Runecast Solutions Ltd., a leading provider of a cloud-native application protection platform (CNAPP) for AI-powered automated vulnerability management, security compliance, container security and more efficient ITOM, announces that the U.S. Cybersecurity & Infrastructure Security Agency (CISA) recommendations for leveraging a third-party service like Runecast to automatically identify vulnerabilities go beyond the Education sector and apply to all Federal agencies.
Last month, Runecast announced its inclusion in CISA recommendations for Educational institutions within the CISA K-12 Toolkit, which provides guidance and resources to help IT professionals “build, operate, and maintain resilient cybersecurity programs” for their school district IT environments. However, those recommendations go beyond the Education sector alone and apply to Federal agencies as part of Binding Operational Directive 22-01.
CISA Recommendation Applies to Federal Agencies
In the CISA report Reducing the Significant Risk of Known Exploited Vulnerabilities, CISA states the reasons that various organizations should follow their cybersecurity recommendations:
“CISA strongly recommends all organizations review and monitor the KEV catalog and prioritize remediation of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors.
All federal civilian executive branch (FCEB) agencies are required to remediate vulnerabilities in the KEV catalog within prescribed timeframes under Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities. Although not bound by BOD 22-01, every organization, including those in state, local, tribal, and territorial (SLTT) governments and private industry can significantly strengthen their security and resilience posture by prioritizing the remediation of the vulnerabilities listed in the KEV catalog as well. CISA strongly recommends all stakeholders include a requirement to immediately address KEV catalog vulnerabilities as part of their vulnerability management plan. Doing so will build collective resilience across the cybersecurity community.
Organizations should also consider using automated vulnerability and patch management tools that automatically incorporate and flag or prioritize KEV vulnerabilities. Examples of such tools include CISA's cyber hygiene services, Palo Alto Networks Cortex, Tenable Nessus, Runecast, Qualys VMDR, Wiz, Rapid7 InsightVM, and Rapid7 Nexpose.”
Notably, Binding Operational Directive 22-01 states that it is a "compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems." CISA further states that state, local, tribal, and territorial (SLTT) governments, as well as the private sector, can also strengthen their security posture by following the CISA recommendations.
According to Stanimir Markov, CEO and Co-Founder at Runecast, “CISA is an excellent knowledge source for securing mission-critical IT environments against vulnerabilities that pose the highest risks to organizations. We are honored to partner with them in bringing awareness to the importance of proactive discovery, risk-based prioritization and remediation of vulnerabilities. The inclusion of Runecast in CISA guidance is a testament to the effectiveness of our approach.”
Risk-Based Vulnerability Management with Runecast
Runecast was one of the first security platforms to integrate with the CISA Known Exploited Vulnerabilities (KEVs) catalog. Using Runecast AI Knowledge Automation (RAIKA), Natural Language Processing (NLP), OpenAI integration and a patented rules engine (US Patent No. US-10621234-B2), Runecast provides proactive discovery of vulnerabilities, misconfigurations, and any non-compliance with common security standards and vendor best practices. Built-in audits against the CISA KEV catalog are a key ingredient in prioritizing remediation efforts based on risk.
“By automating the discovery and prioritizing the remediation of vulnerabilities with known exploits, organizations can effectively reduce the risk of a security breach,” said Mr. Markov. “It is imperative for CISOs and IT teams to prioritize high-risk vulnerabilities using automation that is readily available.”
Runecast is used by Fortune 500 customers, which typically report time savings of 75-90% in troubleshooting, upgrade planning, and achieving, maintaining and verifying security compliance. It enables IT teams to do far more with less, resulting in operational transparency, cost savings, and continuous compliance. With its real-time analysis and remediation priority recommendations, the platform helps organizations stay ahead of potential security threats and maintain compliance with industry standards.
For more information about Runecast Solutions Ltd. and its Runecast platform, please visit www.runecast.com.
Runecast Solutions Ltd. is a leading global provider of a patented, AI-driven vulnerability assessment and cloud-native application protection platform (CNAPP) for IT Security and Operations teams. Forward-focused enterprises like Avast, DocuSign, the German Aerospace Center (DLR) and Merck/MSD rely on Runecast for proactive vulnerability and configuration management, security and compliance assessment, operational efficiency and mission-critical stability. Headquartered in London, U.K., Runecast is a Gartner Cool Vendor and has won Computing awards for Cloud Security Product of the Year and Best Place to Work in Digital.