Onapsis CEO Mariano Nunez on CISA Binding Operational Directive 22-01

Earlier this year, the Biden Administration issued an Executive Order on Improving the Nation’s Cybersecurity. President Biden recognized the ongoing threat to the American people’s (and, by extension, the world’s) security and privacy from increasingly sophisticated malicious cyber campaigns. At the time, I commented that this was a bold and much-needed step forward to protect the business-critical applications upon which we all rely. I also noted that this was just the beginning…and that there was a lot more work to be done.

Fast forward to November 3rd…the work continues.

On that date, the Biden Administration issued Binding Operational Directive 22-01. Entitled “Reducing the Significant Risk of Known Exploited Vulnerabilities”, it establishes both a formal, CISA-managed catalog of known exploited vulnerabilities that present critical risk and the requirements for agencies to remediate them.

This is big. And not just from a newsworthy perspective, which it is! 

Through its formal catalog and compulsory remediation requirements, the Biden Administration has officially recognized that software and application vulnerabilities present a huge risk to the integrity of federal information systems and to the security of the United States. With this directive, the Biden Administration mandates an aggressive approach and schedule to remediate known exploited vulnerabilities and, ultimately, protect federal systems.

Considering our current threat landscape, an aggressive approach is more than welcome. 

I could point to a myriad of surveys and reports from the private sector discussing the immense backlogs of unpatched vulnerabilities in enterprise organizations. For example, a February 2021 Ponemon Institute report noted that two-thirds of surveyed organizations have a backlog of application vulnerabilities, and 58% of respondents also note that it takes days, weeks, or even months to shore up an application in production after detecting a vulnerability. The combination of these two things – i.e., a backlog and delays in patching – means that organizations face a Sisyphean challenge when it comes to protecting their business-critical applications from open attack vectors and malicious threat actors.

Here at Onapsis, we’ve been leading the charge to protect business-critical applications, such as SAP and Oracle, since our founding in 2009. Why the hyperfocus? Because these systems are widely deployed for mission-critical operations worldwide – including by organizations in essential industries and by government and defense agencies. According to SAP, more than 1000 government and government-owned organizations around the world, and 170 defense and security organizations in the US alone, rely on SAP software. Furthermore, 64% of SAP’s large enterprise sector customers are considered part of “critical infrastructure”, as defined by the US Department of Homeland Security.

The Onapsis Research Labs go deeper into analyzing vulnerabilities in these critical applications where others cannot. Their threat research has led to over 800 zero-day vulnerability discoveries; in 2020 alone, these accounted for 40% of all critical SAP notes.

In April of this year, Onapsis and SAP (in close partnership with the US Department of Homeland Security’s CISA) jointly issued a threat intelligence report detailing observed threat actor activity and techniques that could lead to full control of unsecured, unpatched SAP applications. What was particularly alarming was that many of the vulnerabilities being exploited were well known, with mitigations and/or patches widely available to reduce the risk. They simply hadn’t been applied.

In July, SAP and Onapsis followed up on our threat alert with a call for a renewed commitment to key security fundamentals – this time in the context of the ongoing threat of ransomware. Almost all of our recommendations focused on mitigating risk through continuous assessment of vulnerabilities across the SAP landscape. Why was that? Because ransomware continues to prey on software vulnerabilities as a primary attack vector.

The current status quo is a proverbial recipe for disaster. Strong, urgent action is required, which is why this BOD is another bold step forward.

To help SAP security administrators directly affected by this BOD, the Onapsis Research Labs have compiled a list of SAP vulnerabilities from CISA’s catalog along with guidance on remediation. You can find that list here.

For our friends and clients in the US Federal government, we’ll be reaching out with our “Find and Fix” program to see how Onapsis can help you and your teams meet the requirements of this mandatory directive and mitigate risk in your SAP systems. For our friends and clients at the state and local government level, or those who do business (e.g., provide information systems) with government entities, let’s have that conversation as well to see how the Onapsis “Find and Fix” program can help you too. While this directive is considered compulsory for all federal and executive branch departments, it’s key to remember that what starts at the federal level traditionally cascades down to state and local governments as well as the private sector, especially those providing systems and support to federal agencies.

In this new era of interconnected risk, I believe it’s imperative that we all come together to face these challenges. This BOD mandates bold action. Let’s rise up, tackle it together, and do what we can to secure our most critical systems from malicious cyber campaigns.