CISA Directs Federal Agencies to Patch Known Vulnerabilities
BOD 22-01 Imposes Strict Deadlines for Remediation of Publicly Known Exploits

The U.S. Cybersecurity and Infrastructure Security Agency on Wednesday issued a new directive requiring federal civilian agencies to patch vulnerabilities known to be actively exploited in the wild.
CISA says in a statement that the Binding Operational Directive, or BOD, 22-01 - "Reducing the Significant Risk of Known Exploited Vulnerabilities" - will "drive urgent and prioritized remediation of vulnerabilities." The agency says the directive establishes a CISA-managed catalog of vulnerabilities that must be addressed within specific time frames. This includes requirements to remediate within six months for common vulnerabilities and exposures, or CVEs, assigned prior to 2021, and within two weeks for all other vulnerabilities.
Approximately 200 vulnerabilities identified between 2017 and 2020, plus 90 from 2021, make up the initial publication. The agency says it will regularly update the catalog with new vulnerabilities that meet specified thresholds, based on evidence that they are actively being leveraged by a threat actor.
The directive applies to all software and hardware found on federal information systems, including those managed on agency premises or hosted by third parties on an agency's behalf, CISA says. It is the first governmentwide requirement to remediate vulnerabilities affecting both internet-facing and non-internet-facing assets.
'Drive Efforts Toward Mitigation'
CISA Director Jen Easterly says of BOD 22-01, "As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of specific vulnerabilities that we know to be actively used by malicious cyber actors."
In a hearing before the House Homeland Security Committee on Wednesday, Easterly noted, "[This] new, binding operational directive fundamentally changes how the federal civilian government addresses vulnerabilities being actively exploited by our adversaries.
"[It] will significantly improve the federal government's vulnerability management practices and degrade our adversaries' ability to exploit known vulnerabilities. … I think that can make a real difference not just for federal agencies, but from a signaling perspective for our critical infrastructure owners and operators to businesses large and small around the country."
"Jen Easterly is building a comprehensive approach to cybersecurity," says James A. Lewis, a cybersecurity researcher for the Center for Strategic and International Studies. "This catalog is a great first step. There is customer demand for it."
Thousands of CVEs and Counting
CISA says over 18,000 CVEs were identified in 2020 alone. Of these, 10,342 - or about 28 per day - are classified as "critical" or "high-severity" vulnerabilities, according to a fact sheet on the new directive.
"The issue [here] is, as always, [the] follow-up," CSIS' Lewis tells ISMG. "It's not enough to just tell people about a vulnerability; you have to see if they actually do something to remedy it. Let's see what CISA, the Office of Management and Budget, the National Security Council and the Office of the National Cyber Director come up with to ensure federal action so that we get full value from this catalog."
Bill Lawrence, a former cybersecurity instructor at the U.S. Naval Academy and currently CISO with the firm SecurityGate, tells ISMG, "CISA continues to impress with its focus on defending government networks and systems by executing on the basics of cyber 'blocking and tackling.' It is disappointing that it takes a Binding Operational Directive, [however,] for U.S. federal departments and agencies to implement critical patches. But kudos to CISA for recognizing this issue and using its authorities to enforce action."
Mike Hamilton, former vice chair for the Department of Homeland Security State, Local, Tribal, and Territorial Government Coordinating Council, says: "The directive continues the aggressive approach by the Biden administration to shore up the defensive posture of federal agencies by making it clear that vulnerabilities must be managed - even if they do not appear to be of high severity."
Hamilton, who is currently CISO of the firm Critical Insight, adds: "There should be a knock-on effect in the private sector. … A logical next step may be active scanning for vulnerable systems in the private sector - starting with critical infrastructure providers."
Patching Habits
In 2015, the National Protection and Programs Directorate, a precursor to CISA, determined that it took federal agencies as many as 200 to 300 days to remediate vulnerabilities, according to CISA. The directive BOD 15-01 then required federal agencies to resolve "critical risk" vulnerabilities within 30 days. This was followed by BOD 19-02, which pushed that "critical risk" remediation window to 15 days and added a 30-day window for remediating "high-risk" vulnerabilities.
Between 2015 and 2018, however, the number of new vulnerabilities surged from 6,487 to 17,305, and 9,883 of those were deemed "high-risk" or "critical." Still, CISA says, the adaptability, sophistication and speed at which cyber adversaries move has outpaced agencies' improved remediation time.
Since 2019, CISA has issued emergency directives instructing agencies to focus their efforts and resources on specific vulnerabilities - including the SolarWinds Orion code compromise and on-premises Microsoft Exchange servers, among others.
CISA notes, however, that risk scores based on the Forum of Incident Response and Security Teams' Common Vulnerability Scoring System, or CVSS, "do not always accurately depict the danger or actual hazard that a CVE presents." Many "critical" vulnerabilities, the agency says, are highly complex to exploit and are never exploited in the wild. CISA says just 4% of the total number of CVEs have been publicly exploited. Of that 4%, however, 42% are used on day zero of disclosure, and 50% are used within two days. Some of these have "medium" or even "low" risk scores.
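The directive's two rules above can be turned into a simple triage check: the due date depends only on the year in the CVE ID and the date the entry was added to the catalog, and catalog membership, not CVSS score, decides what goes first. The script below is an added example written for this article, not CISA's code or a reader of the real catalog; the catalog extract, the findings list and the CVE-2020-99999 placeholder are constructed inputs (the dictionary shape is an assumption, not CISA's published schema, though the three real CVE IDs and their 3 Nov 2021 add date match the initial publication).

```python
"""Triage scanner findings by KEV membership and BOD 22-01 due dates (added example)."""
from calendar import monthrange
from datetime import date, timedelta

# Constructed catalog extract: CVE ID -> date the entry was added to the catalog.
# The dict shape is an assumption for this example, not CISA's actual schema.
SAMPLE_CATALOG = {
    "CVE-2017-0144": date(2021, 11, 3),
    "CVE-2020-1472": date(2021, 11, 3),
    "CVE-2021-26855": date(2021, 11, 3),
}


def cve_year(cve_id):
    """Return the year embedded in a CVE ID, rejecting malformed IDs."""
    parts = cve_id.upper().split("-")
    if (len(parts) != 3 or parts[0] != "CVE"
            or not parts[1].isdigit() or not parts[2].isdigit()):
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(parts[1])


def add_months(d, months):
    """Calendar-month arithmetic that clamps the day (Aug 31 + 6 months -> Feb 28)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def due_date(cve_id, date_added):
    """BOD 22-01 rule: CVE IDs assigned before 2021 get six months, all others two weeks."""
    if cve_year(cve_id) < 2021:
        return add_months(date_added, 6)
    return date_added + timedelta(days=14)


def triage(findings, catalog, today):
    """Annotate findings with catalog status and order them for remediation.

    findings: list of {"cve", "cvss", "asset"} dicts (constructed input).
    Order: catalogued entries first (overdue, then earliest due date), then
    everything else by CVSS descending. A 9.8 that is not in the catalog
    sorts below a catalogued 8.1, which is the directive's point.
    """
    rows = []
    for f in findings:
        added = catalog.get(f["cve"])
        due = due_date(f["cve"], added) if added else None
        rows.append({
            **f,
            "in_kev": added is not None,
            "due": due,
            "overdue": bool(due and today > due),
        })
    rows.sort(key=lambda r: (not r["in_kev"], not r["overdue"],
                             r["due"] or date.max, -r["cvss"]))
    return rows


if __name__ == "__main__":
    # Constructed findings; CVE-2020-99999 is a hypothetical placeholder ID.
    findings = [
        {"cve": "CVE-2020-99999", "cvss": 9.8, "asset": "app-01"},
        {"cve": "CVE-2017-0144", "cvss": 8.1, "asset": "file-07"},
        {"cve": "CVE-2021-26855", "cvss": 9.8, "asset": "mail-02"},
    ]
    for r in triage(findings, SAMPLE_CATALOG, date(2021, 12, 1)):
        flag = "OVERDUE" if r["overdue"] else ("KEV" if r["in_kev"] else "-")
        print(f'{flag:8} {r["cve"]:16} cvss={r["cvss"]:<4} due={r["due"]} {r["asset"]}')
```

The catalog lookup is the only external input; swapping the constructed dictionary for a parsed copy of the published catalog is the one change needed to run this against real scanner output.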
Under BOD 22-01, within 60 days of issuance, agencies are also required to:
- Review and update internal vulnerability management procedures;
- Assign requisite roles and responsibilities;
- Define actions, establish internal validation procedures and set tracking and reporting requirements.
CISA will also report findings annually to the secretary of Homeland Security, the director of the Office of Management and Budget and the national cyber director.