IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

CISA gives civilian agencies two weeks to patch recent security exploits

A total of 291 vulnerabilities have been detailed in an attempt to improve federal agency cyber security

The US' Cyber security and Infrastructure Security Agency (CISA) has published an extensive list of known and actively exploited security vulnerabilities, setting deadlines by which federal civilian agencies must have them all patched.

A total of 291 individual vulnerabilities have been published in a publicly available online catalogue which includes known issues from the likes of Google, Apple, Adobe, Cisco, Citrix, Cisco, and more.

Federal civilian agencies across the US have been given six months to patch vulnerabilities that received a common vulnerabilities and exposures (CVE) ID before 2021. They have been given just two weeks to patch any exploited issues assigned a CVE this year. This means the deadlines are set at 22 May 2022 and 17 November 2021 for pre- and post-2021 vulnerabilities respectively.

As part of the binding operational directive (BOD 22-01) issued on Wednesday,  all agencies have been told they must review their internal vulnerability management procedures in accordance with the directive within 60 days.

Agencies are also required to establish a process for ongoing remediation of vulnerabilities identified by CISA that may carry a risk to the federal enterprise, establish internal validation and enforcement procedures to ensure adherence to the directive, and set appropriate internal tracking and reporting requirements, among other measures.

In return, CISA promised to regularly update the catalogue of vulnerabilities, define the thresholds used to add vulnerabilities to the catalogue, and provide an annual progress report to the Secretary of Homeland Security, the Director of the Office of Management and Budget (OMB), and the National Cyber Director.

"The impact of cybersecurity intrusions that leverage vulnerabilities in information technology and operational technology products threaten the public sector, the private sector, and ultimately the American people’s security and privacy," said CISA in a written announcement. "In 2020, industry partners identified a total of 18,358 new cybersecurity vulnerabilities, or Common Vulnerabilities and Exposures (CVEs). Of these, 10,342 - an average of 28 per day - are classified 'critical' or 'high severity' vulnerabilities."

Related Resource

How to reduce the risk of phishing and ransomware

Top security concerns and tips for mitigation

Large letter 'O' against a background of a city - whitepaper from MimecastFree download

"The goal of BOD 22-01 is to enable federal agencies, as well as public and private sector organisations, to improve their vulnerability management practices and dramatically reduce their exposure to cyberattacks," said CISA. "To accomplish this goal, all organisations should review and refresh their vulnerability management policies and playbooks, refer to the CISA catalogue of known exploited vulnerabilities, and establish a more aggressive turnaround time to protect their networks against urgent, active threats."

The move from CISA follows a similar initiative focused on hardware vulnerabilities. This week, MITRE - the organisation tasked with assigning vulnerabilities their CVE codes and close partner of CISA's - revealed a list of the most important hardware weaknesses of the year.

Like CISA's vulnerability catalogue, the list of weaknesses was published to raise awareness of the issues in common hardware in the hope that it will lead to more secure products on shelves.

Featured Resources

Accelerating healthcare transformation through patient-centred medtech solutions

Seize the digital transformation opportunities to streamline patient care and optimise patient outcomes

Free Download

Big payoffs from big bets in AI-powered automation

Automation disruptors realise 1.5 x higher revenue growth

Free Download

Hyperscaler cloud service providers top ten

Why it's important for companies to consider hyperscaler cloud service providers, and why they matter

Free Download

Strategic app modernisation drives digital transformation

Address business needs both now and in the future

Free Download

Most Popular

Empowering employees to truly work anywhere

Empowering employees to truly work anywhere

22 Nov 2022
Larger monitors aren't all they're cracked up to be

Larger monitors aren't all they're cracked up to be

3 Dec 2022
Defra's legacy software problem 'threatens' UK gov cyber security until 2030
Business strategy

Defra's legacy software problem 'threatens' UK gov cyber security until 2030

6 Dec 2022