CISA directive requires vulnerability fixes in 6 months

A new binding operational directive puts federal civilian agencies on a six-month clock to remediate known vulnerabilities.

Cybersecurity and Infrastructure Security Agency Director Jen Easterly told members of the House Homeland Security Committee at a Nov. 3 hearing that the new directive will help federal agencies prioritize their efforts to patch actively exploited vulnerabilities on their networks, while sending a clear message to private businesses, as well as to state, local, tribal and territorial governments, about which vulnerabilities should be addressed immediately.

"For the first time, this is really giving timelines to remediate those specific vulnerabilities that we know have been actively exploited by adversaries, not just all vulnerabilities but the ones that we think are most dangerous," Easterly said. "I think that can make a real difference, not just for federal agencies, but from a signaling perspective for critical infrastructure owners and operators, and from businesses large and small around the country."

The directive applies to all software and hardware found on federal information systems, including those on agency premises or hosted by third parties on an agency’s behalf.

As part of the directive, CISA released a public catalog featuring known exploited vulnerabilities and specific timeframes for federal agencies to remediate those risks. More than 18,000 new cybersecurity vulnerabilities potentially impacting both federal agencies and private-sector companies were discovered just last year, according to CISA, which classified over 10,000 of those as "critical" or "high severity" vulnerabilities.

The CISA catalog features 90 exploited vulnerabilities identified last year and nearly 200 discovered between 2017 and 2020 that pose significant risks to networks. CISA said it would continue to update the catalog regularly as new vulnerabilities meeting specific thresholds were identified. Those thresholds require that the vulnerability has undergone an executive-level review at CISA, that there is reliable evidence it has been actively exploited, and that a clear remediation action exists to address the issue.
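The practical use of a catalog like the one described above is to match it against an asset inventory and work the entries in order of their remediation deadline. The following script is an added example, not CISA's code or data: the catalog entries, identifiers (placeholders of the form CVE-0000-000N, not real vulnerabilities), hosts, and field names are all constructed here, and the real catalog's schema is assumed rather than taken from the article. It joins an inventory of unpatched items to the catalog, classifies each finding as overdue, due soon, or on track relative to a chosen date, and sorts the worklist so that missed deadlines come first.

```python
"""Triage a software inventory against a KEV-style catalog with due dates.

Everything below (catalog entries, placeholder identifiers, hosts, field
names) is constructed for this example; it is not CISA data, and the real
catalog's schema is an assumption here.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class CatalogEntry:
    cve_id: str          # placeholder identifier, not a real CVE
    vendor: str
    product: str
    date_added: date     # when the entry was added to the catalog
    due_date: date       # remediation deadline set by the catalog
    required_action: str


# Constructed catalog with placeholder identifiers.
CATALOG = [
    CatalogEntry("CVE-0000-0001", "ExampleVendor", "ExampleServer",
                 date(2021, 11, 3), date(2021, 11, 17), "Apply vendor patch"),
    CatalogEntry("CVE-0000-0002", "ExampleVendor", "ExampleClient",
                 date(2021, 11, 3), date(2022, 5, 3), "Apply vendor patch"),
    CatalogEntry("CVE-0000-0003", "OtherVendor", "OtherAppliance",
                 date(2021, 11, 3), date(2022, 5, 3), "Upgrade firmware"),
]

# Constructed inventory: each asset lists catalog ids it has not yet remediated.
INVENTORY = [
    {"host": "web-01.example", "vendor": "ExampleVendor",
     "product": "ExampleServer", "unpatched": ["CVE-0000-0001"]},
    {"host": "ws-17.example", "vendor": "ExampleVendor",
     "product": "ExampleClient", "unpatched": ["CVE-0000-0002"]},
    {"host": "fw-03.example", "vendor": "OtherVendor",
     "product": "OtherAppliance", "unpatched": []},
]

# Sort order for the worklist: missed deadlines first.
_ORDER = {"overdue": 0, "due-soon": 1, "on-track": 2}


def classify(due: date, as_of: date, warn_days: int = 14) -> str:
    """Bucket a deadline relative to the reference date."""
    if as_of > due:
        return "overdue"
    if due - as_of <= timedelta(days=warn_days):
        return "due-soon"
    return "on-track"


def triage(catalog, inventory, as_of):
    """Join unpatched inventory items to catalog entries and build a sorted worklist.

    `as_of` may be a date or an ISO-8601 string. Items not in the catalog are
    skipped: they are outside the directive's scope and tracked elsewhere.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    by_id = {e.cve_id: e for e in catalog}
    findings = []
    for asset in inventory:
        for vid in asset["unpatched"]:
            entry = by_id.get(vid)
            if entry is None:
                continue
            findings.append({
                "host": asset["host"],
                "cve_id": vid,
                "due_date": entry.due_date.isoformat(),
                "status": classify(entry.due_date, as_of),
                "action": entry.required_action,
            })
    findings.sort(key=lambda f: (_ORDER[f["status"]], f["due_date"]))
    return findings


def summary(findings):
    """Count findings per status bucket."""
    counts = {"overdue": 0, "due-soon": 0, "on-track": 0}
    for f in findings:
        counts[f["status"]] += 1
    return counts


if __name__ == "__main__":
    worklist = triage(CATALOG, INVENTORY, "2021-12-01")
    for f in worklist:
        print(f"{f['status']:9} {f['host']:18} {f['cve_id']} "
              f"due {f['due_date']}: {f['action']}")
    print(summary(worklist))
```

Run against a real inventory, the same join is what turns the catalog into a deadline-driven queue; the reference date is a parameter so the report can be regenerated for the date of a status submission rather than only for today.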

The directive also gives agencies 60 days to respond to CISA with detailed information on their own vulnerability management policies and practices, including information on roles and responsibilities.

This article was first posted to FCW.