The agency warned and ordered the other federal agencies to fix all of them, and submit a quarterly report on the status. CISA said these security vulnerabilities are both internet-facing and offline and can cause serious issues if exploited by a threat actor.

CISA’s Binding Operational Directive

Every year, CISA releases a Binding Operational Directive (BOD) containing various technical vulnerabilities in general systems, used by federal agencies to process the regular works. Since threat actors are actively looking to hit such critical services, CISA warns them to fix them as soon as possible. Related- CISA Urged Discourse Users to Update Immediately For Patching an RCE Bug This year, the BOD 22-01 (Reducing the Significant Risk of Known Exploited Vulnerabilities) contained about 290 security vulnerabilities (200 from 2017-20 and 90 from 2021). These include both the software and hardware systems (online and offline) from federal civil agencies serving the public.

This establishes priorities for vulnerability management & will help improve Federal Agency vulnerability management practices. pic.twitter.com/CS0hVBU4l4 — Cybersecurity and Infrastructure Security Agency (@CISAgov) November 3, 2021 The end goal here is to make these agencies fix the said vulnerabilities responsibly, thereby keeping the systems and public data safe from any unwanted hacks. CISA said the directive helps not just the federal agencies, but also public/private sector organizations aiding the agencies. Securing them helps in keeping the companies up to date, and improving the vulnerability management practices. Releasing this directive, CISA’s Director Jen Easterly said, All the federal agencies are given 60 days to review and update their internal vulnerability management procedures. And, the fixing of them should be done within two weeks for the vulnerabilities found exploited this year, and six months for vulnerabilities exploited until the end of 2020.

CISA Listed 290 Vulnerabilities Affecting Federal Civil Agencies - 79