The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued a binding directive requiring federal government agencies to patch their systems against hundreds of known and previously exploited security vulnerabilities.
The directive, published Wednesday, covers every major vendor, from Microsoft to IBM, Oracle and Google, and lists nearly 300 CVEs that CISA said have been exploited in the wild.
"The Directive applies to all software and hardware found on federal information systems, including those managed on agency premises or hosted by third parties on an agency's behalf," CISA said in announcing the directive. "With this Directive, CISA is imposing the first government-wide requirements to remediate vulnerabilities affecting both internet-facing and non-internet facing assets."
In short, the document asks admins who manage hardware and software on behalf of government agencies to bring all of their machines up to date with security patches and to stay current with software updates from then on. CISA's directive gives agencies two weeks to patch vulnerabilities with CVEs assigned in 2021, and six months to remediate all other vulnerabilities.
The idea, according to CISA, is to remove the low-hanging fruit that is known software vulnerabilities, with hopes that the directive also rubs off on private companies. While CISA lists hundreds of bugs in its catalog, the agency says it wants to put a priority on "urgent and prioritized remediation of vulnerabilities that are being actively exploited by adversaries."
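The two-tier deadline described above (two weeks for 2021 CVEs, six months for everything else) is easy to operationalize once a catalog of exploited CVEs is matched against an asset inventory. The following is an added example, not code from the article or from CISA: it joins a constructed host inventory with a constructed catalog, computes each finding's due date relative to the directive's publication date, and sorts the result so overdue items surface first. The CVE identifiers, host names, catalog field names and the directive date are all placeholders assumed for the example.

```python
"""Triage a host inventory against a catalog of known-exploited CVEs and
compute remediation deadlines under a two-tier rule (added example; the
catalog and inventory below are constructed, not CISA's data)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class CatalogEntry:
    cve_id: str
    vendor: str
    product: str


@dataclass(frozen=True)
class Finding:
    host: str
    cve_id: str
    due: date
    overdue: bool


# Placeholder date: the article only says the directive was published "Wednesday".
DIRECTIVE_DATE = date(2021, 11, 3)

# Constructed catalog with placeholder CVE ids (not real vulnerabilities).
SAMPLE_CATALOG = [
    CatalogEntry("CVE-2021-00001", "ExampleVendor", "ExampleProduct"),
    CatalogEntry("CVE-2020-00002", "ExampleVendor", "ExampleProduct"),
    CatalogEntry("CVE-2019-00003", "OtherVendor", "OtherProduct"),
]

# Constructed inventory: host -> CVEs reported by a scanner. CVE-2018-99999 is
# not in the catalog and therefore falls outside the directive's clock.
SAMPLE_INVENTORY = {
    "web-01": ["CVE-2021-00001", "CVE-2020-00002"],
    "db-01": ["CVE-2019-00003", "CVE-2018-99999"],
}


def cve_year(cve_id: str) -> int:
    """Return the assignment year encoded in a CVE id such as CVE-2021-00001."""
    parts = cve_id.strip().upper().split("-")
    if len(parts) != 3 or parts[0] != "CVE" or not parts[1].isdigit():
        raise ValueError(f"malformed CVE id: {cve_id!r}")
    return int(parts[1])


def add_months(d: date, months: int) -> date:
    """Calendar-month addition, clamped to the last day of the target month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def due_date(cve_id: str, directive_date: date) -> date:
    """Two weeks for CVEs assigned in 2021, six months for all others."""
    if cve_year(cve_id) == 2021:
        return directive_date + timedelta(days=14)
    return add_months(directive_date, 6)


def triage(inventory: dict[str, list[str]], catalog: list[CatalogEntry],
           directive_date: date, today: date) -> list[Finding]:
    """Match inventory CVEs against the catalog and attach deadlines.
    Overdue findings sort first, then by nearest deadline, then by host."""
    known = {entry.cve_id for entry in catalog}
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            if cve not in known:
                continue  # still worth patching, but not under the directive's deadline
            due = due_date(cve, directive_date)
            findings.append(Finding(host, cve, due, overdue=today > due))
    findings.sort(key=lambda f: (not f.overdue, f.due, f.host))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, SAMPLE_CATALOG, DIRECTIVE_DATE, date(2021, 12, 1)):
        status = "OVERDUE" if f.overdue else "due"
        print(f"{f.host:8} {f.cve_id:15} {status} {f.due.isoformat()}")
```

The month arithmetic is clamped so a directive published on the 31st does not produce an invalid deadline, and findings that are not in the catalog are deliberately skipped rather than given a deadline, mirroring the article's point that the directive targets exploited vulnerabilities rather than every open CVE.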
"Every day, our adversaries are using known vulnerabilities to target federal agencies. As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors," said CISA director Jen Easterly.
"The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks. While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA's public catalog."
Patching security vulnerabilities has been a longstanding best practice for governments and enterprises alike, but getting caught up and staying current on security updates is easier said than done. Previous efforts by the DHS to mandate patch installation have proven to be difficult to actually enforce at the end-user level, leading to agencies being left wide open to publicly-known attacks.
Part of the problem is that, with so many agencies and offices to manage, getting a proper handle on just how many machines a U.S. government agency operates can be difficult, let alone keeping track of when the most recent updates were pushed through the pipeline.
In addition to more aggressive patching requirements, collaboration between the public and private sectors has also been a priority under the Biden Administration. Federal agencies have made efforts to reach out to private companies in hopes of stepping up security against state-sponsored attackers who would target not only government agencies, but their private contractor partners.