November 5, 2021
The Biden administration ordered federal agencies to patch roughly 300 cybersecurity vulnerabilities that expose government computer systems to potentially damaging intrusions. About 200 of the vulnerabilities were catalogued between 2017 and 2020, while another 90 were catalogued in 2021. All are known to be actively exploited by malicious cyber actors, said Cybersecurity and Infrastructure Security Agency director Jen Easterly in a statement accompanying the directive. Agencies have been given two weeks to patch the 2021 vulnerabilities and six months to fix the older ones.
The CISA-issued Binding Operational Directive (BOD) 22-01 applies to “all executive branch departments and agencies except for the Defense Department, the Central Intelligence Agency and the Office of the Director of National Intelligence,” The Wall Street Journal reports.
CISA is a component agency of the Department of Homeland Security. The directive covers “all software and hardware found on federal information systems, including those managed on agency premises or hosted by third parties on an agency’s behalf,” and requires remediation on both Internet-facing and non-Internet-facing assets, according to CISA’s press release.
“Organizations of all sizes, including the federal government, must protect against malicious cyber actors who seek to infiltrate our systems, compromise our data, and endanger American lives,” DHS Secretary Alejandro Mayorkas was quoted in WSJ as saying about the new order, which “requires federal civilian departments and agencies to protect against critical known vulnerabilities, which will reduce the risk of malicious intrusion and increase our collective cybersecurity.”
Federal agencies are typically given discretion to maintain their own cybersecurity patch management programs, which means that while some of the flaws identified have already been addressed, others have been ignored by agencies that “chronically underperform in addressing cyber risks, according to numerous internal audits over the last several years,” notes WSJ.
President Biden has prioritized cybersecurity since taking office, and his administration has regularly issued orders to “patch immediately” since the beginning of the year. Microsoft, whose products appear on the list of known exploited vulnerabilities alongside those of Qualcomm, Citrix, Cisco, IBM, Google (Chrome) and Apple, has said that a lackadaisical attitude toward installing software updates is often what leaves systems exposed to attack.