CISA gives civilian agencies two weeks to patch recent security exploits

The US' Cyber security and Infrastructure Security Agency (CISA) has published an extensive list of known and actively exploited security vulnerabilities, setting deadlines by which federal civilian agencies must have them all patched.

A total of 291 individual vulnerabilities have been published in a publicly available online catalogue which includes known issues from the likes of Google, Apple, Adobe, Cisco, Citrix, Cisco, and more.

Federal civilian agencies across the US have been given six months to patch vulnerabilities that received a common vulnerabilities and exposures (CVE) ID before 2021. They have been given just two weeks to patch any exploited issues assigned a CVE this year. This means the deadlines are set at 22 May 2022 and 17 November 2021 for pre- and post-2021 vulnerabilities respectively.

As part of the binding operational directive (BOD 22-01) issued on Wednesday, all agencies have been told they must review their internal vulnerability management procedures in accordance with the directive within 60 days.

Agencies are also required to establish a process for ongoing remediation of vulnerabilities identified by CISA that may carry a risk to the federal enterprise, establish internal validation and enforcement procedures to ensure adherence to the directive, and set appropriate internal tracking and reporting requirements, among other measures.

In return, CISA promised to regularly update the catalogue of vulnerabilities, define the thresholds used to add vulnerabilities to the catalogue, and provide an annual progress report to the Secretary of Homeland Security, the Director of the Office of Management and Budget (OMB), and the National Cyber Director.

"The impact of cybersecurity intrusions that leverage vulnerabilities in information technology and operational technology products threaten the public sector, the private sector, and ultimately the American people’s security and privacy," said CISA in a written announcement. "In 2020, industry partners identified a total of 18,358 new cybersecurity vulnerabilities, or Common Vulnerabilities and Exposures (CVEs). Of these, 10,342 - an average of 28 per day - are classified 'critical' or 'high severity' vulnerabilities."

"The goal of BOD 22-01 is to enable federal agencies, as well as public and private sector organisations, to improve their vulnerability management practices and dramatically reduce their exposure to cyberattacks," said CISA. "To accomplish this goal, all organisations should review and refresh their vulnerability management policies and playbooks, refer to the CISA catalogue of known exploited vulnerabilities, and establish a more aggressive turnaround time to protect their networks against urgent, active threats."

The move from CISA follows a similar initiative focused on hardware vulnerabilities. This week, MITRE - the organisation tasked with assigning vulnerabilities their CVE codes and close partner of CISA's - revealed a list of the most important hardware weaknesses of the year.

Like CISA's vulnerability catalogue, the list of weaknesses was published to raise awareness of the issues in common hardware in the hope that it will lead to more secure products on shelves.