The Cybersecurity and Infrastructure Security Agency (CISA) has released a new binding operational directive that requires federal civilian agencies to patch certain cyber vulnerabilities within three days.
Assessing Vulnerability Seriousness
The directive includes four criteria for assessing the seriousness of a vulnerability: whether the vulnerability is exposed to the public internet, whether the vulnerability is listed in the known exploited vulnerabilities (KEV) catalog, whether the exploit can be automated, and what level of control an adversary will have over a vulnerable system due to the malicious activity, according to CISA Acting Executive Assistant Director for Cybersecurity Chris Butera.
Prioritization System
Federal agencies will now need to patch vulnerabilities that meet three of those four criteria within 72 hours. CISA is giving agencies 180 days to adopt the new patching time frame, according to the directive. Specifically, the three-day timeline will apply to currently exploited vulnerabilities that can be automated and would give malicious actors some control over systems facing the internet.
When agencies determine that hackers can use a vulnerability to take complete control of a system, they will be required to examine systems to gauge whether they have been compromised and patch within three days. Agencies will have up to two weeks to patch vulnerabilities that meet the above criteria but are not automatable as long as a threat actor has not taken full control of a system.
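The tiers described above can be written down as a triage rule for scanner findings. The following is an added example, not code from CISA or the directive; the three-of-four counting, the field names and the sample findings are assumptions drawn from this article's description, not from the directive's text.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Control(Enum):
    """Degree of control an adversary gains (the article's fourth criterion)."""
    NONE = "none"
    PARTIAL = "partial"
    FULL = "full"


@dataclass(frozen=True)
class Finding:
    """One scanner finding. The id is a constructed placeholder, not a real CVE."""
    id: str
    internet_exposed: bool
    in_kev: bool
    automatable: bool
    control: Control


@dataclass(frozen=True)
class Decision:
    window: str              # "72h", "14d" or "next-update"
    check_compromise: bool   # examine the host for compromise before patching


def triage(f: Finding) -> Decision:
    """Assign a remediation window as the article describes the directive.

    Interpretation (assumed, not the directive's text): a finding meeting at
    least three of the four criteria gets 72 hours if the exploit is automatable
    and 14 days if it is not; if it also grants full control, the 72-hour window
    applies and a compromise check precedes patching; all else waits for the
    next scheduled system update.
    """
    met = sum([f.internet_exposed, f.in_kev, f.automatable,
               f.control is not Control.NONE])
    if met >= 3 and f.control is Control.FULL:
        return Decision("72h", check_compromise=True)
    if met >= 3:
        return Decision("72h" if f.automatable else "14d", check_compromise=False)
    return Decision("next-update", check_compromise=False)


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per window, the kind of breakdown the article cites."""
    return dict(Counter(triage(f).window for f in findings))


# Constructed sample findings (not real data).
SAMPLE = [
    Finding("VULN-A", True, True, True, Control.PARTIAL),    # 4/4, automatable
    Finding("VULN-B", True, True, False, Control.PARTIAL),   # 3/4, manual only
    Finding("VULN-C", True, True, True, Control.FULL),       # full control
    Finding("VULN-D", False, False, True, Control.PARTIAL),  # 2/4, out of scope
]
```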
Implementation and Support
It is unclear how easily resource-strapped federal agencies will be able to triage threats against the four criteria. However, CISA believes agencies should be able to complete the work in three days and will support agencies that need help executing within the tight time frame.
CISA has analyzed how often federal agencies are contending with threats that meet three of the four criteria and require a patch within 72 hours. At one federal agency CISA studied, only 1% of vulnerabilities required patching within three days while more than 60% were less serious, requiring patching only at the time of the next system update.
Legislative Support
Also on Wednesday, Sen. Mark Warner (D-VA) introduced legislation that directs CISA to collaborate with industry and regulators to modernize cybersecurity defense. "As AI continues to rapidly evolve, we must ensure our cybersecurity defenses keep up with the threats of the moment," Warner said in a statement.
"CISA is empowering federal civilian agencies to focus their efforts on the areas of highest risk and defer patching lower priority vulnerabilities," Acting CISA Director Nick Andersen said in a statement. "This directive provides clear definitions, timelines, and criteria that enhances transparency, predictability and agencies’ resource planning to execute more effective vulnerability remediation."
CISA is strongly urging state, tribal and local governments as well as critical infrastructure owners and operators to adopt similar vulnerability management regimes. "This new directive expedites and prioritizes the cyber defense of civilian federal government information systems, prioritizing IT and security operations’ attention on the most at-risk assets," Butera said.
"Defenders cannot afford to take weeks to patch systems that can be autonomously exploited in mass," Butera added. "Applying a patch generally does not evict a threat actor," a CISA press release said. The directive also mandates that agencies check when and how a vulnerable system was compromised before patching.
The new directive is part of a larger effort to address the heightened threat environment posed by the rise of artificial intelligence. "It's particularly important now, given advancements in artificial intelligence, which allow threat actors to find and exploit vulnerabilities in these assets," Butera said.
Source: The Record