

Reducing cyber risk with CISA directive 22-01

Compliance and Regulation

Since early 2021, with the appointment of a new director, the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) has been making a name for itself with big moves like its new “Hack DHS” bug bounty program and creation of a cybersecurity advisory committee made up of industry representatives.

Essentially, through CISA, the Department of Homeland Security (DHS) is waking up to what IT and security professionals have known for a while: Organizations are at risk, and the level of risk is growing.

Given that, according to a July 2021 CISA report, “Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities,” CISA decided to crank up accountability for any organization working with the U.S. government. And they’ve done it by introducing CISA directive 22-01.

This binding operational directive (BOD) is mandatory for all U.S. “federal civilian agencies.” It attempts to solve the problem by reducing U.S. government exposure to today’s swarm of vulnerabilities.

But the announcement of CISA BOD 22-01 has sent a tidal wave of worry through already over-taxed IT departments. Does it apply to your organization? What exactly does it involve? And how can you become compliant with the least possible effort?

Relax. In this post, we’ll cover everything you need to know about CISA directive 22-01, along with some of the best ways to keep your organization safe against the kinds of global threats that are most concerning to DHS lawmakers.

What Does CISA Directive 22-01 Actually Say?

Operating under the DHS, CISA was formed in 2018 to “lead the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure.” They’re particularly working to foster public-private collaborations around cyber security issues to confront top and evolving threats. And that’s where BOD 22-01 comes in.

This latest BOD is an add-on to the earlier BOD 19-02, which called for an increased effort toward vulnerability remediation: “[I]t is more critical than ever for federal agencies to rapidly remediate vulnerabilities that otherwise could allow malicious actors to compromise federal networks through exploitable, externally-facing systems.”

The full, formal title of BOD 22-01 is “Reducing the Significant Risk of Known Exploited Vulnerabilities,” and this is exactly its goal: remediating or mitigating what CISA refers to as vulnerabilities that are “causing harm now.” 

It goes one step beyond BOD 19-02 by including a catalog of about 300 “known vulnerabilities,” with due dates for compliance. Companies that do business with the U.S. government will need to remediate any listed vulnerabilities by the corresponding due dates (which are set according to the date the vulnerability was discovered along with its severity). CISA plans to update this list from time to time as due dates pass and new vulnerabilities emerge. Additionally, all compliant organizations must report their progress to CISA as they work toward these deadlines.

Organizations failing to comply by the due dates listed will presumably face administrative penalties and potentially lose important U.S. government contracts. But the repercussions go much, much further—and could affect you no matter what industry you’re in.

Do You Need to Comply with CISA Directive 22-01?

The short answer to this question is you probably don’t, unless you’re working for the U.S. government. But in reality, you probably shouldn’t ignore it, either.

According to CISA, this BOD 22-01 “applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency’s behalf.” This includes primarily the federal and executive branch departments and agencies of the United States.

But the U.S. government is also strongly recommending this standard even for private businesses, as is clear from CISA director Jen Easterly’s tweet: “The BOD applies to federal civilian agencies; however, ALL organizations should adopt this Directive and prioritize mitigating vulnerabilities listed on our public catalog, which are being actively used to exploit public and private organizations.”

She’s right. Here are two major reasons you shouldn’t just ignore CISA directive 22-01:

  • These threats are real. Even if you don’t stand to lose valuable U.S. government contracts, CISA has identified them as top priorities for good reason. These are “low-hanging fruit” for attackers, and it’s simply irresponsible to leave your organization vulnerable.
  • You may need to comply soon. Other governments and large enterprises will likely follow CISA’s lead and make complying with BOD 22-01 or similar standards a mandatory requirement for doing business with them.

Even if you don’t absolutely have to comply, you definitely should. And it may be simpler than you think.

How Can You Combat the Threats Targeted by CISA Directive 22-01?

The U.S. government has put BOD 22-01 in place because today’s businesses—even at very high levels, and even those dealing with security on a daily basis—are not keeping up. And that’s putting everybody at risk.

According to a CISA report, “Focusing scarce cyber defense resources on patching those vulnerabilities that cyber actors most often use offers the potential of bolstering network security while impeding our adversaries’ operations.” In plain English, this means that patching is still your first and best line of defense.

That’s easier said than done. Patching can be a difficult, complicated task unless you have the right tools in place. 

And even if your patching is under control, documenting your patch responsibilities and progress (as BOD 22-01 requires) piles on admin hassles to the ever-growing list of IT responsibilities.

To help organizations comply, CISA has also released new Cybersecurity Incident and Vulnerability Response Playbooks, which explain that “Existing patch and asset management tools are critical and can be used to automate the detection process for most vulnerabilities.” In other words, automation and intelligent patching are absolutely crucial to meet evolving modern regulatory standards like CISA’s BOD 22-01.
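The catalog-with-due-dates mechanism described earlier, and the playbooks’ point that existing asset-management data can drive detection, come down to one operation: joining the catalog feed against your own asset inventory and sorting by due date. The script below is an added example, not code from this post or from JetPatch. It loads a catalog in the shape of CISA’s KEV JSON feed (the field names `cveID`, `product`, `requiredAction` and `dueDate` are assumed to match the published feed; the entries and CVE identifiers are constructed placeholders), matches it against a constructed scanner-style inventory, and reports which items are due or overdue with the most urgent first. CVEs that are not in the catalog are counted separately, since they fall under normal patch policy rather than the directive.

```python
"""Cross-reference a KEV-style catalog against an asset inventory to track BOD 22-01 due dates."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed sample catalog in the shape of CISA's KEV JSON feed. The field names are
# assumed to match the published feed; the entries and CVE identifiers are placeholders.
SAMPLE_KEV_JSON = """
{
  "title": "constructed sample catalog",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "vulnerabilityName": "ExampleVPN remote code execution (placeholder)",
     "dateAdded": "2021-11-03", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2021-11-17"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleCMS",
     "vulnerabilityName": "ExampleCMS authentication bypass (placeholder)",
     "dateAdded": "2021-11-03", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-05-03"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "vulnerabilityName": "ExampleVPN path traversal (placeholder)",
     "dateAdded": "2021-11-17", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2021-12-10"}
  ]
}
"""

# Constructed inventory: asset name -> CVE IDs a scanner still reports on that asset.
SAMPLE_INVENTORY = {
    "vpn-gw-01": ["CVE-0000-0001", "CVE-0000-0003"],
    "web-app-02": ["CVE-0000-0002"],
    "build-01": ["CVE-0000-0099"],  # not in the catalog: a finding, but not a BOD 22-01 item
}


@dataclass
class Finding:
    asset: str
    cve_id: str
    product: str
    due: date
    days_left: int  # negative means the catalog due date has already passed
    required_action: str

    @property
    def status(self) -> str:
        return "OVERDUE" if self.days_left < 0 else "DUE"


def load_catalog(raw_json: str) -> dict[str, dict]:
    """Index the catalog by CVE ID so each inventory lookup is a single dict hit."""
    data = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def build_findings(catalog: dict[str, dict], inventory: dict[str, list[str]], today: date):
    """Join inventory CVEs against the catalog; return (catalog hits sorted by due date, skipped count)."""
    findings: list[Finding] = []
    skipped = 0
    for asset, cves in inventory.items():
        for cve_id in cves:
            entry = catalog.get(cve_id)
            if entry is None:
                skipped += 1  # outside the directive's scope; handled under normal patch policy
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append(Finding(asset, cve_id, entry["product"], due,
                                    (due - today).days, entry["requiredAction"]))
    # Most urgent first: earliest due date, then asset name for a stable order.
    findings.sort(key=lambda f: (f.due, f.asset))
    return findings, skipped


def summarize(findings: list[Finding], skipped: int) -> dict[str, int]:
    """Counts suitable for the progress report the directive asks for."""
    overdue = sum(1 for f in findings if f.status == "OVERDUE")
    return {"overdue": overdue, "due": len(findings) - overdue,
            "total": len(findings), "not_in_catalog": skipped}


def render_report(findings: list[Finding], today: date) -> str:
    """One line per open catalog item, with the required action next to it."""
    lines = [f"KEV remediation status as of {today.isoformat()}"]
    for f in findings:
        lines.append(f"{f.status:8}{f.asset:12}{f.cve_id:16}due {f.due} ({f.days_left:+d}d)  {f.required_action}")
    return "\n".join(lines)


def run_example(today_iso: str = "2021-12-01"):
    """Run the whole pipeline on the constructed data for a fixed 'today' (reproducible output)."""
    today = date.fromisoformat(today_iso)
    catalog = load_catalog(SAMPLE_KEV_JSON)
    findings, skipped = build_findings(catalog, SAMPLE_INVENTORY, today)
    return findings, summarize(findings, skipped), render_report(findings, today)


if __name__ == "__main__":
    _findings, summary, report = run_example()
    print(report)
    print(summary)
```

In practice the catalog string would be replaced by the downloaded feed and the inventory by a scanner or CMDB export; the sort order is what turns the catalog into a work queue, and the summary counts are the numbers a progress report needs.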

JetPatch offers a modern patching platform that meets all the requirements of CISA directive 22-01 (along with earlier standards including directive 19-02 and other regulatory needs). Here are a few ways JetPatch makes compliance simple:

  • Single-pane visibility into all your assets and their remediation status
  • Automatic download of all relevant updates for your assets and endpoints
  • Prioritization of remediation steps to meet BOD 22-01 or any other compliance standard

With full reporting capabilities, JetPatch helps you easily meet reporting requirements, avoiding audits and fines—not just from CISA but many other regulatory standards including PCI DSS and GDPR. (Find out more about compliance here).

Not only that, but JetPatch gives you sophisticated tools to analyze your patching performance over time, building in C-suite and investor accountability and generating ROI for your cyber security program as a whole.

Discover all the ways JetPatch makes compliance simple – and get started protecting your assets in seconds.

Todd Kirkland