The new requirement is one of the most wide-reaching cybersecurity mandates ever imposed on the federal government. It covers about 200 known security flaws identified by cybersecurity professionals between 2017 and 2020, plus another 90 discovered in 2021 alone, all of which have been observed being exploited by malicious hackers, according to a draft document detailing the order. Those flaws will be listed in a new federal catalog as carrying “significant risk to the federal enterprise.”
The directive—which will be released by Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security—applies to all executive branch departments and agencies except for the Defense Department, the Central Intelligence Agency and the Office of the Director of National Intelligence. Cybersecurity for civilian federal agencies is typically managed separately from the military and national security agencies.
“Organizations of all sizes, including the federal government, must protect against malicious cyber actors who seek to infiltrate our systems, compromise our data, and endanger American lives,” DHS Secretary Alejandro Mayorkas said in a statement alongside the directive. The new order “requires federal civilian departments and agencies to protect against critical known vulnerabilities, which will reduce the risk of malicious intrusion and increase our collective cybersecurity.”
Federal agencies typically maintain their own cybersecurity patch management programs, so it is likely that some of the flaws being highlighted in the new order have already been addressed by parts of the government. But some agencies chronically underperform in addressing cyber risks, according to numerous internal audits over the last several years, and senior U.S. officials have long said more mandates are necessary to ensure better patch practices and broader adoption of best practices.
DHS has previously imposed cybersecurity mandates on government agencies, often in the form of emergency requirements for an immediate fix to a critical software flaw being used in an active cyberattack. In 2017, the Trump administration issued an order to purge software from the Russian antivirus company Kaspersky Lab from federal networks amid espionage concerns raised by U.S. intelligence officials.
In 2015, an order required federal agencies to fix critical-risk cybersecurity flaws within a month of detection. The risk label is drawn from a public industry database that categorizes flaws by perceived severity. In 2019, DHS extended the requirement to cover high-risk vulnerabilities as well.
Wednesday’s directive attempts to move away from such categories by recognizing that even seemingly minor flaws can cause major damage if hackers exploit them to invade a valuable computer network, especially if they are chained in an attack with other flaws.
It covers all software and hardware on federal information systems, including systems hosted by third parties such as federal contractors, and extends to flaws that wouldn’t necessarily meet the generally accepted threshold for critical or high risk. It is also the first directive to require governmentwide fixes for both internet-connected systems and those maintained offline.
A significant majority of the flaws being published on the DHS catalog are ones that weren’t covered under previous orders, a senior official said. Those listed from 2021 will require fixes within two weeks and, going forward, newly added flaws could require faster mitigation, the official said. Agencies will have up to six months to address security holes found in previous years because they are less likely to carry a high risk of exploitation and there may be a backlog as cybersecurity teams address the more recently disclosed flaws.
President Biden has sought to highlight cybersecurity as a prioritized national security threat since taking office in January. Wednesday’s directive follows several organizational changes at the White House and State Department to elevate the issue and a push to place cybersecurity mandates on some private industries, including pipelines and trains, after several presidential administrations of both parties largely relied on voluntary industry standards.
“While this directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities,” Ms. Easterly said in a statement accompanying the new order. “It is therefore critical that every organization adopt this directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”