1. Home
  2. |Insights
  3. |CISA Releases Catalog of Cybersecurity Vulnerabilities Along With a Plan for Remediation

CISA Releases Catalog of Cybersecurity Vulnerabilities Along With a Plan for Remediation

Client Alert | 1 min read | 11.04.21

Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA) released a catalog of almost 300 vulnerabilities in commonly used software known to be exploited by threat actors, along with a Binding Operational Directive (Directive or BOD) requiring Federal civilian agencies to remediate such vulnerabilities within prescribed deadlines. BOD 22-01, Reducing the Significant Risks of Known Exploited Vulnerabilities, applies to information systems operated by or for a Federal civilian agency and mandates that:

  1. Agencies review and update their internal vulnerability management procedures in accordance with the Directive by January 3, 2022;
  2. Remediate each vulnerability by the deadline set forth in the vulnerability catalog; and
  3. Report their vulnerability remediation status through CISA’s Continuous Diagnostics and Mitigation Federal Dashboard.

CISA intends to update the catalog with additional vulnerabilities once there is reliable evidence that the vulnerability has been actively exploited and there is a clear remediation action for the vulnerability, such as a vendor-provided update. Companies interested in receiving automatic updates when new vulnerabilities are added to the catalog can subscribe to the catalog update bulletin on CISA’s website.

For now, the Directive applies only to civilian agencies and contractors operating an information system on behalf of a civilian agency. It’s too soon to tell, however, whether the Department of Defense and/or the Intelligence Community will follow with similar actions. Regardless, CISA “strongly recommends” that private businesses voluntarily review the catalog, sign up to receive updates, and remediate the listed vulnerabilities in order to strengthen their cybersecurity defenses.

Contacts

Insights

Client Alert | 1 min read | 07.08.26

CAS Board Publishes Final Rule Rescinding CAS 404, 408, 409, and 4117

As part of its ongoing effort to conform the Cost Accounting Standards (“CAS”) to generally accepted accounting principles (“GAAP”), the CAS Board published a final rule rescinding CAS 408 (Accounting for costs of compensated personal absence) and CAS 411 (Accounting for acquisition costs of material).  The CAS Board also rescinded CAS 404 (Capitalization of tangible assets) and CAS 409 (Depreciation of tangible capital assets) but retained certain requirements of CAS 404 and 409, which will be located in new paragraphs of CAS 405 (Accounting for unallowable costs).  Specifically, the CAS Board retained the requirements currently located at CAS 404-50(d)(1), CAS 409-50(e)(5), CAS 409-50(j)(1), and CAS 409-50(j)(4), which the CAS Board explained are necessary to protect the Government’s interests.  Otherwise, the CAS Board determined that the requirements of CAS 404, 408, 409, and 411 overlapped with GAAP such that GAAP “may be applied reasonably as a substitute for CAS to support contract cost and pricing.”...