CISA gives civilian agencies two weeks to patch recent security exploits

An abstract image showing a skull over a pixelated background to symbolise a cyber security vulnerability
(Image credit: Shutterstock)

The US' Cyber security and Infrastructure Security Agency (CISA) has published an extensive list of known and actively exploited security vulnerabilities, setting deadlines by which federal civilian agencies must have them all patched.

A total of 291 individual vulnerabilities have been published in a publicly available online catalogue which includes known issues from the likes of Google, Apple, Adobe, Cisco, Citrix, Cisco, and more.

Federal civilian agencies across the US have been given six months to patch vulnerabilities that received a common vulnerabilities and exposures (CVE) ID before 2021. They have been given just two weeks to patch any exploited issues assigned a CVE this year. This means the deadlines are set at 22 May 2022 and 17 November 2021 for pre- and post-2021 vulnerabilities respectively.

As part of the binding operational directive (BOD 22-01) issued on Wednesday, all agencies have been told they must review their internal vulnerability management procedures in accordance with the directive within 60 days.

Agencies are also required to establish a process for ongoing remediation of vulnerabilities identified by CISA that may carry a risk to the federal enterprise, establish internal validation and enforcement procedures to ensure adherence to the directive, and set appropriate internal tracking and reporting requirements, among other measures.

In return, CISA promised to regularly update the catalogue of vulnerabilities, define the thresholds used to add vulnerabilities to the catalogue, and provide an annual progress report to the Secretary of Homeland Security, the Director of the Office of Management and Budget (OMB), and the National Cyber Director.

"The impact of cybersecurity intrusions that leverage vulnerabilities in information technology and operational technology products threaten the public sector, the private sector, and ultimately the American people’s security and privacy," said CISA in a written announcement. "In 2020, industry partners identified a total of 18,358 new cybersecurity vulnerabilities, or Common Vulnerabilities and Exposures (CVEs). Of these, 10,342 - an average of 28 per day - are classified 'critical' or 'high severity' vulnerabilities."

RELATED RESOURCE

How to reduce the risk of phishing and ransomware

Top security concerns and tips for mitigation

FREE DOWNLOAD

"The goal of BOD 22-01 is to enable federal agencies, as well as public and private sector organisations, to improve their vulnerability management practices and dramatically reduce their exposure to cyberattacks," said CISA. "To accomplish this goal, all organisations should review and refresh their vulnerability management policies and playbooks, refer to the CISA catalogue of known exploited vulnerabilities, and establish a more aggressive turnaround time to protect their networks against urgent, active threats."

The move from CISA follows a similar initiative focused on hardware vulnerabilities. This week, MITRE - the organisation tasked with assigning vulnerabilities their CVE codes and close partner of CISA's - revealed a list of the most important hardware weaknesses of the year.

Like CISA's vulnerability catalogue, the list of weaknesses was published to raise awareness of the issues in common hardware in the hope that it will lead to more secure products on shelves.

Connor Jones
Contributor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.