The Cybersecurity and Infrastructure Security Agency (CISA) recently issued a Binding Operational Directive requiring all federal agencies to apply patches to new and old vulnerabilities that are being exploited in the wild.

The Directive, entitled Reducing the Significant Risk of Known Exploited Vulnerabilities, “establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal enterprise…and establishes requirements for agencies to remediate any such vulnerabilities included in the catalog.”

The Directive applies “to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency’s behalf. These required actions apply to any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.”

The listed required actions include some that must be implemented no later than November 17, 2021, and others before May of 2022. A summary of the Directive can be accessed here.