On November 3, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 22-01 – Reducing the Significant Risk of Known Exploited Vulnerabilities. As a result of ongoing cyber threats against Department of Defense (DoD) agencies, this directive is compulsory, meaning federal departments and agencies must comply. This includes the executive branch, due to the going concern of more frequent and sophisticated DoD hacks.
Whether you work for a government agency or not, it’s good for you to know about this directive as a result of the most recent DoD hack this fall. While the government jargon in these requirements can sometimes be confusing, this overview will provide some guidance for you to better understand what such a directive entails — and ultimately, put you in a better position with your overall awareness of cybersecurity issues and threats and how they may or may not impact your own business.
In the case of this recent directive issued in early November, it states that all software and hardware found on federal information systems fall under it’s requirements. Any federal information system, including those used or operated by a third party on behalf of an agency, must conform to the directive if it collects, processes, stores, transmits, disseminates, or otherwise maintains agency information. BOD 22-01 requires:
- Agencies must review and update internal vulnerability management procedures within 60 days.
- They must remediate each vulnerability by the dates listed in the Vulnerability Catalog.
- Agencies must report the status of vulnerabilities.
The vulnerability catalog is designed to help organizations identify and remediate critical vulnerabilities as quickly as possible.
In September 2021, National Security Agency Director Gen. Paul Nakasone indicated a change in the government’s approach to cybersecurity. He indicated cybersecurity threats are becoming more frequent, in that even six months ago, we probably would have said, ‘Ransomware, that’s criminal activity. But if it has an impact on a nation, like we’ve seen, then it becomes a national security issue.’
This change in perspective coupled with President Biden’s Executive Order of May 2021 places a high priority on establishing policies and procedures to help public and private institutions defend against cyberattacks. As Nakasone pointed out, cybercriminals are finding new ways to penetrate defenses faster than agencies can block them.
Until recently, the only cyberattacks to hit the news were related to the theft of consumer data. That changed when SolarWinds became the victim of a cyberattack. By compromising SolarWinds’ Orion update server, cybercriminals were able to infect at least 100 companies and several government agencies such as the US Departments of Justice, Energy, and State.
For many organizations, the impact of the SolarWinds compromise has faded, but not for government agencies such as the US Department of Homeland Security (DHS) and cybersecurity specialists. The sophistication level of the attack was well beyond what anyone had seen, and its ability to remove all identifying code was unparalleled. According to Alex Stamos of Stanford’s Internet Observatory, the SolarWinds’ attack was one of the most effective cyber-espionage campaigns of all time. It demonstrated the hackers’ technical skill and their clear understanding of how companies deploy software.
A state-sponsored attack on Microsoft’s Exchange Server occurred in January 2021. It marked the first time the US attributed a cyberattack to the People’s Republic of China (PRC). The hackers exploited a known vulnerability in on-premise Exchange Servers that allowed them to imitate a trusted data request. Whether it was a government contractor or a government agency, the hackers were able to collect vast amounts of data that could have national security implications when combined with other data.
For cybersecurity specialists, the scope of the compromise increased awareness of the sophistication of state-sponsored espionage. Given the magnitude of the threats, the US DHS, along with the DoD, began a campaign to strengthen US cyber defenses against government hacking attempts.
Palo Alto’s Unit 42 identified at least nine organizations that have been the target of unknown hackers beginning in September 2021. Among those victims were defense, energy, health care, technology, and education agencies. The National Security Agency and cybersecurity researchers are trying to expose this ongoing effort to steal critical data from US defense contractors.
In this government hack, bad actors attempted to steal passwords that gave them long-term access to networks. They intended to intercept data sent via email or stored on servers until they were detected and removed from the network. Although it is still unclear who is behind the attacks, most cybersecurity experts believe it is just the tip of the iceberg, with more compromised organizations to come.
Cybercrime — if it were a country — would have the third-largest GDP in the world. Only the US and China have higher GDPs. Given the profitability of the industry, its growth will continue to increase. According to its 2020 annual report, the FBI saw an increase of 300,000 complaints in 2020. The following cybercrime statistics illustrate its growing threat:
- The average ransomware payment grew 33% in 2020.
- The average ransom payment was $133,000 in 2020.
- 65% of hacking groups used spear-phishing as their initial attack vector.
What is BOD 22-01?
In 2015, the CISA reported that it took federal agencies too long to remediate vulnerabilities, sometimes as many as 300 days. As a result, the agency issued BOD 15-01 that required agencies to remediate critical risk vulnerabilities within 30 days of detection. In 2019, the CISA issued BOD 19-02 that shortened the remediation period to 15 days. Cybercriminals were developing tools that enabled faster and more sophisticated attacks that were difficult for federal agencies to mitigate. The US needed a better way to address cyberthreats. Before BOD 22-01, the identification and remediation of vulnerabilities required three systems.
Common Vulnerability Scoring System (CVSS)
The US National Infrastructure Assurance Council (NIAC) developed an open framework for assessing the risk of a known vulnerability in publicly available software in 2005. Before 2005, some vendors indicated the level of risk associated with vulnerabilities in their software. However, IT departments had no way of knowing which vulnerabilities posed the highest risk without a standard scoring system.
CVSS simplifies the process of generating vulnerability scores by applying a consistent framework to identify weaknesses. With full access to the framework’s parameters, anyone can view the rationale behind a CVSS score. Since 2005, the CVSS has gone through multiple versions, with the most current release (3.1) in 2019. Organizations such as Cisco, HP, IBM, and Oracle use CVSS values when evaluating vulnerabilities. Government agencies, including the US Department of Homeland Security, also use the system.
Common Vulnerabilities and Exposures
Every reported vulnerability receives a unique identifier which is created using the following:
- Four-digit year
- Sequence Number
For example, CVE-2020-0078 is the 78th vulnerability in 2020. So far this year, there are over 17,500 reported vulnerabilities.
National Vulnerability Database (NVD)
The National Institute of Standards and Technology (NIST) maintains a database that uses the CVE to identify a vulnerability and provides a CVSS value, along with an explanation of the reported weakness. The NVD does not determine the level of risk associated with a CVE. Rather, it reports a CVSS security score and associated fixes if available.
Catalog of Known Exploited Vulnerabilities (KEV)
BOD 22-01 creates the KEV and tasks the CISA with overseeing its publication and compliance because trying to determine which vulnerabilities to address is a formidable task for any organization. There are close to 18,000 vulnerabilities, not all of which have a fix.
Those vulnerabilities are identified not by the software or the company but by a number, making it difficult for IT personnel to locate entries for a specific product. The CVSS is a severity score based on a set of theoretical parameters. The score does not take into account whether the vulnerability has been exploited in the wild (real world).
Cybercriminals do not attack vulnerabilities based on their CVSS score. They may use multiple weaknesses to infiltrate a system. When hackers compromised Microsoft Exchange servers, they used low-scoring CVSS weaknesses to gain access before they deployed additional code that gave them administrative privileges. This example illustrates the need for real-world assessments of vulnerability risks.
The CISA-managed catalog is designed to help organizations identify which vulnerabilities carry significant risk to federal agencies and those companies that do business with them. Vulnerabilities will appear in the catalog if:
- They have a CVE ID.
- They have been actively exploited in the wild.
- They have a documented remediation method.
How to Comply with BOD 22-01
The directive focuses on the identification, remediation, and reporting of known vulnerabilities that have been deployed in the wild. It is a system that helps organizations focus on the high-risk weaknesses that are being exploited and provides recommendations on how to mitigate the vulnerability by a given deadline.
The directive requires government contractors and agencies to complete the following:
- Develop a process for remediating vulnerabilities listed in the KEV.
- Designate individuals responsible for executing BOD 22-01.
- Define a playbook for responding to cyber incidents.
- Establish an internal compliance and enforcement procedure.
- Report adherence to the directive through tracking and auditing tools.
Similar requirements can be found in the 43 capabilities and 17 cybersecurity domains of DoD’s CMMC framework for DoD government contractors.
The CISA-managed catalog lists the CEV identifier for each vulnerability with a timeline for remediation. The catalog is a subset of the NVD and focuses on weaknesses that have a significant risk to the federal government and its contracting ecosystem. A typical entry has the following information:
- CVE: This identifier corresponds to the entry in the NVD. Clicking on the ID transfers the user to the full entry in the NVD.
- Vendor: The name of the entity that created the software.
- Product: The name of the product having the vulnerability
- Name: Textual name of the vulnerability
- Date Added: The data the weakness was reported to NVD
- Description: Brief description of the vulnerability. Complete information is available through the NVD link.
- Action: List what action to take to remove the vulnerability
- Due Date: Date that the remediation must be complete.
The CISA recommends signing up for email alerts. These emails will notify anyone on the list when a new CVE is added to the catalog. These alerts minimize the need for constantly checking the catalog.
The directive identifies the reporting system to be used when complying with BOD 22-01. Many of the reporting requirements align with CMMC certification requirements. Making the BOD 22-01 requirements part of a CMMC certification can ease the burden of multiple certifications of the same requirements.
For DoD government contractors, companies should have a plan in place for achieving CMMC certification. Since the CMMC framework is ongoing, government contractors should consider incorporating BOD 22-01 requirements into their CMMC framework. For example, CMMC requires organizations to ensure all patches and fixes are applied, and logging is implemented for auditing and reporting. These capabilities are very similar to BOD 22-01 requirements.
As cyberthreats become more sophisticated and supply chain attacks multiply, organizations need to ensure a strong security posture. CMMC consultants, like Machado Consulting, are versed in the CMMC framework and can guide you through the process of incorporating BOD 22-01 without significant impact on your daily operations. While the barrage of directives being communicated may sometimes seem overwhelming, this is also where a trusted advisor who is well versed in cybersecurity requirements – for government and private business – can be a resource for you.