‘Groundbreaking’ CISA directive to overhaul cyber vulnerability management process

The Cybersecurity and Infrastructure Security Agency is directing agencies to address hundreds of known cyber exploits within specified time frames under a new process where CISA will regularly update a catalog of known vulnerabilities for priority patching.

The Binding Operational Directive issued today applies to “all software and hardware found on federal information systems, including those managed on agency premises or hosted by third parties on an agency’s behalf,” according to CISA. It does not apply to national security systems run by defense and intelligence agencies.

The directive is “groundbreaking in that for the first time, this is really giving timelines to remediate those specific vulnerabilities that we know have been actively exploited by adversaries,” CISA Director Jen Easterly said during a House Homeland Security Committee hearing today. “Not just all vulnerabilities, but the ones that we think are most dangerous.”

CISA also noted in a statement that it’s the first governmentwide mandate to patch vulnerabilities “affecting both internet-facing and non-internet facing assets.”

Rep. Jim Langevin (D-R.I.), chairman of the House Armed Services Cyber, Innovative Technologies and Information Systems Subcommittee, applauded the directive in a statement.

“Since CISA’s inception, I have worked to empower our nation’s leading cybersecurity agency with the tools and authorities needed to protect Americans in cyberspace,” he said. “CISA’s latest Binding Operational Directive — which requires federal agencies to patch more than 250 vulnerabilities that are currently being exploited by our adversaries — will go a long way towards strengthening network security and improving our federal cyber hygiene.”

The directive gives agencies two weeks to address 90 exploits identified in 2021, and six months to address about 200 exploits identified between 2017 and 2020. The cybersecurity flaws are listed on a new CISA-managed catalog of “known exploited vulnerabilities that carry significant risk to the federal enterprise.”

Agencies also have two months to review and update their internal vulnerability management procedures in accordance with the new directive. CISA told agencies to “automate data exchange and report their respective directive implementation status” through the Continuous Diagnostics and Mitigation Federal Dashboard.

The mandate represents a shift in strategy away from CISA issuing one-off emergency directives focused on Common Vulnerabilities and Exposures (CVEs) with “critical” or “high” scores under the Common Vulnerability Scoring System. In December 2020, for instance, CISA issued an emergency directive for agencies to take action on the SolarWinds Orion compromise being exploited by Russian intelligence services to spy on multiple federal departments.

In a fact sheet, CISA said the scores “do not always accurately depict the danger or actual hazard that a CVE presents.”

“Attackers do not rely only on ‘critical’ vulnerabilities to achieve their goals; some of the most widespread and devastating attacks have included multiple vulnerabilities rated ‘high,’ ‘medium,’ or even ‘low,’” the fact sheet states.

CISA is also concerned about “chaining,” where multiple vulnerabilities are used together to pull off an attack. “CISA analyzes CVEs as they are disclosed to identify potentially chainable vulnerabilities and will push for them to be patched proactively, effectively preempting some of these attacks before they can be launched,” the fact sheet continues.

Rather than issuing individual directives for each concerning vulnerability, the new directive sets up a mechanism where agencies will get updates from the catalog and must remediate them “within a more aggressive timeline,” according to the fact sheet.

CISA’s criteria for adding a new vulnerability to the catalog are that it has a Common Vulnerabilities and Exposures ID; that there is “reliable” evidence the vulnerability has been actively exploited; and that there is a “clear remediation action for the vulnerability, such as a vendor provided update,” according to CISA.
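Taken together, the two remediation windows (two weeks for 2021 exploits, six months for 2017–2020 exploits) and the three catalog admission criteria describe a small prioritization routine. The following Python is an added example, not CISA’s code or catalog schema: the field names and catalog rows are constructed, deadlines are counted from the date an entry was added (an assumption), and CVE years outside 2017–2021 get no deadline because the article states no rule for them.

```python
"""Remediation-deadline helper modelled on the directive's stated rules.
Added example: field names and rows below are constructed, not CISA's schema."""
import re
from datetime import date, timedelta
from typing import Optional

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")

def meets_catalog_criteria(entry: dict) -> bool:
    """All three admission criteria must hold: a CVE ID, reliable evidence of
    active exploitation, and a clear remediation action (e.g. a vendor update)."""
    return (bool(CVE_RE.match(entry.get("cve_id", "")))
            and entry.get("exploited_evidence") is True
            and bool(entry.get("remediation", "").strip()))

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic with stdlib only; clamps to the month's last day."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    last = (date(year + month // 12, month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(d.day, last))

def due_date(cve_id: str, date_added: date) -> Optional[date]:
    """Two weeks for CVEs assigned in 2021, six months for 2017-2020 CVEs.
    Assumed handling: other years return None (the article gives no rule)."""
    m = CVE_RE.match(cve_id)
    if not m:
        return None
    year = int(m.group(1))
    if year == 2021:
        return date_added + timedelta(days=14)
    if 2017 <= year <= 2020:
        return add_months(date_added, 6)
    return None

def prioritize(catalog, inventory, today):
    """Return (cve_id, due, overdue) for inventory CVEs that are in the catalog,
    most urgent first. CVSS scores play no part in the ordering, by design."""
    valid = {e["cve_id"]: e for e in catalog if meets_catalog_criteria(e)}
    rows = []
    for cve in inventory:
        if cve in valid:
            due = due_date(cve, valid[cve]["date_added"])
            rows.append((cve, due, due is not None and today > due))
    return sorted(rows, key=lambda r: (r[1] is None, r[1] or date.max))

# Constructed sample catalog (placeholder IDs, not real KEV entries).
CATALOG = [
    {"cve_id": "CVE-2021-99901", "date_added": date(2021, 11, 3),
     "exploited_evidence": True, "remediation": "Apply vendor update"},
    {"cve_id": "CVE-2019-99902", "date_added": date(2021, 11, 3),
     "exploited_evidence": True, "remediation": "Apply vendor update"},
    {"cve_id": "CVE-2020-99903", "date_added": date(2021, 11, 3),
     "exploited_evidence": False, "remediation": "Apply vendor update"},
]
```

Running `prioritize(CATALOG, inventory, today)` against a host’s installed CVE list yields the catalog-matched items in deadline order with an overdue flag, which is the report the Continuous Diagnostics and Mitigation dashboard status would be built from.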

The agency also said the new policy “enhances” but does not replace a previous directive, BOD 19-02, aimed at remediating “critical and high vulnerabilities on internet-facing federal information systems identified through CISA’s vulnerability scanning service.”

While the directive only applies to federal systems, the hope is that it will spur more urgency at the state, local and private sector levels as well.

“This directive will significantly improve the federal government’s vulnerability management practices and degrade our adversaries’ ability to exploit known vulnerabilities,” Easterly said at the hearing today. “While the BOD only covers federal civilian agencies, we strongly recommend that every network defender review the known vulnerabilities posted publicly at CISA.gov and prioritize urgent remediation.”
