CISA passes directive forcing federal civilian agencies to fix 306 vulnerabilities

The running list of prioritized vulnerabilities will evolve based on CISA's understanding of adversary activity, the agency said.

CISA issued a new directive on Wednesday that forces federal civilian agencies to remediate at least 306 vulnerabilities commonly exploited during attacks. CISA officials emphasized that the catalog was focused on vulnerabilities they said were "causing harm now" but would also be used as a running list of prioritized vulnerabilities based on their evolving understanding of adversary activity.

Each of the vulnerabilities has a different due date attached to them, with some due to be mitigated by November 17 and others set for May 3, 2022. 

Binding Operational Directive (BOD) 22-01 -- titled "Reducing the Significant Risk of Known Exploited Vulnerabilities" -- applies to all of the software and hardware found on federal information systems, according to the release. That includes vulnerabilities affecting both internet-facing and non-internet facing assets as well as those managed on an agency's premises or hosted by third parties on an agency's behalf.

They urged private businesses and state, local, tribal and territorial governments specifically to address the vulnerabilities in the list and sign up to get notifications when new vulnerabilities are added. 

CISA Director Jen Easterly said that while the directive only applies to federal civilian agencies, all organizations should "prioritize mitigating vulnerabilities listed on our public catalog, which are being actively used to exploit public and private organizations."

"Every day, our adversaries are using known vulnerabilities to target federal agencies. As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors," Easterly said. 

"The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks. While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities." 

CISA noted that the deluge of available vulnerabilities discovered in 2020 alone was over 18,000, making it nearly impossible for organizations to keep up. The problem is exacerbated by the fact that most organizations have small IT teams ill-equipped to handle attacks perpetrated by veteran cybercriminals or nation-states.  

The list features vulnerabilities from dozens of the largest technology companies, ranging from IBM, Oracle and Cisco to Apple, Microsoft, Adobe and Google.

Rep. Jim Langevin, co-chair of the House Cybersecurity Caucus, said the directive would "go a long way towards strengthening network security and improving our federal cyber hygiene."

He noted that President Biden's Cybersecurity Executive Order "includes important elements on Zero Trust, and CISA's BOD is in line with that philosophy of not only looking at perimeter defense."

Ray Kelly, principal security engineer at NTT Application Security, said the catalog was ideal because it could be turned into an actionable list of tasks that can be tracked and verified by different departments.

"Looking at the provided vulnerability catalog, it appears like a good mix of critical vulnerabilities that covers software, firmware and mobile devices," Kelly said. "However, while there is good coverage of high impact vulnerabilities being addressed, its important to note that this doesn't mean continuous assessments and vulnerability analysis should be stopped. Malicious actors will always be looking to take advantage of the next security gap in any organization."

While experts lauded the effort behind the directive, some said there were complex reasons why some things are not always patched.

Chris Grove, chief security strategist at Nozomi Networks, works in the critical infrastructure arena and said that while the directive showed a "progressive approach to securing federal agencies in the next few months," it could not be applied to critical infrastructure systems. 

"There are often legitimate reasons why things are not patched within many critical infrastructure environments. Most notably many turnkey ICS equipment vendors embed technologies within their product, which if forced to implement a patch could break the equipment," Grove said. 

"In some of these cases, an update or patch may void the warranty and violate the manufacturers terms and conditions. Also, some updates require maintenance windows and planned outages. Many ICS entities only schedule downtime every 3-4 years. It's impossible for them to keep up with patching."

Critical Insight CISO Mike Hamilton told ZDNet that what stood out most to him were the vulnerabilities that did not appear to be of high severity.

The directive makes it clear that vulnerabilities that are rated medium and low can be "chained," and that low severity issues cannot be ignored, Hamilton explained. 

"By setting this example for federal agencies and making the catalog widely available, there should be a knock-on effect in the private sector – both with receiving the message that low severity vulnerabilities must be managed, and by providing an explicit list of those known to be useful in exploit chaining," Hamilton said.

"A logical next step may be active scanning for vulnerable systems in the private sector -- starting with critical infrastructure providers -- and providing notifications for vulnerable exposures."