The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new directive requiring federal agencies to prioritize the remediation of high-risk security vulnerabilities, building on its existing Known Exploited Vulnerabilities (KEV) catalog. The directive requires agencies to strengthen their vulnerability management policies, monitor for updates, and meet specified remediation timelines that depend on the risk level of each vulnerability.
The latest directive from CISA, BOD 26-04, requires federal agencies to prioritize patching high-risk vulnerabilities, with particular emphasis on those listed in the Known Exploited Vulnerabilities (KEV) catalog. This approach moves agencies away from relying solely on CVSS scores and toward focusing on vulnerabilities that enable downstream privilege escalation and full control over affected assets. For cybersecurity professionals, this underscores the importance of integrating vulnerability management with privileged access management so that risks are mitigated efficiently and the potential damage from a successful exploit is limited.