
FedRAMP and CISA: What Is Binding Operational Directive 22-01


Managing cybersecurity threats is a full-time job, and most cybersecurity specialists rely on shared knowledge between experts in the field to combat these threats. The Common Vulnerabilities and Exposures (CVE) database provides a starting point for this kind of knowledge, centralizing an index of known security vulnerabilities in the wild. 

The CVE program recently joined forces with the Cybersecurity and Infrastructure Security Agency (CISA), whose work in turn feeds into new directives for federal agencies and cloud service providers (CSPs). One of these directives, Binding Operational Directive 22-01, establishes a new catalog of known exploited vulnerabilities (KEV) along with several other requirements for regulated organizations, and its effects are trickling down into other security requirements, including FedRAMP.


What is CVE and How Is it Managed?

Generally speaking, CVE is a central repository of known cybersecurity vulnerabilities found in the wild. Each CVE is usually tied to a specific piece of software or software infrastructure; examples include the Log4Shell vulnerability, Adobe ColdFusion exploits and issues with Apache server services. Every time a vulnerability is discovered and reported, the CVE program assigns it an identifier and a description, giving organizations a shared reference under which to collect knowledge about it.

If you know anything about security or technology, you can probably guess that CVEs aren’t rare: thousands emerge each year. Identifiers are assigned by CVE Numbering Authorities (CNAs), which represent significant players in the industry, with a hierarchy of CNAs deciding how numbers are assigned.

In September 2020, the CVE program granted CISA top-level root CNA status over several specific sub-CNA organizations, including CERT@VDE, Siemens and Robert Bosch GmbH. This was seen as an overall benefit for the program, since it involves a government agency in ground-level responses to critical vulnerabilities that can affect the entire nation.


What is Binding Operational Directive 22-01?

Binding Operational Directives, or BODs, are compulsory directions released by CISA that affect relevant government agencies and contractors, including managed service providers (MSPs) or CSPs. Typically, these directives are expansions or adjustments to existing laws to help these organizations better respond to emerging, modern security threats. 

On November 3, 2021, CISA released BOD 22-01, “Reducing the Significant Risk of Known Exploited Vulnerabilities,” to address the ongoing problem of vulnerabilities that are already being exploited. According to the BOD, its purpose is to put the ever-growing body of knowledge about security vulnerabilities to work in government cybersecurity efforts and to “aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents.”

The BOD imposes a number of required actions covering software and hardware in federal information systems, whether on agency premises or housed by third-party contractors. These include:

Additionally, CISA itself will take specific actions:

The KEV catalog doesn’t include CVSS scores because, according to CISA documentation, those rankings don’t reflect how often “lower” vulnerabilities (theoretically, those carrying less risk) turn out to be more dangerous in practice, whether through lack of diligence in patching or through exploit chaining.


How Does this BOD Affect FedRAMP?

The FedRAMP program, in consultation with the Joint Authorization Board (JAB) and CISA, has moved to apply the BOD’s requirements to CSPs governed by the framework. In a publication released March 8, 2022, the program announced that CSPs would be expected to meet the BOD requirements.

FedRAMP has released an updated Plan of Action and Milestones (POA&M) template. A POA&M report is a formal document where a CSP outlines the changes necessary to meet any compliance requirements, the plan they intend to implement and the timeline for that implementation. 

This new template includes fields in which your organization identifies and logs any known vulnerabilities from the KEV that affect your systems, along with the remediation plan for each. Moving forward, Authorized CSPs will be expected to monitor changes to the KEV for ongoing compliance.
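The monitoring step described above, as an added example that is not part of the original post or of any FedRAMP or CISA tooling: the catalog records and the asset inventory are constructed placeholders shaped like CISA’s public KEV JSON feed (a `vulnerabilities` list with `cveID`, `vendorProject`, `product`, `dateAdded` and `dueDate`), and the rows it produces are the fields a CSP would carry into the POA&M template’s KEV entries.

```python
"""Reconcile a KEV catalog snapshot against a CSP asset inventory.

Added example, not from the original post. The KEV records are constructed
sample data shaped like the public KEV JSON feed; CVE ids, products and
dates are placeholders, not real catalog entries.
"""
from datetime import date

# Constructed KEV snapshot (placeholder CVE ids, vendors and dates).
KEV_SNAPSHOT = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-1111", "vendorProject": "ExampleVendor",
         "product": "AppServer", "dateAdded": "2022-03-01", "dueDate": "2022-03-15"},
        {"cveID": "CVE-0000-2222", "vendorProject": "ExampleVendor",
         "product": "Logger", "dateAdded": "2022-03-10", "dueDate": "2022-03-24"},
        {"cveID": "CVE-0000-3333", "vendorProject": "OtherVendor",
         "product": "Router", "dateAdded": "2022-03-10", "dueDate": "2022-09-10"},
    ]
}

# Constructed inventory: system name -> CVE ids a scanner reported as present.
INVENTORY = {
    "web-tier": {"CVE-0000-1111", "CVE-0000-9999"},   # 9999 is not in the KEV
    "log-pipeline": {"CVE-0000-2222"},
}


def kev_exposures(catalog, inventory, today):
    """Return POA&M-ready rows for every inventory CVE that appears in the KEV.

    `today` is an ISO date string. Each row names the affected system, the KEV
    due date, and whether CISA's deadline has already passed; overdue rows sort
    first, then by due date.
    """
    by_cve = {v["cveID"]: v for v in catalog["vulnerabilities"]}
    today = date.fromisoformat(today)
    rows = []
    for system, cves in inventory.items():
        for cve in sorted(cves & set(by_cve)):       # only KEV-listed CVEs matter
            entry = by_cve[cve]
            due = date.fromisoformat(entry["dueDate"])
            rows.append({"system": system, "cveID": cve,
                         "product": f'{entry["vendorProject"]} {entry["product"]}',
                         "dueDate": due.isoformat(), "overdue": today > due})
    return sorted(rows, key=lambda r: (not r["overdue"], r["dueDate"]))


def newly_added(old_catalog, new_catalog):
    """CVE ids present in the new KEV snapshot but absent from the previous one."""
    old = {v["cveID"] for v in old_catalog["vulnerabilities"]}
    return sorted(v["cveID"] for v in new_catalog["vulnerabilities"] if v["cveID"] not in old)
```

Running `newly_added` on yesterday’s and today’s snapshots, then feeding the additions through `kev_exposures`, gives the set of new POA&M items a daily check needs to raise.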


Manage Evolving FedRAMP Reporting with Continuum GRC

New requirements and expectations call for new processes and new documentation. If your business manages FedRAMP authorization, you already know the name of the game: showing the government and your 3PAO documented proof of compliance. This new push for managing ongoing threats is just another step in this process.

If you’re a CSP under FedRAMP jurisdiction or seeking authorization, then it’s time to streamline your compliance processes with Continuum GRC. We are the only FedRAMP authorized solution in the world, and we can take your regulatory processes and automate, streamline and simplify them year after year. 


Connect with Continuum GRC to Learn About FedRAMP Authorization

Call Continuum GRC at 1-888-896-6207 or complete the form below.
