DHS/CISA Mandates Fixing Security Vulnerabilities, Warning Companies to be Vigilant
The Cybersecurity and Infrastructure Security Agency (CISA) issued a sweeping binding directive requiring federal agencies to patch hundreds of cybersecurity vulnerabilities that present a significant risk of damaging intrusions into information systems by malicious cyber actors. The Directive applies to all software and hardware found on federal information systems, including systems managed on agency premises or hosted by third parties on an agency’s behalf.
CISA strongly recommends that the private sector, particularly critical infrastructure entities, adopt the Directive and prioritize mitigation of the vulnerabilities listed in CISA’s public catalog. As expectations for the private sector mount, companies of all sizes should consider this Directive in the context of their own risk management and response to identified threats. Past advisories from the Department of Homeland Security (DHS), such as those on the SolarWinds and Microsoft Exchange risks, offer the private sector important guidance that the government increasingly expects private companies to act on.
DHS’ DIRECTIVE SEEKS TO REDUCE RISK FROM KNOWN EXPLOITED VULNERABILITIES
The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten both the public and private sectors. Vulnerabilities that have previously been used to compromise public and private organizations are a frequent attack vector for malicious cyber actors. Prompt and effective remediation of known exploited vulnerabilities is essential to protecting information systems and reducing costly cyber incidents. While the government and private parties regularly identify vulnerabilities, remediation tends to be ad hoc. DHS is drawing attention to these risks to force agencies to act and to nudge the private sector to do the same.
On November 3, 2021, CISA issued Binding Operational Directive (BOD) 22-01, “Reducing the Significant Risk of Known Exploited Vulnerabilities,” to drive urgent and prioritized remediation of vulnerabilities that are being actively exploited by adversaries. The Directive establishes a catalog of known exploited vulnerabilities that CISA will manage and requires federal civilian agencies to remediate vulnerabilities within certain timeframes.
The Directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency’s behalf. The required actions apply to federal information systems, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information. The Directive, however, does not apply to statutorily defined “national security systems,” nor to certain systems operated by the Department of Defense or the Intelligence Community.
Within 60 days of the Directive’s issuance, agencies must:
- Establish a process for ongoing remediation of the vulnerabilities that CISA identifies as carrying significant risk to the federal enterprise;
- Assign roles and responsibilities for executing the agency actions the Directive requires;
- Define necessary actions required to enable prompt response to the Directive;
- Establish internal validation and enforcement procedures to ensure adherence with the Directive; and
- Set internal tracking and reporting requirements.
Agencies must also remediate each vulnerability identified in the CISA-managed vulnerability catalog and report on the status of the vulnerabilities listed in the repository.
THIS DIRECTIVE BINDS CONTRACTORS AND IS AN IMPORTANT SIGNAL TO THE PRIVATE SECTOR
CISA is imposing the first government-wide mandate to remediate vulnerabilities affecting both internet-facing and non-internet-facing assets. BOD 22-01 seeks to drive federal agencies, federal contractors, and the private sector to mitigate actively exploited vulnerabilities on their networks. CISA is sending a clear message: focus on patching the vulnerabilities that are causing harm now. The goal is to improve vulnerability management practices and dramatically reduce exposure to cyberattacks. This follows a past Binding Operational Directive, BOD 20-01, “Develop and Publish a Vulnerability Disclosure Policy,” and comes after enhancements to the National Institute of Standards and Technology’s (NIST) seminal Framework for Improving Critical Infrastructure Cybersecurity, which emphasizes that mature cyber risk management includes a vulnerability management program.
The CISA vulnerability catalog aims to drive mitigation of the vulnerabilities that are actively being used to exploit federal agencies and American businesses. While the Directive applies to all federal civilian agencies and federal contractors, other than the Department of Defense and the Intelligence Community, CISA strongly recommends that businesses and state and local governments prioritize mitigation of the vulnerabilities listed in CISA’s public catalog and sign up to receive notifications when new vulnerabilities are added.
Wiley’s cyber team recommends that companies stay on top of known and emergent vulnerabilities and develop a repeatable way to address them. Remediation and communication about vulnerabilities can be a major challenge, but companies are increasingly expected to ingest third-party security information such as DHS directives. Organizations should be proactive about addressing security issues as part of a risk-based and comprehensive organizational cybersecurity plan.