Federal agencies ordered to patch hundreds of vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday ordered all federal agencies to immediately begin work on patching hundreds of cyber vulnerabilities, warning that malicious actors are continuing to target U.S. critical infrastructure. 

The new binding operational directive outlines almost 300 vulnerabilities, 200 from between 2017 and 2020 and 90 from 2021, that federal agencies must work to patch, all of which are outlined in a catalog that will be updated as more critical vulnerabilities are discovered.

Agencies have six months to patch for vulnerabilities discovered prior to 2021, and two weeks to patch those discovered this year, though the order noted that these timelines could be sped up “in the case of grave risk to the Federal Enterprise.”

The order also requires that federal agencies update and establish a process for addressing the vulnerabilities, and that they submit reports on the status of patching. 

“Every day, our adversaries are using known vulnerabilities to target federal agencies,” CISA Director Jen Easterly said in a statement Wednesday. “As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors.”

While the directive only applies to federal agencies, Easterly warned that private sector groups should also patch these vulnerabilities. 

“We know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities,” Easterly said. “It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”

The directive was issued after a difficult year in cybersecurity that has seen multiple major cyber incidents. These have included what has become known as the SolarWinds hack, which allowed Russian government-backed hackers to compromise nine federal agencies and at least 100 private sector groups for much of 2020 through exploiting software vulnerabilities. 

Earlier this year, Chinese hackers began taking advantage of vulnerabilities in Microsoft’s Exchange Server application to target thousands of organizations. CISA issued separate binding operational directives for both the SolarWinds and Microsoft Exchange Server incidents, ordering agencies to patch the vulnerabilities involved. 

Ransomware attacks have also shot up, including attacks on Colonial Pipeline, meat producer JBS USA, and hospitals across the country, with CISA warning Wednesday that these malicious hacking efforts are still a threat. 

“Currently, threat actors have launched increasingly damaging attacks against our nation’s information systems, targeting critical infrastructure such as water and oil suppliers, schools, and even hospitals,” a fact sheet on the new directive reads. “These attacks threaten our safety, our economy, and even our lives. Organizations are struggling to keep up with the increased sophistication and persistence of their cyber adversaries.”

Key officials, including National Cyber Director Chris Inglis, on Wednesday expressed support for the directive.

“CISA announced a new Binding Operational Directive this morning,” Inglis tweeted. “I look forward to working with @CISAgov and @OMBPress to ensure a whole-of-government approach to mitigating the vulnerability risks associated with the BOD.”

Rep. Jim Langevin (D-R.I.), chair of the House Armed Services Committee’s cybersecurity subcommittee, said that the directive “will go a long way towards strengthening network security and improving our federal cyber hygiene.”

“In our increasingly internet-connected world, cybersecurity vulnerabilities abound, but we need to pay special attention to vulnerabilities that we know hackers are already using,” Langevin said in a statement. “Although the Department of Homeland Security has long focused on patching Internet facing systems, today’s Directive is a great example of CISA prioritizing risk mitigation for internal networks by identifying fixes federal agencies must apply as quickly as possible.”