CISA issues directive for agencies to patch vulnerabilities
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new directive that will now require federal agencies to patch known exploited vulnerabilities within specific time frames.
This directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency’s behalf.
CISA has published a catalog listing a total of 291 individual vulnerabilities going back to 2017 that threat actors are currently actively exploiting in attacks against federal entities and other organisations. These have been published in a publicly available online catalogue which includes known issues from the likes of Google, Apple, Adobe, Cisco, Citrix, Cisco, and more.
The catalog sets hard deadlines, some as soon as November 17th, within which federal agencies are required to patch them.
“Every day, our adversaries are using known vulnerabilities to target federal agencies. As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors,” said CISA Director Jen Easterly.
Taking action to tackle vulnerabilities
CISA issued the directive to drive federal agencies to mitigate actively exploited vulnerabilities on their networks, sending a clear message to all organisations across the country to focus patching on the subset of vulnerabilities that are causing harm now, and enable CISA to drive continuous prioritisation of vulnerabilities based on our understanding of adversary activity.
With this Directive, CISA is imposing the first government-wide requirements to remediate vulnerabilities affecting both internet-facing and non-internet facing assets. All agencies have been told they must review their internal vulnerability management procedures in accordance with the directive within 60 days.
“The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks. While this Directive applies to federal civilian agencies, we know that organisations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organisation adopt this Directive and prioritise mitigation of vulnerabilities listed in CISA’s public catalog,” added Easterly.
Rising concerns over security
The new directive reflects the high level of concern within the government and private sector over attacks like the supply chain assaults involving SolarWinds and Kaseya and campaigns that exploited vulnerabilities in Microsoft Exchange, Pulse VPN, and other VPN products over the past year.
According to CISA, there were over 18,000 vulnerabilities identified in 2020 alone, and organisations in the public and private sector find it challenging to prioritise limited resources toward remediating the vulnerabilities that are most likely to result in a damaging intrusion.
This Directive aims to address this challenge by driving mitigations of those vulnerabilities that are being actively exploited to compromise federal agencies and American businesses, building upon existing methods widely used to prioritise vulnerabilities by many organisations today.