The US government has ordered all civilian federal agencies to patch, within six months, hundreds of cybersecurity vulnerabilities found between 2017 and 2020.
The new order, issued by the Joe Biden administration on Wednesday, is one of the most wide-reaching cybersecurity mandates ever imposed on the federal government, the Wall Street Journal reported.
The cybersecurity vulnerabilities are considered major risks for damaging intrusions into government computer systems.
The directive from the Cybersecurity and Infrastructure Security Agency (CISA) covers about 200 known security flaws identified by cybersecurity professionals between 2017 and 2020, plus an additional 90 discovered in 2021 alone, all of which have been observed being used by malicious hackers. Those flaws were listed in a new federal catalogue as carrying “significant risk to the federal enterprises”, the report said.
“Every day, our adversaries are using known vulnerabilities to target federal agencies. As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors,” said CISA Director Jen Easterly, in a statement.
“The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks,” Easterly added.
Federal agencies have six months to patch the older vulnerabilities and just two weeks to fix those discovered within the past year.
The goal is to force federal agencies to fix all known exploited flaws, whether they are rated major or not, and to establish a baseline list for other private and public organisations to follow.
“While this Directive applies to federal civilian agencies, we know that organisations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organisation adopt this Directive and prioritise mitigation of vulnerabilities listed in CISA’s public catalog,” Easterly said.
In 2015, a similar order gave federal agencies one month to fix threats deemed “critical risks”. This was, however, changed in 2019 to include threats categorised as “high risk”.
The new mandate does not prioritise based on threat levels, but emphasises the need to recognise small flaws that can quickly cause larger problems if hackers can find a way to take advantage of them.
Since President Biden took office in January this year, cybersecurity has been a major concern. In May, he signed an executive order intended to help prevent future cybersecurity disasters.
That order mandates two-factor authentication across the federal government, establishes a protocol for responding to cyberattacks, and forms a Cybersecurity Safety Review Board, among other security measures.