Federal Tech Podcast: for innovators, entrepreneurs, and CEOs who want to increase reach and improve brand awareness

Ep. 42 Vulnerability Management for Federal Systems



All systems, including federal systems, are full of vulnerabilities. The question is, given a limited number of hours in the day and a limited staff, how can you optimize your resources to remedy this issue?

Well, the Cybersecurity & Cyberinfrastructure Security Agency has released a Binding Operative Directive that targets that concern. It was released on November 10, 2023, and is titled, "Transforming the Vulnerability Landscape."

During today's interview, Willie Hicks from Dynatrace will look at the whole issue of discoverability and what impact this new BOD will have on the federal community.

If you examine the BOD from 40,000 feet, it transfers the focus from the federal technology leaders to the vendors. Instead of having a security announcement buried on a vendor's website, CISA suggests it be posted in a machine-readable format. This way, updates can be automatically sent out so they can be ingested.

The Vulnerability Exploitability eXchange helps users know if a given product is impacted. The military knows that if you defend everything, you defend nothing. It allows links to the Software Bill of Materials so users can know which vulnerabilities they should worry about.

Finally, they look at something called the Stakeholder Specific Vulnerability Exchange. This reinforces the fact that not all vulnerabilities impact all federal agencies. CISA suggests that agencies consider vulnerability frameworks that can assist in reducing risk.

Will Hicks applies his years of experience in federal technology to unpack many of these concepts during the interview. He reinforces the concept of visibility. One cannot set appropriate priorities if one doesn't know what is on the network. Once that essential step is accomplished, an administrator can use guidelines to set priorities.


By John Gilroy
