The Biden administration is requiring civilian federal agencies to fix hundreds of cybersecurity flaws, as reported earlier by The Wall Street Journal. Binding Operational Directive 22-01 from the Cybersecurity and Infrastructure Security Agency (CISA) comes with a catalog of vulnerabilities that are known to have been exploited in real attacks: according to the WSJ, around 200 of them were disclosed between 2017 and 2020, and about 90 more were found in 2021. Federal agencies have six months to patch the older vulnerabilities and just two weeks to fix the ones disclosed within the past year.
The WSJ report points out that federal agencies are usually left to their own devices when it comes to security, which sometimes results in poor patch management. The goal is to force agencies to fix every listed vulnerability regardless of its severity rating, and to give other public and private organizations a baseline list to work from. While zero-day vulnerabilities, flaws that attackers use before the vendor knows they exist, get the headlines, addressing “the subset of vulnerabilities that are causing harm now” can get ahead of many incidents.
Previously, a 2015 directive gave federal agencies one month to fix vulnerabilities rated “critical risk.” This was changed in 2019 to also cover vulnerabilities rated “high risk,” as the WSJ points out. The new directive moves away from prioritizing by severity rating and instead prioritizes by evidence of exploitation, acknowledging that a flaw with a modest rating can quickly turn into a larger problem once attackers are actively using it, on its own or chained with others.
“The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks,” says CISA director Jen Easterly. “While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”
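Easterly's call to prioritize the public catalog, together with the two-week and six-month deadlines described above, is easiest to act on as a feed-driven triage. The following is an example added for this article; it is not CISA's own tooling and not code from the WSJ report. It encodes the directive's initial schedule, parses a constructed sample in the shape of CISA's public Known Exploited Vulnerabilities (KEV) JSON feed, and reports which inventory hosts have overdue or imminent deadlines. The field names (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate, requiredAction) are the feed's; the entries' dates, the hostnames and the reference date are assumptions made up for the demo.

```python
"""Triage CISA's Known Exploited Vulnerabilities (KEV) catalog against an asset inventory.

Example code added to this article; it is not CISA's tooling. The catalog
records and the inventory below are constructed for the demo. Field names follow
CISA's public KEV JSON feed (cveID, vendorProject, product, vulnerabilityName,
dateAdded, dueDate, requiredAction); the values are illustrative.
"""
import json
from datetime import date, timedelta

DIRECTIVE_ISSUED = date(2021, 11, 3)  # the day BOD 22-01 was issued


def _add_months(d, months):
    """Return the same day-of-month `months` later (whole-month offsets only)."""
    month_index = d.month - 1 + months
    return date(d.year + month_index // 12, month_index % 12 + 1, d.day)


def initial_due_date(cve_id, issued=DIRECTIVE_ISSUED):
    """Due date the directive's schedule gives an entry in the initial catalog:
    two weeks for CVEs assigned in the year of issue, six months for older ones."""
    cve_year = int(cve_id.split("-")[1])
    if cve_year >= issued.year:
        return issued + timedelta(days=14)
    return _add_months(issued, 6)


# Constructed sample in the shape of the KEV JSON feed. The CVE IDs are real;
# the due dates are what the directive's schedule gives them and are not copied
# from the live catalog, which is the authoritative source.
SAMPLE_CATALOG_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2021-26855",
            "vendorProject": "Microsoft",
            "product": "Exchange Server",
            "vulnerabilityName": "Microsoft Exchange Server Remote Code Execution Vulnerability",
            "dateAdded": "2021-11-03",
            "dueDate": "2021-11-17",
            "requiredAction": "Apply updates per vendor instructions.",
        },
        {
            "cveID": "CVE-2020-10148",
            "vendorProject": "SolarWinds",
            "product": "Orion Platform",
            "vulnerabilityName": "SolarWinds Orion API Authentication Bypass Vulnerability",
            "dateAdded": "2021-11-03",
            "dueDate": "2022-05-03",
            "requiredAction": "Apply updates per vendor instructions.",
        },
    ],
})

# Constructed inventory (hypothetical hosts); a real one would come from a CMDB or scanner.
SAMPLE_INVENTORY = [
    {"host": "mail01.example.gov", "vendor": "Microsoft", "product": "Exchange Server 2016"},
    {"host": "mon01.example.gov", "vendor": "SolarWinds", "product": "Orion Platform"},
    {"host": "web01.example.gov", "vendor": "Canonical", "product": "Ubuntu Server"},
]


def parse_catalog(text):
    """Parse the feed JSON and convert the date strings to date objects."""
    entries = json.loads(text)["vulnerabilities"]
    return [
        dict(e, dateAdded=date.fromisoformat(e["dateAdded"]), dueDate=date.fromisoformat(e["dueDate"]))
        for e in entries
    ]


def matches(entry, asset):
    """Vendor/product match. KEV carries no affected-version data, so this is a
    first cut that a scanner or the vendor advisory must confirm."""
    return (entry["vendorProject"].lower() == asset["vendor"].lower()
            and entry["product"].lower() in asset["product"].lower())


def triage(catalog, inventory, today=None, soon_days=14):
    """Pair each asset with the catalog entries that name its product and bucket
    them by how close the directive's deadline is. `today` may be a date or an
    ISO string; it defaults to the current date."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for asset in inventory:
        for entry in catalog:
            if not matches(entry, asset):
                continue
            days_left = (entry["dueDate"] - today).days
            if days_left < 0:
                status = "OVERDUE"
            elif days_left <= soon_days:
                status = "DUE_SOON"
            else:
                status = "SCHEDULED"
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "name": entry["vulnerabilityName"],
                "dueDate": entry["dueDate"],
                "days_left": days_left,
                "status": status,
            })
    findings.sort(key=lambda f: (f["dueDate"], f["host"]))  # most urgent first
    return findings


if __name__ == "__main__":
    catalog = parse_catalog(SAMPLE_CATALOG_JSON)
    for entry in catalog:
        assert entry["dueDate"] == initial_due_date(entry["cveID"])
    for f in triage(catalog, SAMPLE_INVENTORY, today="2022-04-25"):
        print(f"{f['status']:<9} {f['host']:<20} {f['cveID']:<15} due {f['dueDate']} ({f['days_left']:+d} days)")
```

Point `parse_catalog` at the live feed (CISA publishes the catalog as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and at a real inventory. The feed's own `dueDate` is authoritative: `initial_due_date` models only the schedule described above, and the catalog can carry an earlier date for flaws that an earlier emergency directive already covered, as the Exchange flaws were. Because the feed lists no affected versions, a vendor/product match only says a host runs a product with a known-exploited flaw; confirm with the scanner or the vendor's advisory before closing the item.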
CISA’s newly released catalog notably includes the Microsoft Exchange Server flaws. In March, a Chinese group broke into the email of over 30,000 US governmental and commercial organizations through four Exchange vulnerabilities; Microsoft shipped fixes on March 2nd, and the mass exploitation that followed hit servers that had not yet applied them. The catalog requires agencies to address the “Microsoft Exchange Remote Code Execution Vulnerability.”
The SolarWinds Orion Platform, whose trojanized software update was used to compromise US government agencies in a major hack in late 2020, is also on the list, with a May 2022 deadline for installing the available SolarWinds patches. The entry CISA describes is an authentication bypass rather than the backdoored update itself: the “SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands.”
Cybersecurity has been a priority for President Biden since he took office. In May, he signed an executive order aimed at preventing a repeat of incidents like the SolarWinds compromise. Among other measures, the order mandates multi-factor authentication and encryption across the federal government, sets security requirements for the software the government buys, establishes a standard playbook for responding to cyberattacks, and creates a Cyber Safety Review Board.