Cybersecurity pillar
Exposure management playbook
Run continuous discovery, prioritization, remediation, and validation loops mapped to CISA KEV due dates, BOD 22-01, NIST CSF 2.0 outcomes, and CVSS v4.0 scoring.
Sources: CISA KEV, CISA BOD 22-01, NIST Cybersecurity Framework 2.0, CVSS v4.0.
Discovery and asset fidelity
Expose the full attack surface across IT, OT, and cloud so prioritization reflects real risk.
- Unify inventories. Merge CMDB data, cloud resource graphs, device management telemetry, and OT asset maps into a single catalog that is refreshed at least daily and reconciled on stable keys (cloud resource ID, serial number, MAC) rather than hostnames, so the same machine is not counted twice or missed. This maps to the NIST CSF 2.0 asset management (ID.AM) outcomes.
- Identify exposure classes. Tag internet-facing services, identity providers, privileged endpoints, and OT gateways so scanning scope and remediation SLAs reflect exploitability.
- Track end-of-life platforms. Record lifecycle risk such as unsupported operating systems and appliances flagged in KEV entries and vendor bulletins, since no patch will ever arrive for them; the compensating control (isolation, removal from the internet edge, decommission date) must be documented alongside the patch plan for everything else.
Prioritize by exploitability
Use authoritative signals and contextual scoring to direct engineering effort to the right issues.
- Enforce KEV deadlines. Treat every CISA KEV entry that matches an asset as a non-negotiable remediation task with the due date published in the catalog. BOD 22-01 binds only federal civilian agencies, but the catalog and its due dates are public, so private-sector teams should adopt the same clock.
- Apply CVSS v4.0 judiciously. A CVSS-B (base) score alone is not a priority. Add the Threat metric (Exploit Maturity, E) to get CVSS-BT and the Environmental metrics for CVSS-BTE, so issues with active exploitation, sensitive data exposure, or operational impact rise above high-scoring bugs nobody is exploiting. Note that an omitted E metric (X, Not Defined) is scored as Attacked, so analysts should set it explicitly.
- Weight identity and external surfaces. Elevate misconfigurations affecting MFA, SSO, and API gateways: they map to the ATT&CK initial-access techniques ransomware operators rely on, such as Valid Accounts (T1078), External Remote Services (T1133), and Exploit Public-Facing Application (T1190).
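The three rules above as a ranking function, written here as an added example rather than anything from CISA, FIRST, or MITRE: KEV membership wins outright and inherits the catalog due date, an actively exploited (E:A) network-reachable issue on an exposed asset comes next, and only then does the base score matter, weighted by the exposure class from the discovery step. The KEV excerpt uses the public feed's real field names, but the entries, CVE IDs, assets, vectors, and exposure weights are constructed samples.

```python
"""Added example: rank findings by KEV deadline, then CVSS v4.0 threat metrics,
then exposure class. The KEV excerpt, CVE IDs, vectors and findings below are
constructed samples (the KEV fields mirror the public catalog's JSON field names)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed excerpt shaped like the CISA KEV JSON feed. Field names are the
# catalog's real ones; the entries and CVE IDs are synthetic placeholders.
KEV_SAMPLE = {
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVendor",
         "product": "EdgeGateway", "dateAdded": "2024-03-01",
         "dueDate": "2024-03-15", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "ExampleVendor",
         "product": "FileServer", "dateAdded": "2024-03-08",
         "dueDate": "2024-03-22", "knownRansomwareCampaignUse": "Unknown"},
    ],
}

# Exposure classes tagged during discovery; the weights are this example's choice.
EXPOSURE_WEIGHT = {"internet-facing": 3, "identity-provider": 3,
                   "privileged-endpoint": 2, "ot-gateway": 2, "internal": 0}


@dataclass
class Finding:
    asset: str
    cve: str
    base_score: float   # CVSS-B
    vector: str         # CVSS v4.0 vector string, ideally carrying the E metric
    exposure: str       # one of EXPOSURE_WEIGHT


@dataclass
class Decision:
    finding: Finding
    tier: int           # 0 KEV deadline, 1 exploited and reachable, 2 elevated, 3 routine
    due: date | None    # only the KEV catalog sets this here; SLAs cover the rest
    reason: str


def parse_cvss4(vector: str) -> dict[str, str]:
    """Split a CVSS v4.0 vector ('CVSS:4.0/AV:N/.../E:A') into metric -> value."""
    prefix, *parts = vector.split("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {vector}")
    return dict(p.split(":", 1) for p in parts)


def kev_index(feed: dict) -> dict[str, dict]:
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def decide(f: Finding, kev: dict[str, dict]) -> Decision:
    if f.cve in kev:
        entry = kev[f.cve]
        ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
        return Decision(f, 0, date.fromisoformat(entry["dueDate"]),
                        "KEV entry" + (" with known ransomware use" if ransomware else ""))
    m = parse_cvss4(f.vector)
    # Exploit Maturity: A attacked, P proof-of-concept, U unreported. The spec scores
    # X (not defined) as Attacked, so an omitted E silently means worst case.
    exploited = m.get("E", "X") in ("A", "X")
    weight = EXPOSURE_WEIGHT.get(f.exposure, 0)
    if exploited and m.get("AV") == "N" and weight >= 2:
        return Decision(f, 1, None, "active exploitation on a network-reachable exposed asset")
    if f.base_score >= 7.0 and (weight >= 2 or exploited):
        return Decision(f, 2, None, "high base score with exposure or exploitation signal")
    return Decision(f, 3, None, "routine: no exploitation evidence, limited exposure")


def prioritize(findings: list[Finding], feed: dict) -> list[Decision]:
    """Order: tier, then earliest KEV due date, then highest base score."""
    kev = kev_index(feed)
    decisions = [decide(f, kev) for f in findings]
    return sorted(decisions, key=lambda d: (d.tier, d.due or date.max, -d.finding.base_score))


# Constructed findings; vectors are illustrative and set E explicitly.
FINDINGS = [
    Finding("build-agent-7", "CVE-EXAMPLE-0004", 9.1,
            "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U", "internal"),
    Finding("hr-fileserver", "CVE-EXAMPLE-0002", 7.8,
            "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "internal"),
    Finding("sso-idp-1", "CVE-EXAMPLE-0003", 8.1,
            "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:A", "identity-provider"),
    Finding("plc-gateway-2", "CVE-EXAMPLE-0005", 7.2,
            "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "ot-gateway"),
    Finding("vpn-gw-1", "CVE-EXAMPLE-0001", 9.8,
            "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A", "internet-facing"),
]

if __name__ == "__main__":
    for d in prioritize(FINDINGS, KEV_SAMPLE):
        print(d.tier, d.finding.asset, d.finding.cve, d.due, d.reason)
```

Two things the ranking makes visible: the internal file server with a proof-of-concept-only vector still lands in tier 0 because it is on KEV, and the 9.1 base score on the build agent drops to the bottom because nothing says it is being exploited and it is not exposed. A finding whose vector omits E on an internet-facing asset is treated as attacked, which is the spec's default and the reason to make analysts fill the metric in.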
Remediate with measurable SLAs
Turn prioritization into predictable delivery by aligning owners, timelines, and compensating controls.
- Standardize patch cadences. Close KEV-listed bugs by the catalog due date (BOD 22-01 gives federal agencies two weeks for entries with CVE IDs from 2021 onward and six months for older ones; private-sector teams should be no slower). Set 30 days for remote code execution exposures with an available fix and 45 days for privilege escalation issues, with the interim compensating control documented before the clock starts.
- Include configuration and identity fixes. Track misconfigurations (e.g., public S3 buckets, overly permissive IAM roles) alongside patches so exposure counts decline even when no CVE exists.
- Instrument rollback plans. Require change tickets to document rollback paths and business-owner approvals when patches affect availability, referencing vendor guidance and tested recovery steps.
Validate continuously
Prove that remediation efforts closed real attack paths and detect regressions early.
- Attack-path testing. Run breach-and-attack simulations or red team scenarios that execute the ATT&CK techniques which exploited the remediated weakness, so the evidence is a failed attack path rather than a scanner reporting a new version string.
- Telemetry verification. For residual risk that was accepted under a compensating control rather than patched, confirm that logging, detection rules, and alert routing actually cover the asset and the technique, so monitoring aligns with NIST CSF 2.0 detection (DE) outcomes.
- Executive reporting. Publish monthly burn-down charts showing open KEV items, median time-to-remediate, and validation pass rates so leadership sees quantifiable risk reduction.
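The remediation and validation steps as a small ledger engine, added here as an example that is not part of the playbook or any vendor tool: it derives each item's due date from its class (KEV items inherit the catalog dueDate), flags the process gaps the text requires a ticket to close (compensating control for privilege escalation, rollback plan for availability-affecting changes, attack-path validation before closure), and computes the burn-down metrics the reporting step asks for. The ledger is constructed; the 30- and 45-day cadences follow the text, while the 30-day cadence for misconfigurations and the 14-day KEV fallback are this example's assumptions.

```python
"""Added example: SLA assignment, process-control checks and burn-down metrics
for an exposure ledger. The ledger is a constructed sample; the RCE and privesc
day counts follow the playbook, the misconfig cadence and KEV fallback are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median

# Days allowed after first_seen. KEV items use the catalog dueDate instead;
# KEV_FALLBACK_DAYS applies only when an entry lacks one (two weeks mirrors
# BOD 22-01 for recent CVEs). The misconfig value is this example's assumption.
SLA_DAYS = {"rce": 30, "privesc": 45, "misconfig": 30}
KEV_FALLBACK_DAYS = 14


@dataclass
class Item:
    ident: str
    cls: str                        # "kev", "rce", "privesc" or "misconfig"
    first_seen: date
    fixed: date | None = None
    kev_due: date | None = None     # dueDate from the KEV catalog when cls == "kev"
    compensating_control: str | None = None
    affects_availability: bool = False
    rollback_plan: str | None = None
    validated: bool | None = None   # attack-path re-test result; None = not yet run


def sla_due(item: Item) -> date:
    if item.cls == "kev":
        return item.kev_due or item.first_seen + timedelta(days=KEV_FALLBACK_DAYS)
    return item.first_seen + timedelta(days=SLA_DAYS[item.cls])


def control_gaps(item: Item) -> list[str]:
    """Process checks the change ticket must satisfy before the item may close."""
    gaps = []
    if item.cls == "privesc" and not item.compensating_control:
        gaps.append("privesc item lacks documented compensating control")
    if item.affects_availability and not item.rollback_plan:
        gaps.append("availability-affecting change lacks rollback plan")
    if item.fixed and item.validated is None:
        gaps.append("closed without attack-path validation")
    return gaps


def overdue(items: list[Item], as_of: date) -> list[Item]:
    return [i for i in items if i.fixed is None and sla_due(i) < as_of]


def burn_down(items: list[Item], as_of: date) -> dict[str, float | int | None]:
    """Open KEV count, overdue count, median time-to-remediate, validation pass rate."""
    fixed = [i for i in items if i.fixed is not None and i.fixed <= as_of]
    validated = [i for i in fixed if i.validated is not None]
    ttr = [(i.fixed - i.first_seen).days for i in fixed]
    return {
        "open_kev": sum(1 for i in items if i.cls == "kev" and i.fixed is None),
        "overdue": len(overdue(items, as_of)),
        "median_ttr_days": median(ttr) if ttr else None,
        "validation_pass_rate": (sum(i.validated for i in validated) / len(validated)
                                 if validated else None),
    }


# Constructed ledger as it might look on 2024-04-01.
AS_OF = date(2024, 4, 1)
LEDGER = [
    Item("EXP-101", "kev", date(2024, 3, 1), fixed=date(2024, 3, 10),
         kev_due=date(2024, 3, 15), validated=True),
    Item("EXP-102", "kev", date(2024, 3, 8), kev_due=date(2024, 3, 22)),   # still open
    Item("EXP-103", "rce", date(2024, 3, 5), fixed=date(2024, 3, 25),
         affects_availability=True, rollback_plan="snapshot, vendor downgrade path",
         validated=False),                                                 # re-test failed
    Item("EXP-104", "privesc", date(2024, 2, 20), fixed=date(2024, 3, 30)),  # closed, no control, no re-test
    Item("EXP-105", "misconfig", date(2024, 3, 20)),                         # public bucket, open
]

if __name__ == "__main__":
    for item in LEDGER:
        print(item.ident, item.cls, "due", sla_due(item), control_gaps(item))
    print("overdue:", [i.ident for i in overdue(LEDGER, AS_OF)])
    print(burn_down(LEDGER, AS_OF))
```

The pass rate counts only items whose re-test has actually run, so a closed item nobody validated lowers nothing and instead shows up as a control gap; that keeps the reported number honest rather than flattering. Median rather than mean time-to-remediate stops one long-running exception from hiding a healthy backlog, or a fast backlog from hiding one.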