CISA Releases Catalog of Cybersecurity Vulnerabilities Along With a Plan for Remediation
Client Alert | 1 min read | 11.04.21
Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA) released a catalog of almost 300 vulnerabilities in commonly used software known to be exploited by threat actors, along with a Binding Operational Directive (Directive or BOD) requiring Federal civilian agencies to remediate such vulnerabilities within prescribed deadlines. BOD 22-01, Reducing the Significant Risks of Known Exploited Vulnerabilities, applies to information systems operated by or for a Federal civilian agency and mandates that:
- Agencies review and update their internal vulnerability management procedures in accordance with the Directive by January 3, 2022;
- Remediate each vulnerability by the deadline set forth in the vulnerability catalog; and
- Report their vulnerability remediation status through CISA’s Continuous Diagnostics and Mitigation Federal Dashboard.
CISA intends to update the catalog with additional vulnerabilities once there is reliable evidence that the vulnerability has been actively exploited and there is a clear remediation action for the vulnerability, such as a vendor-provided update. Companies interested in receiving automatic updates when new vulnerabilities are added to the catalog can subscribe to the catalog update bulletin on CISA’s website.
For now, the Directive applies only to civilian agencies and contractors operating an information system on behalf of a civilian agency. It’s too soon to tell, however, whether the Department of Defense and/or the Intelligence Community will follow with similar actions. Regardless, CISA “strongly recommends” that private businesses voluntarily review the catalog, sign up to receive updates, and remediate the listed vulnerabilities in order to strengthen their cybersecurity defenses.
Contacts
Partner, Crowell Global Advisors Senior Director
- Washington, D.C.
- D | +1.202.624.2698
- Washington, D.C. (CGA)
- D | +1 202.624.2500
Insights
Client Alert | 3 min read | 11.21.25
On November 7, 2025, in Thornton v. National Academy of Sciences, No. 25-cv-2155, 2025 WL 3123732 (D.D.C. Nov. 7, 2025), the District Court for the District of Columbia dismissed a False Claims Act (FCA) retaliation complaint on the basis that the plaintiff’s allegations that he was fired after blowing the whistle on purported illegally discriminatory use of federal funding was not sufficient to support his FCA claim. This case appears to be one of the first filed, and subsequently dismissed, following Deputy Attorney General Todd Blanche’s announcement of the creation of the Civil Rights Fraud Initiative on May 19, 2025, which “strongly encourages” private individuals to file lawsuits under the FCA relating to purportedly discriminatory and illegal use of federal funding for diversity, equity, and inclusion (DEI) initiatives in violation of Executive Order 14173, Ending Illegal Discrimination and Restoring Merit-Based Opportunity (Jan. 21, 2025). In this case, the court dismissed the FCA retaliation claim and rejected the argument that an organization could violate the FCA merely by “engaging in discriminatory conduct while conducting a federally funded study.” The analysis in Thornton could be a sign of how forthcoming arguments of retaliation based on reporting allegedly fraudulent DEI activity will be analyzed in the future.
Client Alert | 3 min read | 11.20.25
Client Alert | 3 min read | 11.20.25
Client Alert | 6 min read | 11.19.25
