To Meet CISA's New Directive on Vulnerability Management, Prioritize with Cyber Risk Quantification

November 10, 2021 | Jeff B. Copeland

The new Cybersecurity and Infrastructure Security Agency (CISA) “Binding Operational Directive 22-01 - Reducing the Significant Risk of Known Exploited Vulnerabilities” lays down some tough requirements for federal agencies and their contractors.

Within 60 days, agencies must:

  • Update their internal vulnerability management procedures.
  • Establish an ongoing process for remediating vulnerabilities that CISA identifies through a new catalog of known exploited vulnerabilities. 

Working off that catalog, agencies have six months to remediate 200 vulnerabilities of “significant risk” based on a CVE ID assigned prior to 2021, and just two weeks to remediate 90 vulnerabilities identified in 2021. 

This new mandate follows on Binding Operational Directive 19-02 in 2019 that ordered agencies to remediate “critical” and “high” vulnerabilities within 15 or 30 days after detection on an agency’s internet-accessible systems. 

Giving some guidance on prioritizing vulnerabilities is good in principle, but CISA leaves it to the agencies to figure out how to make it work in their own environments. The challenges can be daunting: Instituting a new – and rapid – process for remediating vulnerabilities carries a cost and may require staffing and additional software at agencies already strapped for cash to fulfill their basic, non-cyber missions. Alternatively, there’s a cost in cyber loss exposure for failing to remediate.

This is where federal cybersecurity management practice falls short. Ideally, agencies could prioritize remediation investments based on their capacity to reduce loss exposure. In fact, many federal mandates and directives (from OMB, DHS, FISMA, Executive Orders, NIST standards) have urged agencies to adopt such a quantified, risk-based investment strategy, but as a GAO audit found in 2019, agencies were largely failing at systematic, cost-effective risk management.

Some agencies, including the Energy Department and NASA, are pioneering risk management based on cyber risk quantification (CRQ) with FAIR™ (Factor Analysis of Information Risk), the international standard for CRQ.

NIST published FAIR as an Informative Reference to the Cybersecurity Framework (NIST CSF) in the sections covering risk analysis (ID.RA) and risk management (ID.RM). NISTIR 8286, the new standard for integrating cybersecurity and ERM, lists FAIR among valid risk analysis methods “to better prioritize risks or to prepare more accurate risk exposure forecasts.”

Learn more: How FAIR Can Help the Federal Government Better Prioritize and Right-Size Its Cybersecurity Investments (FAIR Institute)

As the only risk analysis and risk management platform built on FAIR, RiskLens helps federal agencies and their contractors cost-effectively meet CISA’s Binding Operational Directives and other federal standards. With the RiskLens platform, federal cyber risk managers can quantify a baseline of current risk (loss exposure in dollars), then model the cost vs. benefit in reduced loss exposure for remediating risks and prioritize spending accordingly.

RiskLens can also show agencies a better way to prioritize vulnerability management than CVE scores alone (which in effect treats all “critical” or “high” vulnerabilities in a catalog as equal) by shifting from a vulnerability focus to an asset focus. If you can understand the economic impact at the asset level, you can prioritize vulnerability remediation by that measure. (Learn more: How to Turn 10,000 Vulnerabilities into a Manageable Cyber Risk Problem.)
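The following Python sketch is an added illustration of the asset-focused approach described above; it is not RiskLens code or platform logic. It ranks the same set of findings two ways: by severity score alone, and by reduction in annualized loss exposure per remediation dollar, using FAIR's top-level decomposition of loss exposure into loss event frequency times loss magnitude. Every asset figure, vulnerability identifier, remediation cost and reduction fraction below is a constructed assumption chosen only to show how the two orderings can diverge.

```python
"""Asset-focused vulnerability prioritization with FAIR-style loss exposure.

Added example, not RiskLens code. FAIR's top-level factors:
    annualized loss exposure (ALE) = loss event frequency (LEF) x loss magnitude (LM)
All numbers and identifiers below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    name: str
    loss_event_frequency: float  # assumed estimate: loss events per year
    loss_magnitude: float        # assumed estimate: dollars lost per event

    @property
    def annualized_loss_exposure(self) -> float:
        return self.loss_event_frequency * self.loss_magnitude


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str             # placeholder identifier, not a real CVE
    severity_score: float    # e.g. a CVSS base score (constructed)
    asset: str               # name of the asset the finding sits on
    remediation_cost: float  # assumed one-time cost in dollars
    lef_reduction: float     # assumed fraction of the asset's LEF removed by fixing it


# Constructed assets: a high-value database, a public web server, a throwaway test VM.
ASSETS: Dict[str, Asset] = {
    "payroll-db": Asset("payroll-db", loss_event_frequency=0.5, loss_magnitude=4_000_000.0),
    "public-web": Asset("public-web", loss_event_frequency=2.0, loss_magnitude=50_000.0),
    "test-vm": Asset("test-vm", loss_event_frequency=1.0, loss_magnitude=5_000.0),
}

# Constructed findings: the highest severity score lands on the least valuable asset.
VULNS: List[Vulnerability] = [
    Vulnerability("EXAMPLE-0001", 9.8, "test-vm", remediation_cost=2_000.0, lef_reduction=0.9),
    Vulnerability("EXAMPLE-0002", 7.5, "payroll-db", remediation_cost=20_000.0, lef_reduction=0.6),
    Vulnerability("EXAMPLE-0003", 8.1, "public-web", remediation_cost=5_000.0, lef_reduction=0.5),
]


def baseline_loss_exposure(assets: Dict[str, Asset]) -> float:
    """Current-state ALE summed over all assets (the 'baseline' in dollars)."""
    return sum(a.annualized_loss_exposure for a in assets.values())


def severity_ranking(vulns: List[Vulnerability]) -> List[str]:
    """Vulnerability-focused ordering: highest severity score first."""
    return [v.vuln_id for v in sorted(vulns, key=lambda v: v.severity_score, reverse=True)]


def risk_reduction(v: Vulnerability, assets: Dict[str, Asset]) -> float:
    """Dollars of ALE removed per year if this finding is remediated."""
    return assets[v.asset].annualized_loss_exposure * v.lef_reduction


def cost_benefit_ranking(vulns: List[Vulnerability], assets: Dict[str, Asset]) -> List[str]:
    """Asset-focused ordering: ALE reduction per remediation dollar, highest first."""
    scored = [(v.vuln_id, risk_reduction(v, assets) / v.remediation_cost) for v in vulns]
    return [vid for vid, _ in sorted(scored, key=lambda t: t[1], reverse=True)]


if __name__ == "__main__":
    print(f"Baseline loss exposure: ${baseline_loss_exposure(ASSETS):,.0f}/yr")
    print("By severity score:  ", severity_ranking(VULNS))
    print("By ALE reduction/$: ", cost_benefit_ranking(VULNS, ASSETS))
    for v in VULNS:
        print(f"  {v.vuln_id}: removes ${risk_reduction(v, ASSETS):,.0f}/yr "
              f"for ${v.remediation_cost:,.0f}")
```

Run as a script, the two orderings are reversed: the 9.8-scored finding on the test VM buys back the least exposure per dollar, while the 7.5-scored finding on the payroll database buys back the most. The inputs are deliberately coarse (single point estimates rather than FAIR's calibrated ranges), which is enough to show why an asset-level loss figure changes the order of work.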

Get a close-up look at the RiskLens CRQ platform and the advanced risk management practices our consultants can bring to federal agencies and contractors – Contact Us.