
Identify, patch IT assets affected by Log4j before Christmas, CISA orders civilian agencies

Defense Secretary Mark Esper speaks at the Department of Homeland Security’s cyber summit held by CISA last year. CISA ordered civilian agencies to identify and patch all assets known to be affected by the Log4J vulnerability before Christmas (Credit: Department of Defense)

The Cybersecurity and Infrastructure Security Agency has ordered civilian federal agencies to identify and patch all known IT assets affected by the Log4J vulnerabilities before Christmas or remove them from agency networks.

The mandate, part of an emergency directive the agency issued Friday, reflects the heightened anxiety that federal agencies could be compromised by the broad-based Java vulnerability during the holidays.

Agencies have until 5pm on Dec. 23 to list all public-facing systems and solution stacks that are open to the internet, cross-reference those systems against a list of affected assets CISA has compiled on GitHub, and apply the latest patches or mitigate the vulnerability through other means. If they’re not able to patch, agencies must remove those assets from their IT networks by the same deadline unless doing so would result in “grave risk to the Federal Enterprise.”

“For all solution stacks containing software that agencies identified as affected: assume compromise, identify common post-exploit sources and activity, and persistently investigate and monitor for signs of malicious activity and anomalous traffic patterns,” the order reads.

Before the new year, agencies will need to report all affected software products to CISA, including the vendor and application version, and describe previous efforts to mitigate. CISA in turn must issue a report on the bug, its impact on the federal enterprise and any outstanding issues to the Secretary of Homeland Security and the Director of the Office of Management and Budget in February.

In a statement, CISA Director Jen Easterly said the decision to issue an emergency order was based on a number of factors, including evidence that threat actors are rapidly exploiting the vulnerability in other organizations, the prevalence of the affected code among federal agencies, the high potential for a compromise and the damaging impact it could have on federal cybersecurity.

“The log4j vulnerabilities pose an unacceptable risk to federal network security,” said CISA Director Jen Easterly in a statement. “CISA has issued this emergency directive to drive federal civilian agencies to take action now to protect their networks, focusing first on internet-facing devices that pose the greatest immediate risk. CISA also strongly urges every organization large and small to follow the federal government’s lead and take similar steps to assess their network security and adapt the mitigation measures outlined in our Emergency Directive. If you are using a vulnerable product on your network, you should consider your door wide open to any number of threats.”  

Just a day before the order was issued, Secretary of Homeland Security Alejandro Mayorkas said his department was "extraordinarily concerned" about the vulnerability and was treating mitigation efforts as an emergency.

“It’s uppermost in our minds and quite frankly, uppermost in our action plans,” Mayorkas said at an event hosted by the German Marshall Fund.

After reports on Log4J and its broad potential impact began surfacing in early December, Easterly referred to the vulnerability as one of the worst she’s seen in her career. The agency had already added the bug to its list of high-impact, actively exploited vulnerabilities that agencies must patch within two weeks, but the emergency order underscores the desire by federal cybersecurity officials to put agencies further ahead of the exploitation curve.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
