The Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday released a catalog of known exploited vulnerabilities and ordered federal agencies to mitigate each of them within a specific timeline.
The Department of Homeland Security agency also hopes that private sector entities take heed and use the catalog to patch these vulnerabilities on their networks.
“I think it is really groundbreaking in that for the first time this is really giving timelines to remediate those specific vulnerabilities that we know have been actively exploited by adversaries, not just all vulnerabilities but the ones we think are the most dangerous, and I think that can make a real difference not just for federal agencies but from a signaling perspective for our critical infrastructure owners and operators and for businesses large and small around the country,” CISA Director Jen Easterly told the House Homeland Security Committee on Wednesday during a hearing to discuss how the U.S. is working to strengthen its cybersecurity posture.
Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, is built around the catalog, which was populated with hundreds of vulnerabilities on Wednesday and which CISA plans to update regularly.
Remediating every vulnerability is a daunting task. CISA said that in 2020 more than 18,000 vulnerabilities were identified, making it difficult for any organization with limited resources to prioritize what needs to be fixed. The agency says the new BOD makes prioritization easier by focusing on the vulnerabilities known to be exploited, each with a remediation due date.
Easterly told the panel that the BOD also requires federal agencies to “update their security programs to effectively account for these requirements.”
The directive covers hardware and software hosted by agencies or by third parties for agencies.
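To show how an operator might act on a catalog whose entries carry due dates, here is an added Python example; it is not code from the article, from CISA or from the directive. It assumes the catalog is consumed as JSON with a top-level "vulnerabilities" list whose entries have "cveID", "dateAdded", "dueDate" and "requiredAction" fields; the catalog entries, CVE identifiers and host findings below are constructed placeholders, not real data.

```python
"""Prioritize open findings against a known-exploited-vulnerabilities catalog.

Added example, not CISA's tooling. Assumes the catalog JSON shape described
in the lead-in; every entry, CVE ID and host below is constructed.
"""
import json
from datetime import date

# Constructed catalog sample (placeholder CVE IDs, not real vulnerabilities).
SAMPLE_CATALOG = json.dumps({
    "title": "Constructed catalog sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
         "product": "Edge Gateway", "dateAdded": "2021-11-03",
         "dueDate": "2021-11-17",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor",
         "product": "Web Server", "dateAdded": "2021-11-03",
         "dueDate": "2022-05-03",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-00003", "vendorProject": "ExampleVendor",
         "product": "Web Server", "dateAdded": "2021-11-03",
         "dueDate": "2021-12-01",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed scanner output: one record per open (host, CVE) finding.
SAMPLE_FINDINGS = [
    {"host": "vpn-1.example.internal", "cve": "CVE-0000-00001"},
    {"host": "web-2.example.internal", "cve": "CVE-0000-00003"},
    {"host": "web-2.example.internal", "cve": "cve-0000-00002"},  # case varies
    {"host": "db-1.example.internal", "cve": "CVE-0000-09999"},   # not listed
]


def load_catalog(text):
    """Parse catalog JSON into a dict keyed by upper-cased CVE ID."""
    data = json.loads(text)
    return {v["cveID"].upper(): v for v in data["vulnerabilities"]}


def prioritize(catalog, findings, today):
    """Return catalog-listed findings, most urgent first.

    Findings whose CVE is not in the catalog are left to the normal patch
    cadence; the directive's timelines apply only to listed entries.
    """
    rows = []
    for f in findings:
        entry = catalog.get(f["cve"].upper())
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        rows.append({
            "host": f["host"],
            "cve": entry["cveID"],
            "due": entry["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
            "action": entry["requiredAction"],
        })
    # Overdue items (negative days_left) naturally sort to the front.
    rows.sort(key=lambda r: (r["days_left"], r["host"]))
    return rows


def not_in_catalog(catalog, findings):
    """CVE IDs from the findings that the catalog does not list."""
    return sorted({f["cve"].upper() for f in findings
                   if f["cve"].upper() not in catalog})


def sample_report(today_iso="2021-11-20"):
    """Run the constructed sample as of the given date (ISO format)."""
    catalog = load_catalog(SAMPLE_CATALOG)
    return prioritize(catalog, SAMPLE_FINDINGS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for r in sample_report():
        status = "OVERDUE" if r["overdue"] else f"{r['days_left']}d left"
        print(f"{status:>9}  {r['cve']}  {r['host']}  due {r['due']}")
    print("unlisted:", not_in_catalog(load_catalog(SAMPLE_CATALOG),
                                      SAMPLE_FINDINGS))
```

Run against the real feed, the same logic gives a daily worklist ordered by the directive's due dates; the unlisted CVEs are reported separately so they are not silently dropped, only deprioritized.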
During the hearing, Rep. Mariannette Miller-Meeks (R-Iowa) asked Easterly for an update on the new authority that Congress granted CISA in the fiscal year 2021 National Defense Authorization Act, which allows the agency to subpoena internet service providers for contact information when it discovers vulnerabilities on a network but cannot tell whose network it is. Easterly replied that in the less than one year that CISA has had the administrative subpoena authority, it has “aggressively” pursued its authorities and “operationalized” them by issuing more than 35 subpoenas that have led to remediation of the vulnerabilities.
After notifying the affected entity, CISA will “rescan the infrastructure where we saw those vulnerabilities” and has seen that they are “closed,” Easterly said.
“So, we believe this tool is enabling us to mitigate and remediate vulnerabilities and to make folks aware of vulnerabilities that they probably were not tracking,” she said.