Agencies must now map patching to a list of nearly 300 known and exploited software and hardware vulnerabilities and report to the Cybersecurity and Infrastructure Security Agency and National Cyber Director on their progress. (Photo by Kevin Dietsch/Getty Images)

The Cybersecurity and Infrastructure Security Agency has issued a cybersecurity order that compels civilian federal agencies to ensure they aren’t vulnerable to previously exploited software and hardware bugs.

In a new binding operational directive, the agency put forward a list of nearly 300 known and exploited vulnerabilities that “carry significant risk to the federal enterprise." The order gives agencies a timeline of six months to patch if the vulnerability was reported prior to 2021. For all the others, they have two weeks.

“Every day, our adversaries are using known vulnerabilities to target federal agencies. As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors,” CISA Director Jen Easterly said in a statement.

The order comes with a number of other timelines. Federal civilian agencies have two months to update their vulnerability management procedures to align with the new directive, assign roles to staff, identify action items, establish validation procedures and set internal tracking and reporting requirements.

They must also provide CISA with regular updates on the patching through the federal Continuous Diagnostics and Mitigation dashboard and send quarterly reports through an online tool called CyberScope.

CISA, for its part, will maintain and update the catalog with new vulnerabilities and develop annual reports for the National Cyber Director and the Office of Management and Budget. and the agency said this new directive would compliment – but not replace – a directive issued in 2019 that was focused on patching critical vulnerabilities in a timely fashion.

Vulnerability management was at the heart of the first-ever binding operational directive issued by CISA, and it has been a perpetual focus for the agency since its inception. It reflects the reality that most compromises of government and private networks are facilitated in part by or in whole by known or reported bugs that could have been closed off with better patching practices. Both the U.S. government and private threat intelligence firms have highlighted how threat actors have increasingly moved to weaponize newly discovered vulnerabilities, in order to take advantage of the lag time it usually takes for a certain percentage of organizations to patch. This was an issue during exploitation of the Microsoft Exchange Server vulnerabilities, for example.

It also reflects the need to focus the attention of overstretched IT security staff in the midst of what can seem like an endless deluge of reported software and hardware vulnerabilities. According to a fact sheet provided by CISA, there were more than 18,000 reported CVEs in 2020, of which more than 10,000 – or 28 a day – were categorized critical or high severity. By prioritizing the nearly 300 flaws that cybersecurity officials know have been used or leveraged against the federal government, it could offer agencies a roadmap to significantly reducing their exposure to known, successful hacks.

Easterly also made it clear that the agency believes many of the same vulnerabilities listed in the catalog are also being used against targets in the private sector.

“While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog,” she said.