforcing the nation’s cybersecurity efforts by announcing a new Binding Operational Directive (BOD) related to common vulnerabilities and exposures. Also referred to as CVEs, these publicly disclosed flaws in software open doors that attackers are able to exploit at alarming rates: the FBI’s Internet Crime Complaint Center noted in its 2020 report that the department saw a massive 69% increase in suspected cybercrime complaints from 2019 to 2020. Getting ahead of this worrisome trend, BOD 22-01 is set to play a role in shaping how the United States government addresses nearly 300 known software security flaws and handles the cyber threats we’re faced with today. “Vulnerabilities that have previously been used to exploit public and private organizations are a frequent attack vector for malicious cyber actors of all types,” the BOD states. “These vulnerabilities pose significant risk to agencies and the federal enterprise. It is essential to aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents.” It’s a widespread problem that all organizations creating and maintaining web apps need to pay attention to. In 2020 alone, 2 out of every 5 data breaches originated from web applications, and the number of records compromised in attacks rose by an alarming 141%. Applications with gaps in security coverage can be low-hanging fruit for threat actors to pluck while organizations are focused on their mission-critical apps. This is why continuously scanning every single application is so important, especially for federal agencies dealing with highly sensitive information daily.

New guidelines and timelines for federal agencies to follow

As outlined by the new directive, establishing a catalog of known flaws and laying out requirements for remediation is a step towards reducing the significant cybersecurity risk posed to federal agencies and, ultimately, the American people’s security and privacy. Serving as an enhancement to BOD 19-02, which focuses on critical and high-risk vulnerabilities in internet-facing federal information systems, BOD 22-01 specifies required actions that agencies must take within 60 days:

• Review and update their vulnerability management processes following this new directive.
• Establish a remediation process for identified vulnerabilities using the CISA-managed catalog.
• Assign employees to specific roles and responsibilities that will help execute agency plans.
• Define the steps they need to take to complete the actions outlined in the directive
• Set in place procedures for internal validation and enforcement of the directive’s guidelines.
• Establish internal tracking and reporting guidance for transparency and adherence.

The BOD also requires that agencies remediate these vulnerabilities and report their progress in accordance with timelines set by the CISA catalog, with a target of six months for CVE IDs assigned before 2021 and a mere two weeks for all other vulnerabilities. However, the BOD notes that these timelines may shift in unique cases of extreme risk that require much faster remediation efforts.

Improving software security through automation and integration

The challenge for government agencies and organizations of all sizes is to implement consistent web application security testing across all of their environments and worldwide locations. That means there’s no one-size-fits-all approach for minimizing software security risks. But there are tools and automated solutions that help agencies find their footing; with more than 15 years of focused experience in application security (AppSec), Invicti knows what it takes for agencies to meet federal compliance regulations. Web applications present an ever-growing attack vector. Government agencies must stay agile to cover their software against common web vulnerabilities in the CISA catalog as threats emerge and evolve. Our dynamic analysis (DAST) and interactive analysis (IAST) solutions enable vulnerability testing to find flaws in web apps as part of a continuous process and accelerate the mitigation of security issues across all web applications. Extensive automation and integration capabilities make the adoption of security into existing workflows that much easier. Invicti’s application scanning tools set government agencies and enterprise organizations up for success with features like Proof-Based Scanning, which provides accurate confirmation of vulnerabilities that are directly exploitable by threat actors. Invicti’s application security testing solutions are faster than traditional methods and eliminate manual rework, which is crucial to improving security posture quickly and meeting federal compliance needs. Systematic testing is key, as noted by the Biden administration’s Executive Order on Improving the Nation’s Cybersecurity which underscores the need to employ “automated tools or comparable processes'' to maintain supply chain security, check for vulnerabilities regularly, and ensure the integrity and security of applications. By scanning within the CI/CD pipeline, agencies can foster an effective DevSecOps environment that improves the quality of security assessments and enables faster remediation processes to find and fix these common flaws before they become costly headaches. Learn more about how Invicti helps close security gaps in web applications to help organizations stay on top of federal mandates and guidelines.