CISA issues directive for agencies to patch vulnerabilities

CISA has published a list of security vulnerabilities, setting deadlines for agencies to have them patched

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new directive that will now require federal agencies to patch known exploited vulnerabilities within specific time frames.

This directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency’s behalf. 

CISA has published a publicly available online catalog listing a total of 291 individual vulnerabilities going back to 2017 that threat actors are currently actively exploiting in attacks against federal entities and other organisations. The catalog includes known issues in products from the likes of Google, Apple, Adobe, Cisco, Citrix, and more.

The catalog sets hard deadlines, some as soon as November 17th, within which federal agencies are required to patch them.

“Every day, our adversaries are using known vulnerabilities to target federal agencies. As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors,” said CISA Director Jen Easterly.


Taking action to tackle vulnerabilities

CISA issued the directive to drive federal agencies to mitigate actively exploited vulnerabilities on their networks. It also sends a clear message to all organisations across the country to focus patching on the subset of vulnerabilities that are causing harm now, and it enables CISA to continuously reprioritise vulnerabilities based on its understanding of adversary activity.

With this Directive, CISA is imposing the first government-wide requirements to remediate vulnerabilities affecting both internet-facing and non-internet-facing assets. All agencies have been told they must review their internal vulnerability management procedures in accordance with the directive within 60 days.

“The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks. While this Directive applies to federal civilian agencies, we know that organisations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organisation adopt this Directive and prioritise mitigation of vulnerabilities listed in CISA’s public catalog,” added Easterly. 


Rising concerns over security 

The new directive reflects the high level of concern within the government and private sector over attacks like the supply chain assaults involving SolarWinds and Kaseya and campaigns that exploited vulnerabilities in Microsoft Exchange, Pulse VPN, and other VPN products over the past year. 

According to CISA, over 18,000 vulnerabilities were identified in 2020 alone, and organisations in the public and private sector find it challenging to prioritise limited resources toward remediating the vulnerabilities that are most likely to result in a damaging intrusion.

This Directive aims to address that challenge by driving mitigation of the vulnerabilities that are being actively exploited to compromise federal agencies and American businesses, building on the prioritisation methods many organisations already use today.
