CISA releases directive to remediate dangerous vulnerabilities across civilian agencies

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a wide-ranging mandate, a Binding Operational Directive (BOD 22-01), for all civilian federal agencies “to drive urgent and prioritized remediation of vulnerabilities that are being actively exploited by adversaries.” The goal of the BOD is to help agencies clarify and focus their remediation efforts in the face of thousands of discovered vulnerabilities – 18,000 in 2020 alone – and prioritize those deemed most dangerous for remediation.

The directive requires the agencies to remediate the vulnerabilities within specified time frames relying on a CISA-managed catalog of known exploited vulnerabilities. CISA says this directive enhances but does not replace BOD 19-02,  issued in April 2019 to address remediation requirements for critical and high vulnerabilities on internet-facing federal information systems identified through CISA’s vulnerability scanning service.

This latest directive addresses non-internet-facing assets and applies to all software and hardware found on federal information systems, including those managed on agency premises or hosted by third parties on an agency’s behalf. However, CISA strongly recommends “that private businesses and state, local, tribal and territorial (SLTT) governments prioritize mitigation of vulnerabilities listed in CISA’s public catalog and sign up to receive notifications when new vulnerabilities are added.”

Federal agencies have 60 days to review and update agency internal vulnerability management procedures under the directive. Agencies must remediate within six months those vulnerabilities that pose significant risk and have a Common Vulnerabilities and Exposures (CVE) ID assigned before 2021. All other vulnerabilities must be remediated within two weeks. The directive encompasses 200 known security flaws identified by cybersecurity professionals between 2017 and 2020, plus 90 discovered in 2021.

CISA directive is “groundbreaking”

The directive is “groundbreaking in that for the first time, this is giving timelines to remediate those specific vulnerabilities that we know have been actively exploited by adversaries,” CISA Director Jen Easterly said during a House Homeland Security Committee hearing held hours after the directive’s release. “Not just all vulnerabilities but the ones we think are most dangerous.” The directive “will effectively improve the federal government’s vulnerability practices and degrade our adversaries’ ability to exploit known vulnerabilities.”

The committee members appeared to warmly received the directive. Congressman Jim Langevin (D-RI), chairman of the House Armed Services Committee’s Subcommittee on Cyber, Innovative Technologies, and Information Systems (CITI), praised the effort. In a statement, he said that CISA’s latest BOD “will go a long way towards strengthening network security and improving our federal cyber hygiene.”

Former government officials and current cybersecurity experts also generally think the directive is a good move. “It’s a step in the right direction,” Theresa Payton, former White House CIO and current CEO of cybersecurity company Fortalice Solutions, tells CSO.

“I think anything that can be done to help agencies prioritize is always useful,” Joseph Stuntz, former OMB official and now director of federal and platform at data encryption and digital privacy company Virtru, tells CSO. “Because DHS has the wider lens than any one agency, at least on the civilian side, giving a little bit more of a risk-informed, a threat-informed approach to vulnerability management is a positive thing.”

Compressed timeframe to address vulnerabilities could pose problems

The compressed time frame and the sheer number of cybersecurity tasks that federal agencies already face could raise a host of practical obstacles in meeting the directive’s requirements. “I have concerns, and I’ve got more questions than answers right now,” Payton says. “It appears to be an unfunded mandate,” which could hamper agencies’ ability to hire personnel or spend funds to comply with the mediation requirements.

“A CISA-managed catalog is a great concept, but I’m wondering about redundancy here. There already is a vulnerability disclosure process that DHS-CISA has, that the FBI through InfraGuard has. Then private sector companies like Microsoft, Apple, Cisco and IBM also send out alerts around exploited vulnerabilities and what to do about them,” Payton says. “So there feels like there’s a little bit of redundancy here.”

According to Payton, the timing of the directive, coming on the cusp of the holiday season, might compound the difficulties. “My concern is, wow, it’s been a challenging time, and you’re just in time for the holidays. If it were easy to remediate these vulnerabilities, the departments and agencies would have done it.”

Jim Gogolinski, vice president of research and intelligence at cloud security firm iboss, underscored the time-frame challenges. “What’s left to be seen though is whether agency teams and their vendors are prepared to actually make all these patches within the required window,” he said in a statement. “This may force non-compliance or require a change in software or procedures to bring the organization back into compliance, which could be a lengthy and expensive process.”

Why do agencies fail to remediate vulnerabilities?

The question arises: Why haven’t agencies been remediating the most dangerous vulnerabilities all along? “Getting a clearer picture of the risk isn’t easy,” Stuntz says. “You have to have a better sense of what’s out there in terms of versions, in terms of what is being exploited, and how it is being exploited. DHS is stepping up to the plate a little bit here in terms of, ‘We’re going to provide you as close to a prioritized list as we can.’ Then agencies are going to have to do the hard work of tailoring it for their own environments.”

However, Fortalice’s Payton thinks the DHS should probe deeper into why agencies have failed to remediate the vulnerabilities. “I would encourage DHS to understand the blocks that exist that have kept them from implementing the fixes and look for ways to address those at the top level, instead of every agency fend for yourself.”

If the barriers to good remediation stem from the chronic lack of cybersecurity talent typical of most government agencies, Payton suggests bringing in outside help. For example, “I would love to see DHS provide a tiger team [a group of cross-functional experts charged with solving a specific problem or critical issue] that could be set up to visit and assist these lagging departments and agencies with implementations.”

“We have to get more creative,” Payton says. “We need bold, creative, new thinking because just giving people a scorecard, marking them red and yellow, and saying, ‘You didn’t make the deadline,’ is not going to get us where we need to be.”