FedRAMP and CISA: What Is Binding Operational Directive 22-01
Managing cybersecurity threats is a full-time job, and most cybersecurity specialists rely on shared knowledge between experts in the field to combat these threats. The Common Vulnerabilities and Exposures (CVE) database provides a starting point for this kind of knowledge, centralizing an index of known security vulnerabilities in the wild.
The CVE program recently brought the Cybersecurity and Infrastructure Security Agency (CISA) into its numbering hierarchy, and CISA's work now feeds into new directives for federal agencies and cloud service providers (CSPs). One of these directives, Binding Operational Directive 22-01, establishes a new catalog of known exploited vulnerabilities along with several other requirements for regulated organizations, and it is trickling down into other security requirements, including FedRAMP.
What is CVE and How Is it Managed?
Generally speaking, CVE is a central repository of known cybersecurity vulnerabilities in the wild. These CVEs are usually relevant to specific pieces of software or software infrastructure, including items like the Log4Shell vulnerability, Adobe ColdFusion exploits and issues with Apache services. Every time a vulnerability is discovered and reported, the CVE program gives it a number and description so that organizations have a shared reference under which to collect knowledge.
If you know anything about security or technology, you can probably guess that CVEs aren't rare; easily thousands of CVEs emerge each year. These numbers are assigned by CVE Numbering Authorities (CNAs) representing significant players in the industry, with hierarchies of CNAs making decisions about number assignment.
In September of 2020, the CVE program granted CISA Top-Level Root CNA status over several specific sub-CNA organizations, including CERT@VDE, Siemens and Robert Bosch GmbH. This was seen as an overall benefit for the program, because it puts a government agency in charge of ground-level responses to critical vulnerabilities that can affect the entire nation.
What is Binding Operational Directive 22-01?
Binding Operational Directives, or BODs, are compulsory directions released by CISA that affect relevant government agencies and contractors, including managed service providers (MSPs) or CSPs. Typically, these directives are expansions or adjustments to existing laws to help these organizations better respond to emerging, modern security threats.
On November 3, 2021, CISA released BOD 22-01, "Reducing the Significant Risk of Known Exploited Vulnerabilities," to address the ongoing problem of vulnerabilities that are already being exploited. According to the BOD, its mission is to put existing knowledge of security vulnerabilities to work as part of government cybersecurity efforts to "aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents."
The BOD lays out several required actions for software and hardware in federal information systems, whether on agency premises or housed by third-party contractors. These include:
- Remediation of Known Vulnerabilities: Organizations must establish and implement a process for ongoing remediation of the vulnerabilities listed in the CISA catalog. Because these vulnerabilities are considered ones that pose significant risk, governed organizations must demonstrate their compliance.
- Remediation Timelines: Organizations must remediate vulnerabilities on a CISA-defined timeline. For vulnerabilities assigned a CVE ID prior to 2021, the remediation timeline is six months. For all other vulnerabilities, the timeline is two weeks.
- Reporting Remediation Status: Organizations must migrate to the Continuous Diagnostics and Mitigation (CDM) dashboard for remediation reporting, providing quarterly updates on their migration progress until it is complete.
- Establish BOD Infrastructure: These organizations must:
  - Define and implement the actions necessary to carry out the directives in the BOD
  - Assign roles and responsibilities for every position needed to execute these directives
  - Establish validation and enforcement procedures to ensure adherence to these directives
  - Track and report adherence to these directives under clearly defined policies
Additionally, CISA itself will take specific actions:
- Vulnerability Catalog: CISA is directed to develop a CISA-managed catalog of known exploited vulnerabilities. This catalog, called the Known Exploited Vulnerabilities (KEV) catalog, is separate from CVE and related databases, and it does not include Common Vulnerability Scoring System (CVSS) rankings.
- Thresholds: CISA will publish the conditions and thresholds for including vulnerabilities in the catalog.
- Supplemental Updates: CISA will provide supplementary direction for changes to this BOD based on changes in the types and severity of known vulnerabilities.
- Annual Reports: CISA will provide an annual status report to the Secretary of the Department of Homeland Security (DHS), the Director of the Office of Management and Budget (OMB) and the National Cyber Director.
The KEV catalog doesn't include CVSS scoring because, according to CISA documentation, those rankings don't reflect how often "lower" vulnerabilities (theoretically, those with less risk) turn out to be more dangerous in practice, whether through a lack of patching diligence or through exploit chaining.
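The remediation timelines and the KEV catalog described above translate directly into a tracking job: match catalog entries against your asset inventory and compute the BOD 22-01 due date for each hit. The following is an added example (not code from the article, from CISA or from FedRAMP); the catalog records and inventory are constructed sample data, and the field names `cveID`, `product` and `dateAdded` are assumed to mirror CISA's published KEV JSON feed.

```python
from calendar import monthrange
from datetime import date, timedelta

# Constructed sample catalog records, not real KEV entries. Field names are
# assumed to follow CISA's KEV JSON feed (cveID, product, dateAdded).
KEV_SAMPLE = [
    {"cveID": "CVE-2019-0001", "product": "ExampleApp", "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2021-0002", "product": "ExampleServer", "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2021-0003", "product": "Unused", "dateAdded": "2021-12-01"},
]

# Constructed asset inventory: product name -> hosts where it is deployed.
INVENTORY = {"ExampleApp": ["web-02", "web-01"], "ExampleServer": ["app-01"]}


def add_months(d, n):
    """Return d shifted forward n calendar months, clamped to the month end."""
    m = d.month - 1 + n
    y, m = d.year + m // 12, m % 12 + 1
    return d.replace(year=y, month=m, day=min(d.day, monthrange(y, m)[1]))


def remediation_due(entry):
    """BOD 22-01 timeline as the directive states it: CVE IDs assigned before
    2021 get six months from the date CISA added them, all others two weeks."""
    added = date.fromisoformat(entry["dateAdded"])
    cve_year = int(entry["cveID"].split("-")[1])
    return add_months(added, 6) if cve_year < 2021 else added + timedelta(days=14)


def match_kev(catalog, inventory, today_iso):
    """One finding per KEV entry that affects a deployed product, with its
    due date and overdue flag, sorted by due date for POA&M entry."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in catalog:
        hosts = inventory.get(entry["product"])
        if not hosts:
            continue  # product not deployed: nothing to remediate or report
        due = remediation_due(entry)
        findings.append({
            "cveID": entry["cveID"],
            "hosts": sorted(hosts),
            "dueDate": due.isoformat(),
            "overdue": today > due,
        })
    return sorted(findings, key=lambda f: f["dueDate"])


if __name__ == "__main__":
    for finding in match_kev(KEV_SAMPLE, INVENTORY, "2021-12-01"):
        print(finding)
```

In production the catalog would be refreshed from CISA's feed on a schedule, since the BOD expects authorized CSPs to monitor KEV additions continuously rather than once at authorization time.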
How Does this BOD Affect FedRAMP?
The FedRAMP program, in consultation with the Joint Authorization Board (JAB) and CISA, has moved to apply the BOD's requirements to CSPs governed by the framework. In a publication released March 8, 2022, the program announced that CSPs would be expected to meet the BOD requirements.
FedRAMP has released an updated Plan of Action and Milestones (POA&M) template. A POA&M is a formal document in which a CSP outlines the changes necessary to meet a compliance requirement, the plan it intends to implement and the timeline for that implementation.
This new template includes fields for your organization to identify and log any relevant and known vulnerabilities from the KEV affecting your systems and the remediation plan. Moving forward, Authorized CSPs will be expected to monitor changes to the KEV for future compliance.
Manage Evolving FedRAMP Reporting with Continuum GRC
New requirements and expectations call for new processes and new documentation. If your business manages FedRAMP authorization, you already know the name of the game: showing the government and your 3PAO documented proof of compliance. This new push for managing ongoing threats is just another step in that process.
If you’re a CSP under FedRAMP jurisdiction or seeking authorization, then it’s time to streamline your compliance processes with Continuum GRC. We are the only FedRAMP authorized solution in the world, and we can take your regulatory processes and automate, streamline and simplify them year after year.
Connect with Continuum GRC to Learn About FedRAMP Authorization
Call Continuum GRC at 1-888-896-6207 or complete the form below.