Americas Cybersecurity Mandates: How Basirah Maps to US, Canadian, and Brazilian Frameworks
From CISA BOD 22-01 to Canada OSFI B-13 and Brazil BCB Resolution 4893, Americas regulators demand operational proof of remediation. Here is how Basirah addresses their enforcement requirements.
Cybersecurity mandates across the Americas have shifted from advisory to enforcement. In the US, CISA’s Binding Operational Directives carry real deadlines with agency accountability, the SEC requires governance and disclosure controls, and FedRAMP has published draft changes tightening remediation SLAs. In Canada, OSFI Guideline B-13 establishes technology risk management requirements for federally regulated financial institutions. In Brazil, BCB Resolution 4893 mandates cybersecurity programmes for financial institutions.
Regulatory note: This is an operational summary, not legal advice. Validate scope and enforcement details with counsel and current agency guidance.
Consider a financial services group with US federal contracts, Canadian banking operations, and a Brazilian subsidiary. A single remediation queue serves multiple reporting audiences: agency security stakeholders, SEC-facing leadership, FedRAMP assessors, OSFI examiners, and BCB auditors. The control intent overlaps, but evidence formats and timelines differ. Most operational failures happen in that translation layer.
CISA BOD 22-01: Known Exploited Vulnerabilities
Binding Operational Directive 22-01 requires all Federal Civilian Executive Branch (FCEB) agencies to remediate Known Exploited Vulnerabilities (KEVs) by CISA-assigned due dates. While the directive formally applies to federal agencies, it has become the de facto standard for critical infrastructure and government contractors.
Key requirements
- Remediation by assigned due date: Default is 14 days from KEV catalog addition, though some entries carry shorter windows
- Scope: All internet-facing and internal systems, no exceptions for “legacy” or “isolated” environments
- Accountability: Agency CISOs must report compliance status; persistent non-compliance triggers DHS escalation
The operational challenge
The KEV catalog is updated frequently, with new entries arriving without warning. Organizations need automated ingestion of KEV updates, immediate identification of affected assets, and SLA tracking that starts the clock from catalog addition, not from when someone reads the CISA alert.
Platform Alignment
CISA KEV is a built-in threat intelligence source in Basirah. The platform automatically matches ingested findings against the KEV catalog alongside EPSS (Exploit Prediction Scoring System) enrichment for prioritization. When scanner findings match KEV entries, SLA clocks start automatically with the BOD-mandated deadlines.
Canonical deduplication ensures that the same CVE reported by multiple scanners creates a single Work Item rather than duplicate tickets. If Qualys, Tenable, and CrowdStrike all report CVE-2024-XXXX, Basirah deduplicates into one canonical finding and one owned Work Item with one SLA clock.
Remediation playbooks can auto-execute patch deployment with approval gating for production changes: Ansible, Terraform, kubectl, or custom scripts with simulation before running, rollback procedures, and execution logging.
The verification step is critical: agencies need to demonstrate not just that a patch was applied, but that the vulnerability is no longer exploitable. Basirah’s multiple independent verification methods, from automated re-scan through external audit, are designed to produce PASS/FAIL evidence aligned to BOD 22-01 evidence expectations.
SEC Cyber Disclosure: Materiality and Financial Impact
The SEC’s cybersecurity disclosure rules (effective December 2023) require public companies to:
- Item 1.05 (8-K): Disclose material cybersecurity incidents within four business days of determining materiality
- Item 106 (10-K): Describe the company’s cybersecurity risk management processes, strategy, and governance in annual filings
The materiality determination challenge
The SEC rules hinge on materiality. In practice, many organizations use financial impact quantification to support materiality assessments and defensible governance records.
Companies need:
- Financial risk quantification of vulnerability exposure, not just severity counts
- Defensible methodology that can withstand SEC scrutiny and shareholder litigation
- Documented risk assessments showing how materiality determinations are made
Platform Alignment
Basirah’s FAIR-based risk quantification can provide financial metrics that support SEC-oriented governance workflows: FAIR-based operational risk scoring for day-to-day use, plus governance-level Monte Carlo simulations with P50 and P95 confidence intervals denominated in dollars. Risk governance runs are versioned with full run history and comparison (baseline vs. candidate scenarios), helping teams document how materiality decisions were made.
The executive dashboard provides the leadership narrative for Item 106 (10-K) disclosures: risk trends, verified closure counts, ownership coverage, and SLA attainment presented in financial terms that legal and finance teams can translate directly into materiality determinations.
Risk attribution trails show verifiable connections between remediation investment and quantified risk reduction. Every verified Work Item closure carries a risk delta (baseline ALE minus post-remediation ALE), making it possible to demonstrate ROI on security spending. Campaign briefs and audit narratives generated from real platform data provide the defensible process that both SEC examiners and D&O insurers expect.
FedRAMP RFC-0012 (Draft): Cloud Vulnerability SLAs
As of May 30, 2025, FedRAMP’s RFC-0012 is published as a draft comment request. It proposes tiered vulnerability remediation SLAs for cloud service providers (CSPs) seeking or maintaining FedRAMP authorization. The proposed tiering is based on exploitability and reachability, not just CVSS severity.
Proposed SLA tiers (draft)
| Tier | Criteria | SLA |
|---|---|---|
| Critical | Actively exploited + externally reachable | 3 days |
| High | Exploit available + reachable | 7 days |
| Moderate | Theoretical exploit + internal | 21 days |
| Outer bound | All other vulnerabilities | 192 days |
Key differences if adopted
- Exploitability-based: SLAs are driven by real-world exploitability (KEV catalog, public PoC availability), not just CVSS scores
- Reachability matters: Internet-facing assets have shorter windows than internal-only systems
- 192-day outer bound: Even low-severity vulnerabilities must eventually be addressed. No more indefinite risk acceptance.
Platform Alignment
Basirah’s SLA engine supports the multi-dimensional tiering that RFC-0012 proposes. SLA windows can be configured by severity, exploitability status (KEV match, public exploit availability), and asset exposure (internet-facing vs. internal). Draft 3/7/21/192-day windows can map to configurable SLA policies.
Asset context enrichment includes cloud provider, region, account, and resource ID, going well beyond a binary internet-facing/internal classification. This granular context supports FedRAMP’s exploitability-plus-reachability tiering with precision that CVSS-only approaches cannot match. Findings that match KEV entries automatically receive the 3-day critical window.
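The mechanics described in the BOD 22-01 section (SLA clock starting at KEV catalogue addition, three scanners deduplicated into one Work Item) and the draft RFC-0012 tiering above, as an added illustration that is not Basirah's code. It assumes "reachable" means internet-facing, reads the draft tier table literally, and uses constructed placeholder CVE ids and scanner output:

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample threat intel (placeholder CVE ids, not real catalogue entries).
KEV_ADDED = {"CVE-0000-1111": date(2025, 5, 1)}  # CVE -> date CISA added it to the KEV catalogue
PUBLIC_EXPLOIT = {"CVE-0000-2222"}               # public PoC exists, not (yet) in KEV

# Ordered policy tables: first rule whose predicate (kev, poc, internet_facing) matches wins.
# Assumption: "reachable" = internet-facing; tiers are a literal reading of the draft table.
FEDRAMP_DRAFT = [
    ("Critical", 3, lambda kev, poc, ext: kev),                   # KEV match -> 3-day window
    ("High", 7, lambda kev, poc, ext: poc and ext),               # exploit available + reachable
    ("Moderate", 21, lambda kev, poc, ext: not poc and not ext),  # theoretical exploit + internal
    ("Outer bound", 192, lambda kev, poc, ext: True),             # everything else
]
BOD_22_01 = [("KEV", 14, lambda kev, poc, ext: kev)]  # 14-day default; non-KEV findings out of scope

@dataclass(frozen=True)
class Finding:
    scanner: str
    cve: str
    asset: str
    internet_facing: bool
    detected: date

# Constructed scanner output: three scanners report the same KEV CVE on the same host.
SAMPLE_FINDINGS = [
    Finding("Qualys", "CVE-0000-1111", "web-01", True, date(2025, 5, 3)),
    Finding("Tenable", "CVE-0000-1111", "web-01", True, date(2025, 5, 4)),
    Finding("CrowdStrike", "CVE-0000-1111", "web-01", True, date(2025, 5, 5)),
    Finding("Qualys", "CVE-0000-2222", "app-03", True, date(2025, 5, 2)),
    Finding("Tenable", "CVE-0000-3333", "db-02", False, date(2025, 5, 6)),
]

def build_work_items(findings, policy):
    """Deduplicate findings into one Work Item per (cve, asset), each with a single SLA clock."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f.cve, f.asset)].append(f)
    items = {}
    for (cve, asset), group in groups.items():
        kev, poc = cve in KEV_ADDED, cve in PUBLIC_EXPLOIT
        ext = any(f.internet_facing for f in group)
        tier = next(((n, d) for n, d, match in policy if match(kev, poc, ext)), None)
        if tier is None:
            continue  # this policy does not govern the finding
        name, days = tier
        # KEV clock starts at catalogue addition, not at scan time; otherwise at first detection.
        start = KEV_ADDED[cve] if kev else min(f.detected for f in group)
        items[(cve, asset)] = {"tier": name, "start": start, "due": start + timedelta(days=days),
                               "sources": sorted({f.scanner for f in group})}
    return items
```

Running the same findings through both policy tables shows the KEV item due on day 3 under the draft FedRAMP tiers but day 14 under BOD 22-01, while the non-KEV items fall outside BOD 22-01 entirely.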
Continuous monitoring evidence packages are generated automatically via outbox events as Work Items move through remediation, verification, and evidence generation. They are produced as part of the workflow, not compiled retroactively for monthly ConMon reports.
SIEM forwarding to major security platforms integrates Basirah’s remediation telemetry into existing ConMon infrastructure. The compliance dashboard provides framework-specific posture scoring with drill-down by control, gap analysis highlighting unaddressed requirements, and exportable compliance reports tailored to FedRAMP assessor expectations.
The draft FedRAMP remediation tiers (3/7/21/192 days) provide a practical SLA template even for organizations outside the US federal space.
Canada: OSFI Guideline B-13
The Office of the Superintendent of Financial Institutions (OSFI) published Guideline B-13 on Technology and Cyber Risk Management in 2022, effective for all federally regulated financial institutions (FRFIs) including banks, insurance companies, and trust companies. B-13 establishes principles-based requirements for managing technology risks including cybersecurity.
Key requirements
- Vulnerability and patch management: FRFIs must maintain processes for identifying, assessing, and remediating vulnerabilities in a timely manner, with remediation timelines based on severity and exposure
- Defined remediation timelines: Critical and high-severity vulnerabilities must be remediated within defined timeframes with documented justification for any exceptions
- Board and senior management reporting: Technology and cyber risk posture, including vulnerability management metrics, must be reported to the Board and senior management at defined intervals
- Third-party technology risk: Vulnerability management obligations extend to technology services provided by third parties, with FRFIs retaining accountability for risk management
- Testing and assurance: Regular testing including vulnerability assessments and penetration testing with findings tracked through documented remediation
Platform Alignment
Basirah’s find-fix-verify model supports B-13’s vulnerability management requirements. Findings are classified by severity and asset criticality, assigned to owners with SLA windows matching OSFI expectations, tracked through remediation with playbook execution logs, and independently verified before closure. The full lifecycle is auditable with tamper-evident evidence.
For Board reporting, the executive dashboard translates vulnerability posture into governance language: FAIR-based risk quantification provides annualised loss expectancy in dollar terms, SLA attainment rates demonstrate programme discipline, and remediation ROI shows the risk delta from security investment. These metrics support the Board-level reporting B-13 requires without manual report compilation.
Third-party risk visibility is supported through Basirah’s integration capabilities. Vulnerability findings from third-party managed services can be tracked alongside internal findings, providing consolidated visibility into technology risk posture across the FRFI’s full service delivery chain.
Brazil: BCB Resolution 4893
Banco Central do Brasil (BCB) Resolution 4893 (2021) requires all financial institutions authorised to operate by BCB to implement a cybersecurity policy (política de segurança cibernética). The resolution establishes requirements for cybersecurity programmes including vulnerability management, incident response, and periodic risk assessments.
Key requirements
- Cybersecurity policy: Financial institutions must establish, implement, and maintain a cybersecurity policy approved by the Board of Directors
- Vulnerability management: The policy must address identification, assessment, and remediation of cybersecurity vulnerabilities with documented processes
- Incident response: Defined incident response procedures with reporting obligations to BCB
- Periodic risk assessments: Regular cybersecurity risk assessments with documented methodology and findings
- Cloud services: Specific requirements for cybersecurity controls in cloud computing environments, including vulnerability management
- Information sharing: Participation in cybersecurity information sharing arrangements within the financial sector
Platform Alignment
Basirah supports BCB Resolution 4893’s cybersecurity policy implementation through continuous vulnerability lifecycle management. The platform provides the documented processes the resolution requires: every finding is tracked from ingestion through verified closure with ownership, SLA enforcement, and independent verification.
For periodic risk assessments, Basirah’s FAIR-based risk quantification provides the financial impact analysis BCB expects. Risk governance runs with P50 and P95 confidence intervals support the documented methodology requirement. Baseline vs. candidate scenario comparisons demonstrate how risk posture changes over assessment periods.
Cloud-specific requirements are addressed through Basirah’s asset context enrichment, which includes cloud provider, region, account, and resource metadata. Vulnerability management for cloud environments follows the same SLA-driven workflow with cloud-specific context supporting the tiered remediation approach BCB expects.
The compliance dashboard provides framework-specific posture scoring that can support BCB examination responses, with evidence packages tailored to Brazilian regulatory expectations.
Multi-mandate coverage from one workflow
The practical value is straightforward: a single vulnerability entering Basirah can be classified against KEV, CVSS, and exploitability criteria, assigned SLA policies matching whichever mandate applies, tracked through remediation, independently verified, and documented with evidence packages tailored to CISA, SEC, FedRAMP, OSFI, or BCB expectations. Teams running one remediation queue across five regulators avoid the spreadsheet-per-framework overhead that typically consumes compliance cycles.
Need an Americas mandate readiness check with your team? Book a compliance operations walkthrough.
References
1. CISA Binding Operational Directive 22-01 (CISA), accessed Feb 16, 2026
2. CISA Known Exploited Vulnerabilities Catalog (CISA), accessed Feb 16, 2026
3. SEC Cybersecurity Disclosure Rule, Final Rule Publication (Federal Register), accessed Feb 16, 2026
4. FedRAMP RFC-0012 Draft Vulnerability Response Standard, Comment Request (FedRAMP PMO), accessed Feb 16, 2026
5. OSFI Guideline B-13: Technology and Cyber Risk Management (Office of the Superintendent of Financial Institutions, Canada), accessed Feb 17, 2026
6. Resolução BCB n° 4.893, Política de segurança cibernética (Banco Central do Brasil), accessed Feb 17, 2026