The U.S. Cybersecurity and Infrastructure Security Agency today issued a binding operational directive that tackles vulnerabilities in federal agencies’ information technology systems.

The directive has two main elements. First, CISA has created a catalog of more than 300 vulnerabilities that are being actively used by hackers to launch cyberattacks. Second, officials are instructing civilian federal agencies to quickly patch any of their systems that contain vulnerabilities listed in the catalog. Security flaws that were discovered this year must be patched by Nov. 17, while issues reported earlier must be resolved by May 3, 2022, at the latest.

“The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks,” CISA Director Jen Easterly said in a statement.

CISA officials explained some of the context behind the new database in a fact sheet. Researchers indicate the severity of cybersecurity vulnerabilities they discover using a standard known as the Common Vulnerability Scoring System. Severity is measured on a scale of 0.1 to 10 and the highest-ranked vulnerabilities, with a CVS score of 9 or more, are designated “critical.” CISA said more than 18,000 vulnerabilities were discovered in 2020 alone, including over 10,000 deemed critical.

But cybersecurity issues with a high severity score aren’t always the ones that pose the biggest risk of a data breach. “Attackers do not rely only on ‘critical’ vulnerabilities to achieve their goals,” CISA pointed out. There are examples of hackers combining multiple, lower-severity vulnerabilities to carry out cyberattacks. 

The vulnerability catalog CISA has launched as part of its newly issued directive aims to help federal agencies more effectively address cybersecurity issues in their systems. Instead of containing only vulnerabilities rated critical, the catalog also includes flaws that have a lower severity score but are known to be actively exploited by hackers.

“These vulnerabilities pose significant risk to agencies and the federal enterprise,” CISA stated in the directive. “It is essential to aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents.”

“While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities,” Easterly added. “It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”

Currently, the catalog includes more than 300 vulnerabilities affecting products from IBM Corp., Oracle Corp., Google LLC, Apple Inc. and many other companies. Some of the flaws were originally discovered as early as 2010, while others are from this year. The directive instructing civilian federal agencies to fix the vulnerabilities applies to “all software and hardware found on federal information systems,” CISA said, whether they run on-premises or are hosted by third parties on an agency’s behalf.

Image: CISA