As attackers launch increasingly damaging campaigns against critical infrastructure such as hospitals, the Cybersecurity and Infrastructure Security Agency is requiring all federal agencies to patch known exploited vulnerabilities within six months, according to a Nov. 3 directive.
Four things to know:
- Under the binding operational directive, federal agencies have 60 days to establish policies for remediating the approximately 300 vulnerabilities in CISA's catalog of known exploited vulnerabilities. Agencies have two weeks to patch vulnerabilities discovered in 2021 and six months to patch those discovered before 2021.
- The status of each vulnerability must be reported through the Continuous Diagnostics and Mitigation dashboard. Agencies will submit quarterly reports through the dashboard until Oct. 1, 2022, after which they will be required to update their status biweekly.
- CISA Director Jen Easterly said in a Nov. 3 statement obtained by The Hill that the directive applies only to federal agencies, though she added that private companies should consider taking similar precautions.
"We know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities," Ms. Easterly said. "It is therefore critical that every organization adopt this directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog."
- CISA said in a Nov. 3 fact sheet about the directive that in 2020, industry partners identified 18,358 new cybersecurity vulnerabilities. Of those, 10,342 are classified as critical or high severity.