In the latest effort to combat cybercrime and ransomware, federal agencies have been told to patch hundreds of known security vulnerabilities with due dates ranging from November 2021 to May 2022. In a directive issued on Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal and executive branch departments and agencies to patch a series of known exploited vulnerabilities as cataloged in a public website managed by CISA.
SEE: Patch management policy (TechRepublic Premium)
The directive applies to all software and hardware located on the premises of federal agencies or hosted by third parties on behalf of an agency. The only products that seem to be exempt are those defined as national security systems as well as certain systems operated by the Department of Defense or the Intelligence Community.
All agencies are being asked to work with CISA’s catalog, which currently lists almost 300 known security vulnerabilities with links to information on how to patch them and due dates by when they should be patched.
The catalog contains a record for each vulnerability with a CVE number, vendor, product name, vulnerability name, date added, description, action, due date and notes. The CVE number links to the NIST vulnerability database, which contains further details as well as the steps on how to patch the flaw.
The catalog specifically contains exploited vulnerabilities that CISA believes pose security risks to the federal government. Due dates for patching vary, with most of them due either November 17, 2021, or May 3, 2022. Vulnerabilities with CVEs assigned before 2021 list the May 3 due date, while those assigned this year carry the November 17 date. Beyond manually consulting the catalog, agencies can sign up for an email update alerting them to new vulnerabilities.
Patch management is one of the most challenging security tasks for any organization. Trying to keep up with all the vulnerabilities discovered each day and determining which ones need to be patched and how is a large part of the challenge.
With its own catalog, CISA is trying to remove some of the complexity for government agencies by listing which vulnerabilities are considered critical and actively being exploited, along with how they can be patched and by when. Since the catalog is publicly accessible on the web, the private sector also can consult it for help in patching critical vulnerabilities.
“By providing a common list of vulnerabilities to target for remediation, CISA is effectively leveling the playing field for agencies in terms of prioritization,” said Tim Erlin, VP of strategy for security provider Tripwire. “It’s no longer up to individual agencies to decide which vulnerabilities are the highest priority to patch. The positive outcome to expect here is that agencies will address these vulnerabilities more effectively with this guidance. There’s also a risk that this approach won’t account for nuances in how risk is assessed for each agency, but there’s plenty of evidence that such nuances aren’t being accounted for now either.”
SEE: How to become a cybersecurity pro: A cheat sheet (TechRepublic)
Of course, the actual work and accountability still lie within each department. Toward that end, CISA is requiring certain deadlines and deliverables.
Within 60 days, agencies must review and update their vulnerability management policies and procedures and provide copies of them if requested. Agencies must set up a process by which it can patch the security flaws identified by CISA, which means assigning roles and responsibilities, establishing internal tracking and reporting and validating when the vulnerabilities have been patched.
However, patch management can still be a tricky process, requiring the proper time and people to test and deploy each patch. To help in that area, the federal government needs to provide further guidance beyond the new directive.
“This directive focuses on patching systems to meet the upgrades provided by vendors, and while this may seem like a simple task, many government organizations struggle to develop the necessary patch management programs that will keep their software and infrastructure fully supported and patched on an ongoing basis,” said Nabil Hannan, managing director of vulnerability management firm NetSPI.
“To remediate this, the Biden administration should develop specific guidelines on how to build and manage these systems, as well as directives on how to properly test for security issues on an ongoing basis,” Hannan added. “This additional support will create a stronger security posture across government networks that will protect against evolving adversary threats, instead of just providing an immediate, temporary fix to the problem at hand.”