CISA Releases Directive for Federal Agencies, DHS to Lead Known Cyber Vulnerabilities Purge Effort

On November 3, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS) released a binding operational directive with a new strategy guiding civilian federal agencies' management of known exploited vulnerabilities. The catalog of vulnerabilities provides remediation deadlines as early as November 17, 2021.

CISA's directive is the first federal requirement for addressing vulnerabilities affecting both internet-facing assets and assets not facing the internet. The security of information technology and complimentary assets must be ensured for the efficiency of the federal government’s operations, according to CISA, citing over 18,000 vulnerabilities identified in 2020 alone.

A Treasury Inspector General for Tax Administrations audit report conducted in 2018 revealed a lax security culture, reflecting the persistent struggles of some agencies to address cyber threats.

“Every day, our adversaries are using known vulnerabilities to target federal agencies. As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors,” stated CISA Director Jen Easterly, “The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber-attacks.”

Director Easterly stated the catalog would be updated regularly and applied more broadly across the federal enterprise and instructs agencies to include the catalog in their policies and operations.

There are remediation deadlines associated with vulnerabilities listed in the catalog. Some, such as the associated software with the Microsoft attacks earlier this year, are already overdue. Yet, more than 100 of them are slated to be resolved in the coming weeks.

Further, CISA urges organizations across the country to address the vulnerabilities now posing a threat.

“Organizations of all sizes, including the federal government, must protect against malicious cyber actors who seek to infiltrate our systems, compromise our data, and endanger American lives,” stated DHS Secretary Alejandro Mayorkas, “The new order ‘requires federal civilian departments and agencies to protect against critical known vulnerabilities,’ which will reduce the risk of malicious intrusion and increase our collective cybersecurity.”

To comply with the directive, agencies must review and update their vulnerability management policies within 60 days, and CISA may require agencies to provide those policies.