Overview
Note the rename
CISA BOD 22-01 was relaunched as the CISA KEV (Known Exploited Vulnerabilities) list in 2022. You will see references to both CISA BOD and CISA KEV in the Nucleus documentation and platform, depending on whether you are a federal customer or a commercial client.
On November 3, 2021, the Cybersecurity and Infrastructure Security Agency (CISA), a branch of the U.S. Department of Homeland Security (DHS), released Binding Operational Directive (BOD) 22-01. Cybersecurity directives from CISA are infrequent, the last being issued on September 2, 2020, and they tend to be at a rather high level. BOD 22-01 is different, because it instructs agencies to remediate a specific list of vulnerabilities, and it attaches strict deadlines. Importantly, this directive is a requirement, and not simply guidance or a recommended best practice.
The target for this BOD is government organizations. However, it is not at all uncommon for private industry to adopt government standards once they become aware of them. Organizations with significant government contracts in their book of business would do well to comply and be able to prove compliance upon demand. Fortunately, Nucleus simplifies compliance with CISA BOD 22-01.
Where to find and how to use
CISA BOD 22-01 results can be found, associated with specific CVEs, on the Vulnerability Intelligence tab of the detail view on any vulnerability or compliance finding.
You can also filter vulnerabilities for analysis and reporting based on CISA BOD 22-01 results using the Filter button and query builder on the Vulnerabilities > Active view.

Additionally, CISA BOD 22-01 can be used as criteria for triggering automation rules that create downstream events like Finding Processing and Notifications.

NOTE: When evaluating CISA Known Exploited Vulnerabilities (KEV) status across Findings, Nucleus currently only checks the primary CVE in each finding’s vulnerability intelligence record. If a finding contains multiple CVEs, only the first (primary) CVE determines whether the finding is marked as KEV-true.
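
To see which findings the primary-CVE check in the note above would leave unmarked, the following added example (not Nucleus code) compares primary-only KEV status with status across every CVE in a finding. The KEV sample follows the `cveID` and `dueDate` fields of CISA's JSON feed; the finding layout, finding IDs, and CVE IDs are constructed placeholders and are not a Nucleus export schema.

```python
# Constructed sample in the shape of CISA's KEV JSON feed (cveID, dueDate).
# The CVE IDs and dates are placeholders, not real catalog entries.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dueDate": "2022-05-03"},
    {"cveID": "CVE-0000-0004", "dueDate": "2022-06-14"},
]}

# Constructed findings; the field names are hypothetical, not a Nucleus export
# schema. The first entry in "cves" is treated as the primary CVE.
FINDINGS = [
    {"id": "F-1", "cves": ["CVE-0000-0001", "CVE-0000-0002"]},
    {"id": "F-2", "cves": ["CVE-0000-0003", "CVE-0000-0004"]},
    {"id": "F-3", "cves": ["CVE-0000-0005"]},
    {"id": "F-4", "cves": []},
]


def kev_index(feed):
    """Map upper-cased CVE ID -> remediation due date from a KEV feed."""
    return {v["cveID"].strip().upper(): v.get("dueDate")
            for v in feed.get("vulnerabilities", [])}


def classify(finding, kev):
    """Compare primary-only KEV status with status across every CVE."""
    cves = [c.strip().upper() for c in finding.get("cves", [])]
    hits = [c for c in cves if c in kev]
    return {
        "id": finding["id"],
        "primary_only": bool(cves) and cves[0] in kev,
        "any_cve": bool(hits),
        "kev_cves": hits,
        # Earliest due date among matching CVEs (ISO dates sort as text).
        "earliest_due": min((kev[c] for c in hits if kev[c]), default=None),
    }


def missed_by_primary_check(findings, feed):
    """Findings with a KEV-listed CVE that is not the primary one."""
    kev = kev_index(feed)
    results = [classify(f, kev) for f in findings]
    return [r for r in results if r["any_cve"] and not r["primary_only"]]


if __name__ == "__main__":
    for r in missed_by_primary_check(FINDINGS, KEV_FEED):
        print(r["id"], r["kev_cves"], "due", r["earliest_due"])
```

Findings returned by `missed_by_primary_check` are candidates for manual review or tagging, since they carry a KEV-listed CVE that is not in the primary position.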