The Federal Risk and Authorization Management Program has announced that cloud service providers that maintain federal information are covered by a binding operational directive issued by the Cybersecurity and Infrastructure Security Agency.
BOD 22-01 seeks to reduce the risk posed by known exploited vulnerabilities and requires agencies to remediate, by the due dates CISA assigns, any vulnerability listed in the CISA-managed Known Exploited Vulnerabilities (KEV) catalog, FedRAMP said Tuesday.
FedRAMP said it has updated its Plan of Action and Milestones (POA&M) template so that cloud service providers can track their vulnerabilities against the catalog.
Cloud service providers (CSPs) can track those vulnerabilities in the new template or add a column to their existing POA&M. They should also register for CISA's automatic alerts to stay informed of vulnerabilities newly added to the catalog.
“CSPs should only include applicable vulnerabilities in their POA&M. They do not have to include a status for every known vulnerability on the CISA-managed catalog,” the notice reads.
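The cross-referencing that the last two paragraphs describe, as an added example that is not part of the original notice or any FedRAMP or CISA tooling: it adds a KEV column to POA&M rows, flags open items whose CISA due date has passed, and lists catalog entries added since the last review (the kind of change the alerts announce). Following the notice, it only annotates vulnerabilities already in the POA&M rather than importing the whole catalog. The field names `cveID`, `dateAdded`, `dueDate` and `requiredAction` match CISA's public KEV JSON feed; the catalog excerpt and POA&M rows below are constructed placeholders, and the `CVE-0000-*` identifiers are not real vulnerabilities.

```python
"""Annotate a FedRAMP POA&M with CISA KEV catalog data (added example, offline)."""
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE IDs and dates are placeholders for this example, not real catalog entries.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0002", "dateAdded": "2022-01-10", "dueDate": "2022-01-24",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0003", "dateAdded": "2022-03-01", "dueDate": "2022-03-15",
         "requiredAction": "Apply updates per vendor instructions."},
    ]
}

# Constructed POA&M rows, reduced to the columns this example needs.
# Note the inconsistent casing/whitespace in the CVE column: real spreadsheets have it.
POAM_SAMPLE = [
    {"poam_id": "V-101", "cve": "cve-0000-0001", "status": "Open"},
    {"poam_id": "V-102", "cve": "CVE-0000-0002 ", "status": "Closed"},
    {"poam_id": "V-103", "cve": "CVE-0000-9999", "status": "Open"},
    {"poam_id": "V-104", "cve": "", "status": "Open"},
]


def normalize_cve(raw):
    """Canonicalize a CVE identifier so spreadsheet entries match the catalog."""
    return raw.strip().upper()


def index_kev(catalog):
    """Map normalized CVE ID -> catalog entry for O(1) lookups."""
    return {normalize_cve(v["cveID"]): v for v in catalog["vulnerabilities"]}


def annotate_poam(rows, kev_index, today):
    """Add the CISA KEV column, the CISA due date and an overdue flag to each POA&M row.

    Only vulnerabilities already in the POA&M are considered; catalog entries that do not
    apply to the system are never imported, in line with the FedRAMP notice.
    """
    out = []
    for row in rows:
        cve = normalize_cve(row.get("cve", ""))
        entry = kev_index.get(cve) if cve else None
        annotated = dict(row)
        annotated["cisa_kev"] = "Yes" if entry else "No"
        annotated["kev_due_date"] = entry["dueDate"] if entry else ""
        is_open = row.get("status", "").strip().lower() != "closed"
        # Overdue only matters for items still open; closed items keep their KEV marker for audit.
        annotated["kev_overdue"] = bool(
            entry and is_open and date.fromisoformat(entry["dueDate"]) < today
        )
        out.append(annotated)
    return out


def kev_summary(annotated):
    """Counts a reviewer would report: rows on the catalog, and how many are past due."""
    in_kev = [r for r in annotated if r["cisa_kev"] == "Yes"]
    return {"in_kev": len(in_kev), "overdue": sum(1 for r in in_kev if r["kev_overdue"])}


def recently_added(catalog, since):
    """CVE IDs added to the catalog on or after `since`, to diff against the last review."""
    return sorted(
        normalize_cve(v["cveID"])
        for v in catalog["vulnerabilities"]
        if date.fromisoformat(v["dateAdded"]) >= since
    )


if __name__ == "__main__":
    rows = annotate_poam(POAM_SAMPLE, index_kev(KEV_SAMPLE), date.today())
    for r in rows:
        print(r["poam_id"], r["cve"].strip() or "(no CVE)", r["cisa_kev"],
              r["kev_due_date"], "OVERDUE" if r["kev_overdue"] else "")
    print(kev_summary(rows))
    print("added since last review:", recently_added(KEV_SAMPLE, date(2022, 1, 1)))
```

In practice the catalog would be fetched from the feed URL above (or received through the alert subscription) and the POA&M read from the template spreadsheet; the normalization step is what keeps a hand-typed `cve-2021-...` from silently missing a catalog match.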