OVERVIEW
The impact of cybersecurity intrusions that leverage vulnerabilities in information technology and operational technology products threatens the public sector, the private sector, and ultimately the American people’s security and privacy.
In 2020, industry partners identified a total of 18,358 new cybersecurity vulnerabilities, or Common Vulnerabilities and Exposures (CVEs). Of these, 10,342—an average of 28 per day—are classified “critical” or “high severity” vulnerabilities.
Organizations across both public and private sectors struggle to find time to test and implement remediations to these vulnerabilities—such as patches and updates—across complex infrastructures.
Additionally, the effort and subject matter expertise required to research the degree of risk posed by a given vulnerability makes prioritizing CVEs a challenge.
In response to these challenges, the Cybersecurity and Infrastructure Security Agency (CISA), via Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, has created—and published on CISA.gov—a living catalog of known exploited vulnerabilities that carry significant risk; 182 vulnerabilities from 2017-2020 and 108 from 2021 make up the initial publication. CISA will regularly update the catalog with new known exploited vulnerabilities that meet specified thresholds.