The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new directive that will now require federal agencies to patch known exploited vulnerabilities within specific time frames.
CISA has published a catalog listing approximately 290 vulnerabilities going back to 2017 that threat actors are currently actively exploiting in attacks against federal entities and other organizations. The catalog sets hard deadlines — some as soon as Nov. 17 — within which federal agencies are required to patch them.
CISA will update the catalog on a continuing basis with information on new vulnerabilities that attackers might be exploiting and that also present certain specified minimum levels of risk to federal agencies.
The agency — which is part of the US Department of Homeland Security — described its Binding Operational Directive (BOD) 22-01 as designed to get federal agencies to address more quickly those vulnerabilities that are known to pose significant risk. “It is essential to aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents,” the DHS said in an advisory on Wednesday.
CISA’s directive applies only to vulnerabilities on information systems belonging to civilian federal agencies that are hosted on agency premises or by third parties on the agency’s behalf. But private sector organizations can use the catalog and patching deadlines to improve their vulnerability management practices and reduce exposure to cyberattacks.
The new directive reflects the high level of concern within government and the private sector over attacks like the supply chain assaults involving SolarWinds and Kaseya and campaigns that exploited vulnerabilities in Microsoft Exchange, Pulse VPN, and other VPN products over the past year. The attacks affected a large number of organizations and often involved vulnerabilities that organizations should have known about and patched long ago.
Jamil Jaffer, former associate White House Counsel to President George W. Bush and current senior vice president at IronNet, says CISA’s directive is not entirely a surprise given the current threat environment.
“We have seen a number of large-scale incidents take place, including the SolarWinds hack and increased Nobelium activity noted recently by Microsoft,” he says. “We’ve known for a long time that our private and public sectors are targeted by sophisticated nation-state attackers, and it’s no surprise that the federal government is trying to get their own house in order.”
Building on Previous Directives
CISA’s latest directive builds on two earlier directives that it issued around vulnerability patching. The first in May 2015 required federal agencies to mitigate known “critical risk” vulnerabilities within 30 days of the flaws being publicly disclosed. At the time, the agency described the move as being fueled by concern over the length of time it took agencies — sometimes even 300 days — to fix critical security issues.
CISA issued a second BOD in April 2019, which reduced the time frame for fixing critical issues to 15 days. The directive also put a deadline for less severe but still “high risk” vulnerabilities to be patched in 30 days. CISA’s 2019 directive was spurred by concerns over the growing speed at which attackers were exploiting freshly disclosed flaws and by a massive increase in the number of critical and high-risk vulnerabilities being disclosed.
The latest directive takes CISA’s vulnerability management strategy in a new direction: Instead of focusing just on vulnerabilities with high severity scores on the CVSS scale, the new directive sets specific patching deadlines for any vulnerability — critical, high, medium, or low severity — that is being actively exploited in attacks.
CISA said its decision is based on the fact that Common Vulnerability Scoring System (CVSS) scores alone are not an indication of the threat a specific flaw might present to organizations. Increasingly, attackers have begun chaining together flaws of varying severity in their attacks, CISA said.
For example, the agency pointed to the so-called ProxyLogon set of four flaws in Microsoft Exchange Server that Russia’s Nobelium group and others have exploited in a wave of attacks earlier this year. In these attacks, threat actors used relatively low-severity flaws to gain an initial foothold on a target network and then incrementally elevated privileges by abusing additional vulnerabilities.
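The prioritization change described above (deadline-driven handling of any actively exploited flaw, regardless of its CVSS score) is easy to misapply if a scanner report is still sorted by severity alone. The following is an added example, not code from the article or from CISA: it joins a scanner's findings against a catalog shaped like a known-exploited-vulnerabilities list and orders remediation by catalog deadline first, CVSS second. The catalog entries, the CVE identifiers (deliberately non-existent "CVE-0000-…" placeholders), the host names and the dates are all constructed for illustration.

```python
"""Prioritise patching by known exploitation rather than CVSS score alone.

Added example, not from the article or from CISA. The catalog, findings,
CVE identifiers and dates below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    due_date: date      # date by which the fix must be applied


@dataclass(frozen=True)
class Finding:
    host: str
    cve_id: str
    cvss: float         # base score as reported by the scanner


# Constructed catalog: one entry with a near deadline, one months out.
CATALOG = {
    "CVE-0000-1001": KevEntry("CVE-0000-1001", date(2021, 11, 17)),
    "CVE-0000-1002": KevEntry("CVE-0000-1002", date(2022, 5, 3)),
}

# Constructed scanner output for two hosts. Note that the catalogued flaw on
# mail-01 has a lower score than the non-catalogued critical one.
FINDINGS = [
    Finding("mail-01", "CVE-0000-1001", 4.3),   # medium score, but exploited
    Finding("mail-01", "CVE-0000-9001", 9.8),   # critical, not in catalog
    Finding("web-02", "CVE-0000-1002", 7.5),    # high score, exploited
    Finding("web-02", "CVE-0000-9002", 8.1),    # high score, not in catalog
]


def prioritise(findings, catalog, today_iso):
    """Return findings as dicts, ordered for remediation.

    Catalogued (actively exploited) findings come first, earliest deadline
    first, with 'days_left' negative once the deadline has passed. Everything
    else follows, ordered by CVSS score, highest first. 'today_iso' is an
    ISO date string such as "2021-11-03".
    """
    today = date.fromisoformat(today_iso)
    keyed = []
    for f in findings:
        entry = catalog.get(f.cve_id)
        if entry is not None:
            days_left = (entry.due_date - today).days
            row = {"host": f.host, "cve": f.cve_id, "cvss": f.cvss,
                   "exploited": True, "due": entry.due_date.isoformat(),
                   "days_left": days_left}
            # Rank 0 puts catalogued flaws ahead of all others.
            keyed.append(((0, entry.due_date, -f.cvss), row))
        else:
            row = {"host": f.host, "cve": f.cve_id, "cvss": f.cvss,
                   "exploited": False, "due": None, "days_left": None}
            keyed.append(((1, date.max, -f.cvss), row))
    keyed.sort(key=lambda item: item[0])
    return [row for _, row in keyed]


def overdue(ranked):
    """Catalogued findings whose deadline has already passed (the compliance gap)."""
    return [r for r in ranked if r["exploited"] and r["days_left"] < 0]


if __name__ == "__main__":
    for row in prioritise(FINDINGS, CATALOG, "2021-11-03"):
        print(row)
    print("overdue:", overdue(prioritise(FINDINGS, CATALOG, "2021-12-01")))
```

Run as of 3 November 2021, the 4.3-scored catalogued flaw on mail-01 ranks above the 9.8-scored uncatalogued one and shows 14 days left; run as of 1 December 2021 it appears in the overdue list. Swapping the constructed `CATALOG` for a parsed copy of a real catalog feed is the only change needed to use the same ordering on live scanner output.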
“I anticipate this is one of many actions we will see in the coming months to improve the security posture of federal civilian agencies,” says Allie Mellen, an analyst at Forrester Research.
Earlier this year, President Biden issued an executive order that, among other things, imposed new threat monitoring requirements for federal agencies. CISA’s directive focuses on improved cyber hygiene, another essential component of threat defense. “[The directive] speaks to the importance of getting the basics right first and on an ongoing basis. We talk about the importance of patching a lot — and now we have the directive to start enforcing it,” Mellen notes.
Many of the known exploited vulnerabilities in the new CISA catalog have patching deadlines of May 3, 2022. But numerous others have a Nov. 17 deadline, meaning federal agencies have just 14 days to address the flaws. That deadline could be challenging for agencies to meet considering the amount of work that is likely required, security experts said.
“The CISA deadlines are somewhat arbitrary but are a good example of what every cybersecurity team should be doing on their own,” says Yaniv Bar-Dayan, CEO and co-founder of Vulcan Cyber.
The effort should be to identify and prioritize cyber-risk, then implement an achievable plan to mitigate the vulnerabilities that pose the most risk to the business. “No doubt vulnerability remediation is a difficult, dirty job. If it wasn’t, and our cyber hygiene was perfect, CISA wouldn’t bother us with a list of known vulnerabilities like this,” he says.
Bud Broomhead, CEO at Viakoo, says federal agencies are likely to face the biggest challenge in IoT and OT environments, where remediation has been a largely manual process until recently. “Agencies will have to bring in new technologies to deal with the scale and complexity,” he predicts. “It will be virtually impossible to meet these deadlines using manual methods of patching systems.”
IronNet’s Jaffer says CISA’s directive makes clear that this is an initiative the government wants federal agencies to execute and complete on an urgent basis. But the short time frame for addressing some of the flaws will likely make compliance challenging for agencies — some more so than others.
“For operational directives, CISA has a process whereby departments and agencies are required by law to develop a plan to comply — and ultimately comply — with binding operational directives,” Jaffer says. An escalation process exists for prioritizing the issue in case an agency fails to comply by deadline. DHS/CISA will be responsible for using this process to put pressure on agency heads to ensure the directives are met.
“In addition, Congress might raise pressure by requesting briefings and reports on how agencies are doing on meeting the directive requirements, including through the Government Accountability Office,” he notes.
Forrester’s Mellen says that CISA will likely be reporting the status of these requirements up to the Secretary of Homeland Security, the Director of the Office of Management and Budget, and the National Cyber Director.
“This is another step establishing CISA as the de facto leader on security in the federal government,” Mellen adds, “especially with regards to civilian agencies.”