The Cybersecurity and Infrastructure Security Agency is ordering federal agencies to patch nearly 300 known, exploited vulnerabilities in a directive published Wednesday.
It’s a change from past practice for Binding Operational Directives from the Department of Homeland Security’s main cyber wing. The orders have focused more frequently on one major vulnerability at a time, or have directed agencies to set up broader policies addressing subjects like establishing vulnerability disclosure programs. As rationale, the agency pointed to issues in Microsoft Exchange technology that suspected Chinese hackers seized upon to target victims worldwide in early 2021.
Under the order, agencies must patch vulnerabilities from a CISA-created catalog by deadlines that range from two weeks for flaws observed this year to six months for those observed in prior years. Further, agencies must build a process for fixing such vulnerabilities on an ongoing basis in the future.
CISA said the directive is a response to its belief that the widely adhered-to Common Vulnerability Scoring System that ranks vulnerabilities from “critical” to “low” doesn’t always accurately depict a given threat, citing one of this year’s most widespread intrusions.
“Attackers chained four vulnerabilities, all subsequently rated as ‘high,’ to successfully exploit Microsoft Exchange servers,” the agency explained. “This methodology, known as ‘chaining,’ uses small vulnerabilities to first gain a foothold, then exploits additional vulnerabilities to escalate privilege on an incremental basis.”
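The two points above, deadlines keyed to when exploitation was observed and a queue driven by known exploitation rather than CVSS score alone, can be expressed as a small remediation-tracking routine. The following is an added example, not CISA's tooling and not the real catalog format: the catalog entries, CVE identifiers (placeholders), scanner findings and issuance date are all constructed, and the two-week / six-month rule is taken from the article's description.

```python
import calendar
from datetime import date, timedelta

# Constructed issuance date for the directive (assumption, not from the article).
ISSUED = date(2021, 11, 10)

# Constructed, KEV-style catalog (not CISA's real catalog): the CVE ids are
# placeholders and each entry records the year in which exploitation was observed.
CATALOG = [
    {"cve": "CVE-2021-EX1", "observed_year": 2021},
    {"cve": "CVE-2019-EX2", "observed_year": 2019},
    {"cve": "CVE-2020-EX3", "observed_year": 2020},
]

# Constructed vulnerability-scanner findings with CVSS base scores.
FINDINGS = [
    {"host": "mail01", "cve": "CVE-2021-EX1", "cvss": 7.8},
    {"host": "web01", "cve": "CVE-2019-EX2", "cvss": 5.3},
    {"host": "db01", "cve": "CVE-2021-EX9", "cvss": 9.8},  # "critical" score, but no known exploitation
    {"host": "app01", "cve": "CVE-2020-EX3", "cvss": 6.5},
]


def add_months(d: date, months: int) -> date:
    """Calendar-aware month arithmetic; clamps the day to the target month's length."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def due_date(observed_year: int, issued: date) -> date:
    """Two weeks when exploitation was observed in the year the directive was issued,
    six months for vulnerabilities observed in earlier years."""
    if observed_year >= issued.year:
        return issued + timedelta(days=14)
    return add_months(issued, 6)


def prioritize(findings, catalog, issued: date):
    """Order findings for remediation: catalog (known-exploited) entries first, by
    earliest deadline, then everything else by CVSS. Catalog membership, not the
    score, decides what reaches the front of the queue."""
    observed = {entry["cve"]: entry["observed_year"] for entry in catalog}
    queue = []
    for finding in findings:
        due = due_date(observed[finding["cve"]], issued) if finding["cve"] in observed else None
        queue.append({**finding, "due": due})
    # Known-exploited first (False sorts before True), then earliest due date, then highest CVSS.
    queue.sort(key=lambda f: (f["due"] is None, f["due"] or date.max, -f["cvss"]))
    return queue


def overdue(queue, today: date):
    """Findings whose catalog deadline has already passed; this is the list an
    ongoing remediation process would have to report on."""
    return [f for f in queue if f["due"] is not None and f["due"] < today]


if __name__ == "__main__":
    for f in prioritize(FINDINGS, CATALOG, ISSUED):
        print(f"{f['host']:6} {f['cve']:13} cvss={f['cvss']:<4} due={f['due']}")
```

Running it lists the mail server first (a 2021-observed flaw, due in two weeks), the two older catalog entries next with six-month deadlines, and the CVSS 9.8 finding last because nothing in the catalog says it is being exploited. Swapping the constructed catalog for a real feed and the constructed findings for scanner output is the only change needed to make this a working tracker.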
Binding Operational Directives only have authority over the federal government. But CISA, an agency increasingly at the center of debates about whether it should have more regulatory authority, has used them as explicit leverage to try to pressure the private sector and others to adopt its approach.
“Every day, our adversaries are using known vulnerabilities to target federal agencies,” said CISA Director Jen Easterly. “While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”