The Cybersecurity and Infrastructure Security Agency (CISA) issued a Binding Operational Directive (BOD) requiring federal agencies to remediate known exploited vulnerabilities within CISA’s given timeline.
The BOD is a compulsory directive that applies to federal executive branch departments and agencies for the purpose of safeguarding federal information systems.
The directive aims at reducing the significant risks of known exploited vulnerabilities by patching them promptly to avoid exposure time.
The agency also published a list of about 300 previously exploited vulnerabilities that federal agencies should address within the timetable.
CISA publishes a catalog of commonly exploited vulnerabilities
CISA released a catalog of common vulnerabilities and exposures (CVEs) and timelines to fix them. In 2020, CISA discovered about 18,000 vulnerabilities, with more than half (10,000) being critical or high severity.
However, the catalog features only 90 commonly exploited vulnerabilities discovered in 2020 and 200 others discovered as early as 2017.
CISA says that updating the catalog is an ongoing process. It would include recently exploited vulnerabilities that meet the set criteria after undergoing executive-level review.
Some of the conditions for inclusion are the existence of a CVE ID, exploitation in the wild, and the availability of mitigations.
The catalog features products from Apple, Adobe, Accellion, Apache, Android, Cisco, Docker, F5, Fortinet, Ivanti, Kaseya, SolarWinds, Microsoft, QUALCOMM, Pulse, SAP, TeamViewer, Oracle, WordPress, Mozilla, Sophos, NetGear, Citrix, PlaySMS, Roundcube, Realtek, Trend Micro, Symantec, among others.
Apple had 23 commonly exploited vulnerabilities, mostly affecting mobile devices, and Android had four security flaws listed, highlighting the evolving landscape of mobile threats.
Similarly, Google had 22 commonly exploited vulnerabilities affecting Google Chrome browser or the Chromium engine, while Microsoft earned the top spot with 80 vulnerabilities appearing on CISA’s catalog.
Tim Erlin, VP of Strategy at Tripwire, says that CISA leveled the playing field for organizations to determine which vulnerabilities to prioritize.
“It’s no longer up to each individual agency to decide which vulnerabilities are the highest priority to patch. The positive outcome to expect here is that agencies will address these vulnerabilities more effectively with this guidance,” said Erlin.
“There’s also a risk that this approach won’t account for nuances in how risk is assessed for each agency, but there’s plenty of evidence that such nuances aren’t being accounted for now either.”
However, he noted that the directive would not automatically improve organizations’ ability to remediate exploited vulnerabilities unless supported by other actions, such as the President’s Executive Order on cybersecurity.
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, noted that only 2% of the vulnerabilities discovered every year were under active exploitation by attackers. However, knowing which ones to address was problematic for most organizations.
“Well, CISA is now maintaining that list. They call it a vulnerability management catalog. But what they put in their log is only actively exploited vulnerabilities. So, you want to know what you really need to patch? There you go.”
He added that the catalog also solved the problem of determining how fast network defenders should patch exploited vulnerabilities.
“Most regulations say something general, like “apply critical patches in a timely manner,” Grimes continues. “CISA is telling you what is critical…it is in their catalog. Second, they are saying it needs to be done within two weeks (subject to change). There you go. They have officially defined “timely.”
Federal agencies have two weeks to fix commonly exploited vulnerabilities
CISA directed federal agencies to fix, within six months, the listed exploited vulnerabilities posing “significant risks” to federal agencies whose CVE IDs were assigned prior to 2021. Federal agencies have two weeks to remediate all other listed vulnerabilities whose CVE IDs were assigned after 2021.
CISA says that instead of basing its directive on the CVSS score, it prioritizes CVEs being actively exploited in the wild. “BOD 22-01 drives federal agencies to mitigate the vulnerabilities on their networks that are most likely to result in a damaging intrusion,” CISA noted.
“It’s an unfortunate fact that some government agencies can be among the slowest institutions to implement security patches in a timely manner,” said Chris Clements, VP of Solutions Architecture, Cerberus Sentinel.
“There are three major things at play here. First, some agencies rely on software only compatible with unsupported underlying systems such as Windows Server 2003 or even Windows XP Embedded.”
Clements highlighted the challenges posed by legacy software that would break the platform it runs on if patched, and upgrading to a newer ecosystem seems too expensive.
“This, however, is penny smart and pound foolish,” Clements continued. “With modern cyberattacks now routinely reaching into the millions of dollars of damages, especially with ransomware, leaving a known vulnerable system online becomes an expensive risk.”
However, David White, Founder and President of Axio, was critical of the 14-day ultimatum issued to federal agencies.
“It’s a step in the right direction for DHS to issue federal orders in alignment with directives that apply to the private sector,” White said. “However, the 2-week requirement for federal IT systems is still more lenient than the 7-day requirement recently issued by DHS-TSA, which applies to the private sector.
“Consistency in remediation timelines would assist DHS in moving away from voluntary standards and lax federal compliance schemes to more stringent and timely requirements backed by enforcement.”
However, CISA says it may adjust the timelines based on the risk that the exploited vulnerabilities posed to the Federal Enterprise.
CISA also requires federal agencies to implement procedures for remediating, within the given timelines, future vulnerabilities that it identifies. This process involves assigning roles and responsibilities, defining the necessary actions, and establishing internal validation and enforcement procedures. Agencies must also set internal tracking and reporting requirements to evaluate compliance with the directive and to report back to CISA.
Additionally, federal agencies should review and update agency internal vulnerability management procedures within 60 days and make them available when requested.
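The deadline rule described above (six months for CVE IDs assigned before 2021, two weeks for everything else, counted from the date the entry is added to the catalog) and the tracking requirement lend themselves to a small triage script. The following is an added example, not CISA’s code or the article’s; the catalog entries, CVE IDs, dates and scanner findings are constructed placeholders, and the assumption that the clock starts at the catalog add date is the author’s reading of the article.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class KevEntry:
    cve_id: str       # CVE identifier as listed in the catalog
    product: str      # affected product
    date_added: date  # day the entry was added; the remediation clock starts here

def cve_year(cve_id: str) -> int:
    """Year the CVE ID was assigned, parsed from the CVE-YYYY-NNNN form."""
    prefix, year, seq = cve_id.split("-")
    if prefix != "CVE" or not seq.isdigit():
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(year)

def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic so 'six months' does not silently become 180 days."""
    m = d.month - 1 + n
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

def due_date(entry: KevEntry) -> date:
    """Deadline rule as the article states it: CVE IDs assigned before 2021 get
    six months, everything else two weeks, counted from the catalog add date."""
    if cve_year(entry.cve_id) < 2021:
        return add_months(entry.date_added, 6)
    return entry.date_added + timedelta(days=14)

def triage(findings, catalog, today):
    """Map each scanner finding (a CVE ID) to (status, due date) against the catalog."""
    by_id = {e.cve_id: e for e in catalog}
    report = {}
    for cve in findings:
        entry = by_id.get(cve)
        if entry is None:
            report[cve] = ("not in catalog", None)  # normal patch cadence applies
            continue
        due = due_date(entry)
        report[cve] = ("overdue" if today > due else "open", due)
    return report

# Constructed sample data: placeholder IDs, products and dates, not real catalog entries.
SAMPLE_CATALOG = [
    KevEntry("CVE-2019-99901", "example-vpn-appliance", date(2021, 11, 3)),
    KevEntry("CVE-2021-99902", "example-mail-server", date(2021, 11, 3)),
]
SAMPLE_FINDINGS = ["CVE-2021-99902", "CVE-2019-99901", "CVE-2020-99903"]

if __name__ == "__main__":
    for cve, (status, due) in triage(SAMPLE_FINDINGS, SAMPLE_CATALOG, date(2021, 12, 1)).items():
        print(f"{cve}: {status}" + (f", due {due}" if due else ""))
```

Feeding a real scan export and the live catalog into `triage` gives the per-CVE status an agency would need for the internal tracking and reporting the directive asks for.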
Directive applies to all federal information systems, including third-party-managed ones
The directive has a wide scope covering all software and hardware managed on agency premises or hosted by third parties on behalf of federal agencies.
Similarly, it applies to any federal information system, including an information system that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.
“One of the biggest challenges within the federal government is maintaining a vast array of disparate computer systems owned by dozens of different agencies,” noted Crane Hassold, Director of Threat Intelligence at Abnormal Security. “This is why CISA is so critical in today’s world of constant cyber threats from state actors and cybercriminals.”
Appearing before the House Homeland Security Committee, CISA director Jen Easterly said the binding directive would improve the federal government’s vulnerability management practices. She also noted that while the directive only applies to federal civilian agencies, every network defender should implement the proposals.
“As we know, everything is connected, everything is interdependent. These days, since everything sits on that technology baseline and therefore everything is potentially vulnerable,” said Easterly.
Saryu Nayyar, CEO, Gurucul, noted that it was refreshing that CISA took leadership in mandating vulnerability patching. “Too many organizations think patching software is optional and doesn’t have to be done immediately,” said Nayyar. “It’s refreshing to see that CISA has listed a comprehensive list of known vulnerabilities along with relevant patches. Every organization, even those outside of the government, should obtain this list and use it to check their own patch programs.”