CISA Issues Broad Cybersecurity Directive

On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to fix several software and hardware vulnerabilities. Binding Operational Directive (BOD) 22-01, "Reducing the Significant Risk of Known Exploited Vulnerabilities," establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk and sets requirements for agencies to remediate any vulnerability included in that catalog.

The Directive requires agencies to review and update internal vulnerability management procedures within 60 days. At a minimum, agency policies must establish a process for ongoing remediation of vulnerabilities that CISA identifies "as carrying significant risk to the federal enterprise within a timeframe set by CISA." Agencies have just two weeks to remediate newly discovered vulnerabilities and 6 months to address vulnerabilities that were assigned a Common Vulnerabilities and Exposures (CVE) ID (the identifier under which each entry is listed in the CISA-managed vulnerability catalog) prior to 2021.
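A defender's triage of the deadlines above, as an added Python example that is not part of the article or of any CISA tooling: it computes each catalog entry's due date from the rule stated (two weeks for CVEs assigned in 2021 or later, six months for earlier ones, taken here as 180 days, an assumption) and flags the ones present in a constructed asset inventory. The catalog entries are constructed; their field names follow the layout of CISA's published KEV JSON feed, which the article itself does not describe.

```python
from datetime import date, timedelta

# Deadlines as stated in the directive: two weeks for CVEs assigned in 2021
# or later, six months (taken here as 180 days, an assumption) for older ones.
NEW_CVE_DAYS = 14
OLD_CVE_DAYS = 180


def cve_year(cve_id):
    """Return the year from an identifier such as CVE-2019-12345."""
    parts = cve_id.split("-")
    if len(parts) != 3 or parts[0] != "CVE" or not parts[1].isdigit():
        raise ValueError("malformed CVE ID: %s" % cve_id)
    return int(parts[1])


def due_date(entry):
    """Remediation deadline for one catalog entry (cveID, dateAdded)."""
    added = date.fromisoformat(entry["dateAdded"])
    days = OLD_CVE_DAYS if cve_year(entry["cveID"]) < 2021 else NEW_CVE_DAYS
    return (added + timedelta(days=days)).isoformat()


def triage(catalog, inventory, today):
    """Group catalog CVEs that are present in the inventory by deadline status.

    'today' is an ISO date string; CVEs not in the inventory are skipped."""
    now = date.fromisoformat(today)
    result = {"overdue": [], "due_soon": [], "on_track": []}
    for entry in catalog:
        cve = entry["cveID"]
        if cve not in inventory:
            continue
        remaining = (date.fromisoformat(due_date(entry)) - now).days
        if remaining < 0:
            result["overdue"].append(cve)
        elif remaining <= 7:          # one week of warning before the deadline
            result["due_soon"].append(cve)
        else:
            result["on_track"].append(cve)
    return result


# Constructed sample catalog and asset inventory (placeholder IDs, not real data).
SAMPLE_CATALOG = [
    {"cveID": "CVE-2019-90001", "dateAdded": "2021-11-03"},  # pre-2021: 180 days
    {"cveID": "CVE-2021-90002", "dateAdded": "2021-11-03"},  # 2021: 14 days
    {"cveID": "CVE-2021-90003", "dateAdded": "2021-11-10"},  # 2021: 14 days
]
SAMPLE_INVENTORY = {"CVE-2019-90001", "CVE-2021-90002", "CVE-2021-90003", "CVE-2021-99999"}

if __name__ == "__main__":
    print(triage(SAMPLE_CATALOG, SAMPLE_INVENTORY, "2021-11-20"))
```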

“Every day, our adversaries are using known vulnerabilities to target federal agencies. As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors,” says CISA Director Jen Easterly.

In 2020 alone, over 18,000 vulnerabilities were discovered. Recent cyberattacks backed by foreign adversaries, such as the SolarWinds and Microsoft breaches, have forced CISA to change its strategy. Rather than issuing Emergency Directives focused on specific, actively exploited vulnerabilities, CISA is moving to catalog all known exploited vulnerabilities and to require federal agencies to patch them on a more aggressive timeline.

CISA is also adjusting how it scores risk. The Agency acknowledged that a Common Vulnerability Scoring System (CVSS) score does not always accurately represent the danger that a CVE presents. One example is the 2021 Microsoft hack. In that incident, attackers used a method called "chaining," combining several lower-severity vulnerabilities to gain initial entry and then escalate their intrusion. CISA will now identify such CVEs and push agencies to proactively patch exploited areas to prevent attacks.

The increased focus on cybersecurity comes straight from the top: the Biden Administration has issued several executive orders focused on tightening cybersecurity, and in June urged Russian President Vladimir Putin to rein in criminal hacking groups that operate with impunity within Russia. Chris Inglis, the US National Cyber Director, testified to the House Homeland Security Committee on Wednesday that since the summit with President Putin the government has seen a "discernible decrease" but conceded that it is "too soon to tell whether that is because of the material efforts undertaken by the Russians of the Russian leadership."

The Directive applies only to federal civilian agencies, excluding the Department of Defense and Intelligence Community. However, CISA recommends that state, local, tribal, and territorial governments also prioritize the mitigation of CISA-identified vulnerabilities. The private sector is exposed to many of the same vulnerabilities as the public sector. According to Director Easterly, “it is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”
