The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new directive aimed at reinforcing the cybersecurity measures of federal agencies. This directive, released on Wednesday, mandates that agencies give precedence to correcting the most critical security vulnerabilities.
Enhancing Federal Network Security
In 2021, CISA introduced the Known Exploited Vulnerabilities (KEV) catalog along with BOD 22-01, instructing agencies to promptly address vulnerabilities listed in the catalog. The new directive, titled ‘Binding Operational Directive 26-04: Prioritizing Security Updates Based on Risk,’ builds upon these initiatives to further secure federal networks.
The directive aligns with the Office of Management and Budget’s Circular A-130, which provides guidelines for managing federal information resources. It requires agencies to reassess their vulnerability management strategies, share these policies with CISA upon request, and focus on resolving weaknesses identified in the KEV catalog.
Responsibilities and Timelines
Federal agencies are now tasked with monitoring updates to the KEV catalog and addressing issues according to specified timelines. They must ensure continuous remediation of vulnerabilities and automate the reporting of their status. Furthermore, they need to tag assets that are accessible externally.
To aid this process, CISA commits to updating the KEV catalog with the latest exploited vulnerabilities and providing relevant metadata and guidance. The agency has also outlined data requirements for asset tagging within 60 days, facilitating standardized reporting.
Focus on Critical Vulnerabilities
Security flaws in publicly accessible assets, especially those that can be exploited through automation, must be resolved within three days. The same urgency applies to vulnerabilities that give an attacker complete control of a compromised asset, whether or not exploitation can be automated.
For lower-risk vulnerabilities, those not listed in the KEV catalog or affecting less exposed assets, the remediation window extends to 14 or 60 days. Even so, agencies are encouraged to treat as urgent any vulnerability that could lead to full control of an asset where automated exploitation is feasible.
Kevin E. Greene, chief cybersecurity technologist at BeyondTrust, highlighted the importance of addressing privilege debt alongside CVE prioritization. He pointed out that understanding the path to a privilege plane is crucial to making a CVE operationally ineffective, even for CVEs with high CVSS scores.
As CISA continues to refine its approach to cybersecurity, federal agencies are urged to adapt swiftly, ensuring robust defenses against emerging threats.
