Federal Deadlines for Updates to Known Exploited Vulnerabilities and Zero-day Patches

These deadlines to remediate identified vulnerabilities and patch zero-days are a mandate for federal agencies under Binding Operational Directive (BOD) 22-01. Even so, a review of these recent announcements is an excuse for private sector organizations to revisit their current compliance and risk mitigation measures, as “although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.” Although this is only a cursory, anecdotal, informal observation on our part, there does seem to be a general uptick so far this year in the volume of Known Exploited Vulnerabilities and Zero-days reported by CISA, MITRE, and NIST. All the more reason for your organization to pause and evaluate these threat vectors. For the C-level and Boards of Directors, what follows is a sampling of the types of threats your CISO and cybersecurity team face in the current threat landscape.