Skip to main content


FedRAMP BOD 22-01 Guidance

March 8 | 2022

FedRAMP BOD 22-01 Guidance

The Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS) develops and oversees the implementation of “binding operational directives” (BODs) and “emergency directives” (EDs). These directives require action on the part of certain federal agencies and cloud service providers (CSPs). FedRAMP works closely with the Joint Authorization Board (JAB) and DHS CISA to issue actions required and outlined in these BODs and EDs.

Binding Operational Directive 22-01

On November 3, 2021, DHS CISA issued Binding Operational Directive 22-01, “Reducing the Significant Risk of Known Exploited Vulnerabilities”. This BOD “establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal enterprise and establishes requirements for agencies to remediate any such vulnerabilities included in the catalog. CISA will determine vulnerabilities warranting inclusion in the catalog based on reliable evidence that the exploit is being actively used to exploit public or private organizations by a threat actor.”

FedRAMP Response

FedRAMP, in accordance with Binding Operational Directive 22-01 and in consultation with the JAB and DHS CISA, emphasized that CSPs who maintain federal information fall within the scope defined by the BOD. All CSPs must review and implement the actions described within.

FedRAMP notified all Authorized CSPs that in order to address the requirement, FedRAMP has updated the POA&M template to accommodate tracking of vulnerabilities against the catalog of known exploited vulnerabilities. CSPs can track vulnerabilities in the new template or simply add a column (column AB, with the header ‘Binding Operational Directive 22-01 tracking’) in their current POA&M. This new column should be filled out with a ‘Yes’ or ‘No’ as to whether this POA&M item’s vulnerability is found in the catalog of known exploited vulnerabilities.

CSPs should only include applicable vulnerabilities in their POA&M. They do not have to include a status for every known vulnerability on the CISA-managed catalog.

We strongly suggest that CSPs sign up for automatic alerts when new vulnerabilities are added to the catalog.

Please contact the PMO at with any questions.

Back to Blogs