CISA orders civilian agencies to fix known flaws in six months

The binding operational directive issued Nov. 3 requires federal agencies to remediate known exploited vulnerabilities on their networks under specific timeframes is also intended to serve as guidance for the private sector and state and local governments.


The Cybersecurity and Infrastructure Security Agency (CISA) put federal civilian agencies on a six-month clock to remediate known vulnerabilities with a new binding operational directive released on Wednesday.

CISA Director Jen Easterly told members of the House Homeland Security Committee at a hearing on Wednesday that the new directive will help federal agencies to prioritize their efforts to patch actively exploited vulnerabilities on their networks, while sending a clear message to private businesses, as well as state, local, tribal and territorial governments about which vulnerabilities should be immediately addressed.

"For the first time, this is really giving timelines to remediate those specific vulnerabilities that we know have been actively exploited by adversaries, not just all vulnerabilities but the ones that we think are most dangerous," Easterly said. "I think that can make a real difference, not just for federal agencies, but from a signaling perspective for critical infrastructure owners and operators, and from businesses large and small around the country."

As part of the directive, CISA released a publicly-available catalog featuring known exploited vulnerabilities and established specific timeframes for federal agencies to remediate those risks. More than 18,000 new cybersecurity vulnerabilities potentially impacting both federal agencies and private companies were discovered just last year, according to CISA, which classified over 10,000 of those as "critical" or "high severity" vulnerabilities.

The directive on reducing risks of known exploited vulnerabilities was announced shortly before Easterly's appearance alongside National Cyber Director Chris Inglis to discuss cybersecurity challenges with lawmakers.

Inglis stressed the need for permanent funding to address critical cybersecurity risks, saying his office was "currently constrained" and "unable to hire key staff" due to the lack of investments.

"Without appropriations, we remain limited in our ability to hire key staff members, make necessary procurement and acquisitions, and find permanent office space for our future, full complement of staff," Inglis said. "More fundamentally, the lack of appropriations inhibits our ability to plan and delays our ability to quickly and fully realize the role of the [national cyber director]."

The CISA catalog features 90 exploited vulnerabilities identified last year and nearly 200 discovered between 2017 and 2020 which pose significant risks to networks. CISA said it would continue to regularly update the catalog as new vulnerabilities were identified which meet specific thresholds. Those thresholds require the exploited vulnerability to have undergone an executive-level review at CISA, as well as reliable evidence that vulnerability has been actively exploited and that a clear remediation action exists to address the issue.

The directive also gives agencies 60 days to respond to CISA with detailed information on their own vulnerability management policies and practices, including information on roles and responsibilities.