US gov agencies get mandatory patching orders

The United States Cybersecurity and Infrastructure Security Agency (CISA) has made it compulsory that all parts of the federal government quickly patch against known vulnerabilities.

CISA’s Binding Operational Directive 22-01 requires agencies to establish a remediation process for identified vulnerabilities and to assign the roles and responsibilities needed to carry it out.

Agencies are required to remediate vulnerabilities listed in a CISA-managed vulnerability catalogue.

Several highly-publicised bugs are listed in the catalogue, including the one in the Accellion File Transfer Application that was used to breach the Reserve Bank of New Zealand and NSW Health.

The catalogue currently lists over 400 vulnerabilities.

Flaws with Common Vulnerabilities and Exposures (CVE) identifiers assigned prior to this year must be remediated within six months.

All other vulnerabilities must be patched within two weeks, a deadline that could be shortened if the flaws are serious enough.

Agencies will also be required to report on their remediation of the listed vulnerabilities.

CISA will also report on the status of the patching effort to the US Secretary of Homeland Security, the Director of the Office of Management and Budget, and the National Cyber Security Director.

CISA issued the directive in response to a rise in exploited vulnerabilities and agencies' slowness in patching against them.