CISA issues directive for agencies to patch vulnerabilities

The CISA has published a list of security vulnerabilities, setting deadlines for agencies to have them patched

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new directive that will now require federal agencies to patch known exploited vulnerabilities within specific time frames.

This directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency’s behalf. 

CISA has published a catalog listing a total of 291 individual vulnerabilities going back to 2017 that threat actors are currently actively exploiting in attacks against federal entities and other organisations. These have been published in a publicly available online catalogue which includes known issues from the likes of Google, Apple, Adobe, Cisco, Citrix, Cisco, and more.

The catalog sets hard deadlines, some as soon as November 17th, within which federal agencies are required to patch them.

“Every day, our adversaries are using known vulnerabilities to target federal agencies. As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors,” said CISA Director Jen Easterly.


Taking action to tackle vulnerabilities

CISA issued the directive to drive federal agencies to mitigate actively exploited vulnerabilities on their networks, sending a clear message to all organisations across the country to focus patching on the subset of vulnerabilities that are causing harm now, and enable CISA to drive continuous prioritisation of vulnerabilities based on our understanding of adversary activity.

With this Directive, CISA is imposing the first government-wide requirements to remediate vulnerabilities affecting both internet-facing and non-internet facing assets. All agencies have been told they must review their internal vulnerability management procedures in accordance with the directive within 60 days.

“The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks. While this Directive applies to federal civilian agencies, we know that organisations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organisation adopt this Directive and prioritise mitigation of vulnerabilities listed in CISA’s public catalog,” added Easterly. 


Rising concerns over security 

The new directive reflects the high level of concern within the government and private sector over attacks like the supply chain assaults involving SolarWinds and Kaseya and campaigns that exploited vulnerabilities in Microsoft Exchange, Pulse VPN, and other VPN products over the past year. 

According to CISA, there were over 18,000 vulnerabilities identified in 2020 alone, and organisations in the public and private sector find it challenging to prioritise limited resources toward remediating the vulnerabilities that are most likely to result in a damaging intrusion.  

This Directive aims to address this challenge by driving mitigations of those vulnerabilities that are being actively exploited to compromise federal agencies and American businesses, building upon existing methods widely used to prioritise vulnerabilities by many organisations today.



Featured Articles

AWS launches 2023 European Defence Accelerator for startups

AWS is launching its European Defence Accelerator, open to startups interested in doing business with defence and national security organisations

Gartner unveils top cybersecurity predictions for 2023-2024

Half of CISOs will formally adopt human-centric design practices into their cybersecurity programmes, while adoption of zero trust architecture will rise

DDoS protection market to grow amid increase in attacks

According to research by Cloudflare, DDoS attacks increased by 109% last year, with the last 12 months seeing some of the largest attacks the world

The impact data poisoning has on cyber and AI

Cyber Security

Five innovative ways AI can help prevent cyber attacks

Cyber Security

SailPoint delivers new non-employee risk management solution

Cyber Security