CISA orders federal agencies to take action on cyber vulnerabilities

About a third of those nearly 300 cybersecurity flaws must be remediated within two weeks, according to a DHS directive released Wednesday.
By Kat Jercich
03:09 PM

CISA Director Jen Easterly in 2019

The Cybersecurity and Infrastructure Security Agency this week released a binding operational directive requiring federal agencies to patch known exploited vulnerabilities that carry "significant risk" to the federal enterprise.

The directive also established a catalog of nearly 300 vulnerabilities, each with an accompanying due date for taking action. Roughly a third of those due dates fall within two weeks.

"This directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency’s behalf," explained the directive.   

"These required actions apply to any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates or otherwise maintains agency information," it continued.  

WHY IT MATTERS  

As reported by the Wall Street Journal, the directive is one of the widest-ranging mandates of its kind.  

It applies to all departments and agencies, save for the Department of Defense, the Central Intelligence Agency and the Office of the Director of National Intelligence.

The Journal noted, too, that the directive is the first to require patches for both internet-connected and offline systems.  

Agencies have until November 17 to remediate the catalog entries that were assigned CVE identifiers in 2021, and have six months to fix the remaining 200 or so that were assigned identifiers in previous years.  

"These default timelines may be adjusted in the case of grave risk to the Federal Enterprise," the directive read.  

Agencies are also required to review and update agency internal vulnerability management procedures, including providing a copy of those procedures to CISA upon request.  

The policies must, at a minimum:  

  • Establish a process for ongoing remediation of CISA-identified vulnerabilities.
  • Assign roles and responsibilities for executing directive-required agency actions.
  • Define necessary actions required to enable prompt response to directive-required actions.
  • Establish internal validation and enforcement procedures to ensure adherence with the directive.
  • Set internal tracking and reporting requirements to evaluate adherence with this directive, as well as provide necessary reporting to CISA.

In addition, agencies must report on the status of listed vulnerabilities.  

The listed flaws span a range of vendors and products, including Google, Android and Apple, although Microsoft is the vendor that appears most frequently. CISA said it will regularly update the catalog.  

CISA said the directive does not replace BOD 19-02, a 2019 directive that requires remediation of critical and high vulnerabilities on internet-facing federal information systems.

"Instead of only focusing on vulnerabilities that carry a specific [common vulnerability scoring system] score, CISA is targeting vulnerabilities for remediation that have known exploits and are being actively exploited by malicious cyber actors," said the agency in a fact sheet accompanying the directive.  
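The practical consequence of that shift is a different ranking rule: a finding that is in CISA's catalog outranks a higher-scoring one that is not, and the catalog's due date, not the CVSS score, drives the deadline. The script below is an added example, not code from CISA, the directive or this article. It assumes the catalog is published as JSON (the feed is assumed to be https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json); to run offline it embeds a constructed sample in that shape, with placeholder vendor names and placeholder CVE identifiers that are not real catalog entries. It also applies the directive's default timeline (two weeks for CVEs assigned in 2021, six months for older ones), using the year in the CVE identifier as a stand-in for the year it was assigned, and re-checks each entry's published due date against that rule.

```python
"""Rank scanner findings against CISA's Known Exploited Vulnerabilities catalog.

Added example, not CISA's or the article's code. Stdlib only.
"""
import json
from datetime import date, timedelta

# CONSTRUCTED sample in the shape of the KEV JSON feed. Vendor, product and CVE IDs
# are placeholders, not real catalog entries. The real feed is assumed to be at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2021.11.03",
  "dateReleased": "2021-11-03",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2021-0001", "vendorProject": "ExampleVendor", "product": "Widget Server",
     "vulnerabilityName": "Widget Server RCE", "dateAdded": "2021-11-03",
     "shortDescription": "Placeholder.", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2021-11-17"},
    {"cveID": "CVE-2019-0002", "vendorProject": "ExampleVendor", "product": "Legacy Gateway",
     "vulnerabilityName": "Legacy Gateway auth bypass", "dateAdded": "2021-11-03",
     "shortDescription": "Placeholder.", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-05-03"},
    {"cveID": "CVE-2020-0003", "vendorProject": "ExampleVendor", "product": "Mail Relay",
     "vulnerabilityName": "Mail Relay path traversal", "dateAdded": "2021-11-03",
     "shortDescription": "Placeholder.", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-05-03"}
  ]
}
"""

# CONSTRUCTED scanner output: (cve_id, host, CVSS base score).
SCAN_FINDINGS = [
    ("CVE-2021-9999", "web01", 9.8),  # critical by CVSS, but not in the catalog
    ("CVE-2021-0001", "web01", 7.2),  # in the catalog, two-week deadline
    ("CVE-2019-0002", "vpn01", 6.5),  # in the catalog, six-month deadline
    ("CVE-2021-0004", "db01", 5.3),   # medium, not in the catalog
]


def add_months(d: date, months: int) -> date:
    """Calendar-month addition, clamping to the last day of the target month."""
    m = d.month - 1 + months
    y, m = d.year + m // 12, m % 12 + 1
    last_day = (date(y + (m == 12), m % 12 + 1, 1) - timedelta(days=1)).day
    return date(y, m, min(d.day, last_day))


def default_due_date(cve_id: str, date_added: date) -> date:
    """BOD 22-01 default timeline: six months for CVEs assigned before 2021, two weeks otherwise.
    Assumption: the year in the CVE ID is used as the year it was assigned."""
    cve_year = int(cve_id.split("-")[1])
    if cve_year >= 2021:
        return date_added + timedelta(days=14)
    return add_months(date_added, 6)


def load_kev(text: str) -> dict:
    """Index catalog entries by CVE ID and parse their ISO dates."""
    catalog = {}
    for entry in json.loads(text)["vulnerabilities"]:
        catalog[entry["cveID"]] = {
            **entry,
            "dateAdded": date.fromisoformat(entry["dateAdded"]),
            "dueDate": date.fromisoformat(entry["dueDate"]),
        }
    return catalog


def check_catalog_due_dates(catalog: dict) -> list:
    """Return CVE IDs whose published dueDate differs from the default timeline
    (the directive allows CISA to shorten timelines in cases of grave risk)."""
    return [cve for cve, e in catalog.items()
            if e["dueDate"] != default_due_date(cve, e["dateAdded"])]


def prioritize(findings, catalog: dict, today: date) -> list:
    """Rank findings: catalog entries first (earliest due date first, overdue flagged),
    then everything else by descending CVSS."""
    ranked = []
    for cve_id, host, cvss in findings:
        entry = catalog.get(cve_id)
        due = entry["dueDate"] if entry else None
        ranked.append({
            "cve": cve_id, "host": host, "cvss": cvss,
            "in_kev": entry is not None,
            "due": due,
            "overdue": entry is not None and today > due,
            "required_action": entry["requiredAction"] if entry else None,
        })
    ranked.sort(key=lambda r: (not r["in_kev"], r["due"] or date.max, -r["cvss"]))
    return ranked


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for r in prioritize(SCAN_FINDINGS, kev, today=date(2021, 11, 20)):
        flag = "OVERDUE" if r["overdue"] else ("KEV" if r["in_kev"] else "-")
        print(f'{flag:8} {r["cve"]:15} {r["host"]:6} cvss={r["cvss"]:<4} due={r["due"]}')
```

Run as-is it ranks the catalog entries above the CVSS 9.8 finding and flags the two-week item as overdue for the constructed "today"; pointing `load_kev` at the downloaded feed and `SCAN_FINDINGS` at real scanner output gives the report the directive asks agencies to produce.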

CISA Director Jen Easterly noted on Twitter that the vulnerability catalog could help members of the private sector as well. "The [binding operational directive] applies to federal civilian agencies; however, ALL organizations should adopt this directive and prioritize mitigating vulnerabilities listed on our public catalog, which are being actively used to exploit public and private organizations," she wrote in a post on Wednesday.  

"Knowing which vulnerabilities are currently being exploited by cybercriminals allows the private sector to leverage CISA’s expertise to operate on a more level playing field, and should be an important tool in the never-ending fight against cybercriminals," said Robert Cattanach, a partner at the international law firm Dorsey and Whitney, in a statement sent to Healthcare IT News.  

THE LARGER TREND  

Federal agencies have not been exempt from bad actors' attempts to take advantage of vulnerabilities – and the consequences are often wide-ranging.  

One of the most prominent incidents in recent months, of course, was the SolarWinds breach, which led to the victimization of numerous agencies, including the National Institutes of Health and the Centers for Disease Control and Prevention.   

Vulnerabilities in the SolarWinds Orion Platform appear in CISA's catalog.  

ON THE RECORD  

"The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector and ultimately the American people’s security and privacy. The federal government must improve its efforts to protect against these campaigns by ensuring the security of information technology assets across the federal enterprise," read the directive.  

"Vulnerabilities that have previously been used to exploit public and private organizations are a frequent attack vector for malicious cyber actors of all types. These vulnerabilities pose significant risk to agencies and the federal enterprise. It is essential to aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents," it continued.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.
