CISA gives civilian agencies two weeks to patch recent security exploits

A total of 291 vulnerabilities have been detailed in an attempt to improve federal agency cyber security

An abstract image showing a skull over a pixelated background to symbolise a cyber security vulnerability

The US' Cyber security and Infrastructure Security Agency (CISA) has published an extensive list of known and actively exploited security vulnerabilities, setting deadlines by which federal civilian agencies must have them all patched.

A total of 291 individual vulnerabilities have been published in a publicly available online catalogue which includes known issues from the likes of Google, Apple, Adobe, Cisco, Citrix, Cisco, and more.

Federal civilian agencies across the US have been given six months to patch vulnerabilities that received a common vulnerabilities and exposures (CVE) ID before 2021. They have been given just two weeks to patch any exploited issues assigned a CVE this year. This means the deadlines are set at 22 May 2022 and 17 November 2021 for pre- and post-2021 vulnerabilities respectively.

As part of the binding operational directive (BOD 22-01) issued on Wednesday,  all agencies have been told they must review their internal vulnerability management procedures in accordance with the directive within 60 days.

Agencies are also required to establish a process for ongoing remediation of vulnerabilities identified by CISA that may carry a risk to the federal enterprise, establish internal validation and enforcement procedures to ensure adherence to the directive, and set appropriate internal tracking and reporting requirements, among other measures.

In return, CISA promised to regularly update the catalogue of vulnerabilities, define the thresholds used to add vulnerabilities to the catalogue, and provide an annual progress report to the Secretary of Homeland Security, the Director of the Office of Management and Budget (OMB), and the National Cyber Director.

"The impact of cybersecurity intrusions that leverage vulnerabilities in information technology and operational technology products threaten the public sector, the private sector, and ultimately the American people’s security and privacy," said CISA in a written announcement. "In 2020, industry partners identified a total of 18,358 new cybersecurity vulnerabilities, or Common Vulnerabilities and Exposures (CVEs). Of these, 10,342 - an average of 28 per day - are classified 'critical' or 'high severity' vulnerabilities."

Related Resource

How to reduce the risk of phishing and ransomware

Top security concerns and tips for mitigation

Large letter 'O' against a background of a city - whitepaper from MimecastFree download

"The goal of BOD 22-01 is to enable federal agencies, as well as public and private sector organisations, to improve their vulnerability management practices and dramatically reduce their exposure to cyberattacks," said CISA. "To accomplish this goal, all organisations should review and refresh their vulnerability management policies and playbooks, refer to the CISA catalogue of known exploited vulnerabilities, and establish a more aggressive turnaround time to protect their networks against urgent, active threats."

The move from CISA follows a similar initiative focused on hardware vulnerabilities. This week, MITRE - the organisation tasked with assigning vulnerabilities their CVE codes and close partner of CISA's - revealed a list of the most important hardware weaknesses of the year.

Like CISA's vulnerability catalogue, the list of weaknesses was published to raise awareness of the issues in common hardware in the hope that it will lead to more secure products on shelves.

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021

Most Popular

What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
Jack Dorsey resigns as Twitter CEO
business management

Jack Dorsey resigns as Twitter CEO

29 Nov 2021
Nike to take customers into the metaverse with 'NIKELAND'
virtualisation

Nike to take customers into the metaverse with 'NIKELAND'

19 Nov 2021