CISA: Patch These Bugs Now
CISA is giving federal agencies between two weeks and six months to patch known exploited vulnerabilities.
The US government is again sounding the alarm around vulnerabilities it knows are being exploited in the wild.
On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) issued a new Binding Operational Directive (BOD) - Reducing the Significant Risk of Known Exploited Vulnerabilities - to push agencies that fall under its authorities to patch bugs it knows are being actively exploited.
CISA regularly issues “binding operational directives” and “emergency directives” in which the agency asks others to remediate an issue, usually in response to observed active exploitation of disclosed vulnerabilities. Binding operational directives are commonly issued to federal executive branch departments and agencies for the purpose of safeguarding federal information and information systems.
This BOD applies to all software and hardware found on federal information systems, including those managed on agency premises or hosted by third parties on an agency’s behalf. While the directive applies to federal civilian agencies, CISA Director Jen Easterly encouraged all organizations on Wednesday to adopt it and prioritize mitigating the vulnerabilities.
“The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyberattacks,” Easterly said. “While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”
As part of the BOD, CISA is asking agencies within the next 60 days to review and update their vulnerability management procedures to ensure they're able to mitigate vulnerabilities CISA identifies.
Specifically, CISA is asking agencies to:
b. Assign roles and responsibilities for executing agency actions as required by this directive;
c. Define necessary actions required to enable prompt response to actions required by this directive;
d. Establish internal validation and enforcement procedures to ensure adherence with this Directive; and
e. Set internal tracking and reporting requirements to evaluate adherence with this Directive and provide reporting to CISA, as needed.
If they haven't already, the agencies are also being asked to fix each vulnerability in the CISA catalog. CISA is asking organizations to patch bugs "within 6 months for vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021 and within two weeks for all other vulnerabilities."
Lastly, CISA is asking agencies to do their due diligence by reporting on the status of vulnerabilities in the repository, either through the Continuous Diagnostics and Mitigation (CDM) Federal Dashboard or through CyberScope, an automated web-based app developed by the DOJ and DHS through which agencies can submit information on the health and security of their computer networks.
The BOD is CISA’s first directive since this past summer when it asked all Federal Civilian Executive Branch agencies to disable the Print Spooler service on Microsoft Active Directory (AD) Domain Controllers (DC) and apply updates issued by Microsoft to Windows Servers and Workstations.
Along with the BOD, CISA rolled out a new catalog, accessible here, that lists all 306 vulnerabilities CISA is warning about. The list can also be saved as an RSS feed for those who find that format easier to keep track of.
The catalog is fairly straightforward: it breaks down each CVE, which platform and product it affects, how each vulnerability can be remediated, and when agencies should complete the task.
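The two pieces of the directive that matter operationally are the deadline rule quoted above (six months for CVE IDs assigned before 2021, two weeks for everything else) and the per-entry fields the catalog carries (CVE, vendor and product, required remediation, due date). The following Python is an added example, not code from the article or from CISA, showing how a defender could apply that rule to catalog entries and cross-reference them against an asset inventory to produce a deadline-ordered patch list. The catalog records and the inventory are constructed sample data embedded inline, the field names (`cveID`, `vendorProject`, `product`, `requiredAction`, `dateAdded`) are assumptions for this example rather than the catalog's own schema, and the CVE identifiers are placeholders.

```python
from __future__ import annotations

import calendar
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample records shaped like the catalog entries the article describes.
# Field names are assumptions for this example; the CVE IDs are placeholders.
SAMPLE_CATALOG = [
    {"cveID": "CVE-2019-00001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "requiredAction": "Apply vendor update", "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2021-00001", "vendorProject": "ExampleCorp", "product": "ExampleServer",
     "requiredAction": "Apply vendor update", "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2020-00001", "vendorProject": "OtherVendor", "product": "OtherMail",
     "requiredAction": "Apply vendor update", "dateAdded": "2021-11-03"},
]

# Constructed sample inventory: (vendor, product) pairs an agency actually runs.
SAMPLE_INVENTORY = [("ExampleVendor", "ExampleVPN"), ("ExampleCorp", "ExampleServer")]

_CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def cve_year(cve_id: str) -> int:
    """Return the assignment year embedded in a CVE ID, rejecting malformed IDs."""
    match = _CVE_RE.match(cve_id.strip().upper())
    if not match:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(match.group(1))


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def remediation_deadline(cve_id: str, date_added: date) -> date:
    """Apply the directive's rule: 6 months for CVE IDs assigned before 2021,
    two weeks for all other vulnerabilities, counted from the catalog date."""
    if cve_year(cve_id) < 2021:
        return add_months(date_added, 6)
    return date_added + timedelta(days=14)


@dataclass
class PatchTask:
    cve_id: str
    product: str
    action: str
    due: date
    overdue: bool


def prioritize(catalog: list[dict], inventory: list[tuple[str, str]], today: date) -> list[PatchTask]:
    """Keep catalog entries affecting products in the inventory, compute each
    deadline, flag overdue ones, and order the result by due date."""
    installed = {(vendor.lower(), product.lower()) for vendor, product in inventory}
    tasks: list[PatchTask] = []
    for entry in catalog:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        if key not in installed:
            continue  # not deployed here; still tracked, but not on this list
        due = remediation_deadline(entry["cveID"], date.fromisoformat(entry["dateAdded"]))
        tasks.append(PatchTask(
            cve_id=entry["cveID"],
            product=f'{entry["vendorProject"]} {entry["product"]}',
            action=entry["requiredAction"],
            due=due,
            overdue=today > due,
        ))
    tasks.sort(key=lambda t: t.due)
    return tasks


if __name__ == "__main__":
    for task in prioritize(SAMPLE_CATALOG, SAMPLE_INVENTORY, date(2021, 11, 20)):
        flag = "OVERDUE" if task.overdue else "open"
        print(f"{task.due}  {flag:8}  {task.cve_id}  {task.product}: {task.action}")
```

Two design points: the deadline is computed in calendar months rather than a fixed day count, so an entry added on 3 November falls due on 3 May, and the CVE year is taken from the identifier itself, which is the practical proxy for "ID assigned prior to 2021" that the directive keys on. Malformed identifiers raise rather than silently landing in the two-week bucket.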
Former CISA Director Chris Krebs praised the agency's actions on Wednesday, pointing out that by cataloging must-patch vulnerabilities, CISA can help organizations make a risk-based decision on when to patch them, if they haven’t already.