CISA Orders Agencies to Patch Hundreds of Vulnerabilities Under Attack

The Cybersecurity and Infrastructure Security Agency is pursuing a new strategy to guide agencies’ management of vulnerabilities with a binding operational directive that prioritizes their patching operations.

“With over 18,000 vulnerabilities identified in 2020 alone, organizations in the public and private sector find it challenging to prioritize limited resources toward remediating the vulnerabilities that are most likely to result in a damaging intrusion,” CISA said releasing a catalog of 291 vulnerabilities in top technology products including those from Android and Apple for mobile devices.

In the past, the agency’s directives often focused on addressing just one product with a high vulnerability score. 

“Instead of only focusing on vulnerabilities that carry a specific [Common Vulnerability Scoring System] score, CISA is targeting vulnerabilities for remediation that have known exploits and are being actively exploited by malicious cyber actors,” the agency said in a fact sheet on the new directive. “Also, rather than issue individual emergency directives for each vulnerability of concern, [Binding Operational Directive] 22-01 institutes a mechanism that: establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal enterprise; and requires federal civilian agencies to remediate these vulnerabilities within a more aggressive timeline.”

Some of the vulnerabilities listed in the catalog, such as those associated with attacks on Microsoft from earlier this year, were the subject of their own directives and are past due for remediation. Others that were assigned a Common Vulnerabilities and Exposures identification number prior to 2021 must be patched by May of next year under the order. But there are a hundred more current vulnerabilities on the list that must be resolved by Nov. 17.

Agencies are already under a directive to remediate certain vulnerabilities CISA flags on a routine basis. The new order instructs agencies to adjust their policies and operations to include the catalog, which CISA said will be regularly updated and should be applied more broadly across the federal enterprise.

“This directive enhances but does not replace BOD 19-02, which addresses remediation requirements for critical and high vulnerabilities on internet-facing federal information systems identified through CISA’s vulnerability scanning service,” the new directive reads. “This directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency’s behalf. These required actions apply to any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.”

Agencies have 60 days to review and update their vulnerability management policies in accordance with the directive. CISA may call on them to share those.