The United States Cybersecurity and Infrastructure Security Agency (CISA) today issued an order requiring most federal agencies to patch hundreds of known cybersecurity vulnerabilities it says are being “actively exploited by adversaries.”
Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, establishes a CISA-managed public catalog of known exploited vulnerabilities and gives federal civilian agencies a specific timeframe within which they must remediate such vulnerabilities.
The directive applies to all hardware and software located on federal information systems, including resources that are managed on agency premises or hosted by third parties for an agency.
BOD 22-01 marks CISA’s first government-wide requirement to remediate flaws impacting both internet-facing and non-internet-facing assets.
CISA urged private businesses and state, local, tribal, and territorial (SLTT) governments to give precedence to remediating vulnerabilities listed in CISA’s catalog.
“As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors,” said CISA director Jen Easterly.
She continued: “The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber-attacks.”
Commenting on the new directive, Greg Fitzgerald, co-founder of Sevco Security, told Infosecurity Magazine: “This mandate is a good first step that will let a lot of companies reduce their attack surface. Unfortunately, the 300 or so vulnerabilities that this order addresses are only a drop in the bucket, and it will fall far short of solving the issue of unpatched vulnerabilities.”
Fitzgerald said a more pressing issue that CISA should be tackling was patching vulnerabilities on assets that IT teams have abandoned or forgotten about.
“Most organizations are unable to create an accurate IT asset inventory that reflects the entirety of their attack surface, which in modern enterprises extends beyond the network to include cloud, personal devices, remote workers as well as all things on premises,” he said.
“This puts them at the mercy of attackers who know where to look for forgotten IT assets that contain exploitable vulnerabilities.”
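In practice, the directive's two moving parts, a public catalog with a remediation deadline attached to each entry, and the asset-inventory problem Fitzgerald describes, come down to one routine check: take what a scanner reports on each asset, keep only the findings that appear in the catalog, sort them by due date, and flag the exposed assets that nobody owns. The script below is an added example illustrating that check; it is not code from the article, from CISA, or from Sevco Security. The catalog field names (cveID, vendorProject, product, dueDate and so on) follow the layout of CISA's published KEV JSON feed, but every entry, CVE identifier and host in it is a constructed placeholder, not a real vulnerability or a real system.

```python
"""Cross-check a vulnerability-scan inventory against a KEV-style catalog.

Added example for this article, not code from CISA or from the article's
sources. The catalog field names (cveID, vendorProject, product, dueDate, ...)
follow the layout of CISA's published KEV JSON feed; every entry, CVE
identifier and host below is a constructed placeholder, not a real
vulnerability or a real system.
"""
import json
from datetime import date

# Constructed catalog excerpt. CVE-0000-* identifiers are placeholders.
KEV_JSON = """{
  "title": "Example catalog excerpt (constructed)",
  "catalogVersion": "example",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "Gateway",
     "vulnerabilityName": "Placeholder authentication bypass", "dateAdded": "2021-11-03",
     "shortDescription": "Constructed entry.", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2021-11-17"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "Office Suite",
     "vulnerabilityName": "Placeholder memory corruption", "dateAdded": "2021-11-03",
     "shortDescription": "Constructed entry.", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-05-03"},
    {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor", "product": "Router",
     "vulnerabilityName": "Placeholder command injection", "dateAdded": "2021-11-03",
     "shortDescription": "Constructed entry.", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2021-11-17"}
  ]
}"""

# Constructed inventory: each asset carries the CVEs a scanner reported on it.
# "owner": None stands for the forgotten asset nobody is responsible for.
INVENTORY = [
    {"host": "web-01", "owner": "platform-team",
     "findings": ["CVE-0000-00001", "CVE-0000-00099"]},   # 00099 is not in the catalog
    {"host": "legacy-07", "owner": None,
     "findings": ["CVE-0000-00002"]},
    {"host": "vpn-02", "owner": "netops",
     "findings": ["CVE-0000-00001", "CVE-0000-00002"]},
]


def load_catalog(text: str) -> dict:
    """Parse the feed and index its entries by CVE ID for direct lookups."""
    data = json.loads(text)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def kev_exposure(catalog: dict, inventory: list, today: date) -> list:
    """Return one row per (host, CVE) pair that is in the catalog, with its deadline.

    Findings not in the catalog are skipped: still vulnerabilities, but not
    under the directive's deadline, which is the point of the prioritisation.
    """
    rows = []
    for asset in inventory:
        for cve in asset["findings"]:
            entry = catalog.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            rows.append({
                "host": asset["host"],
                "owner": asset.get("owner"),
                "cveID": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "dueDate": due.isoformat(),          # ISO strings sort chronologically
                "daysLeft": (due - today).days,      # negative once the deadline has passed
                "status": "overdue" if today > due else "open",
            })
    # Earliest deadline first, then host, so the report reads as a work queue.
    rows.sort(key=lambda r: (r["dueDate"], r["host"]))
    return rows


def unowned_exposed_hosts(rows: list) -> list:
    """Hosts with catalog exposure and no owner: the 'forgotten assets' case."""
    return sorted({r["host"] for r in rows if not r["owner"]})


def run_report(today_iso: str = "2021-11-20") -> tuple:
    """Build the report as of a given date (default is after the first deadline)."""
    rows = kev_exposure(load_catalog(KEV_JSON), INVENTORY, date.fromisoformat(today_iso))
    return rows, unowned_exposed_hosts(rows)


if __name__ == "__main__":
    rows, unowned = run_report()
    for r in rows:
        print(f'{r["status"]:8} {r["dueDate"]} {r["daysLeft"]:5d}d {r["host"]:10} '
              f'{r["cveID"]} ({r["product"]})')
    print("exposed hosts with no owner:", unowned)
```

Run against the real feed, the only change is replacing KEV_JSON with the downloaded file and INVENTORY with the scanner's export; the lookup is keyed purely on CVE ID, so a scanner that reports findings without CVE IDs (or an inventory that misses a host entirely, the case Fitzgerald is pointing at) produces no row, which is why the unowned-host list matters more than the row count.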