Skip to content

Navigating (and Responding) to the Federal Binding Operational Directive 22-01

    
Navigating (and Responding) to the Federal Binding Operational Directive 22-01

The Directive

Just over two weeks ago, on November 3rd, the Cybersecurity and Infrastructure Security Agency (CISA), a division of the U.S. Department of Homeland Security, issued a binding directive that instructed Federal agencies to fix hundreds of known vulnerabilities in their networks, and fix them by specified dates. It’s the first time the Federal government has issued such an order, known as Federal Binding Operational Directive 22-01. The directive covers all hardware and software, both internet-facing and non-internet-facing, on any Federal system, whether it’s on-premises or hosted by a third party. 

“CISA’s latest Binding Operational Directive, which requires federal agencies to patch more than 250 vulnerabilities that are currently being exploited by our adversaries, will go a long way towards strengthening network security and improving our federal cyber hygiene,” said Rep. Jim Langevin, chairman of the House Armed Services Cyber, Innovative Technologies and Information Systems Subcommittee. 

Vulnerabilities in Scope

A comprehensive catalog of identified exposures and vulnerabilities was released along with the directive. The catalog included scores of high or critical risk items directly related to systems and services being used by the government — and that are being actively exploited in the wild. At this point you might be thinking: “I don’t work for the government, and my company doesn’t work on government contracts. Why should I be concerned about Federal Binding Operational Directive 22-01?” The answer is: because very soon Federal Binding Operational Directive 22-01 will be coming to you. 

“There is absolutely no question that this list of CVEs will be taken up by private companies in the weeks and months ahead,” said David Linder, Chief Information Security Officer, Contrast Security. “Because it isn’t just government systems that cyber criminals are exploiting through these exposures. Everyone is at risk, and everyone will eventually need to be protected.”

This is no small task, and obviously no single security vendor is capable of delivering solutions for every one of the vulnerabilities cited in the directive. Multiple techniques and product offerings will be needed to address such a wide range of potential exposures.  

Responding to the Directive

As a first step, it would be wise for any impacted enterprise to consider adding application runtime protection as part of a comprehensive program to identify key vulnerabilities and block them from attack. This will allow application security teams extra time to prioritize fixes, and make decisions on how to block attacks on older systems whose data will eventually be migrated elsewhere before the legacy system is retired. 

How should you, as a CISO, respond? First by understanding that there is no one solution for mitigating risk across so many vulnerability types. That said, a CISO should always be looking for ways to mitigate risk, especially in cases where COTS is being used on-premises (Contrast Protect could potentially be of help here). Lastly, it’s important to remember that there will always be a gap of time involved in implementing a patch. A forward-looking strategy for mitigating risk will be needed for that period of time.

See for yourself why our customers are changing the way they approach application security. Click here to schedule an easy, no-commitment web demo of the Contrast Application Security Platform.

Blake Connell, Director, Product Marketing, Contrast Security

Blake Connell, Director, Product Marketing, Contrast Security

An experienced enterprise software product marketer, Blake’s work spans many areas including developer platforms, cloud infrastructure, and advanced security analytics. Blake helps drive customer success by ensuring products get successfully delivered into the marketplace that yield immediate benefit. Currently, Blake is focused on Contrast Protect, which provides application runtime protection and observability.