CISA Issues Binding Directive on Security Updates to Federal Agencies
On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) issued binding operational directive (BOD) 26-04 to civilian agencies.
The measure prioritizes security updates based on risk, explained Chris Butera, CISA’s acting executive assistant director for cybersecurity.
Butera spoke about CISA’s latest BOD on a call Wednesday with the media. The directive was released on CISA’s website.
Directive 26-04 “improves upon” several earlier CISA actions, including its 2019 vulnerability remediation requirements for internet-accessible systems, its known exploited vulnerabilities catalog directive (the KEV catalog), and its 2022 BOD on reducing the significant risk of known exploited vulnerabilities, Butera noted.
“For over 11 years, CISA has been assessing progress and gaps with our mobility management-related directives that include gathering insights on agencies, publicly exposed assets, tracking the evolving tactics and demonstrated capabilities of nation and adversarial threat actors, observing emerging AI capabilities and having frank yet thoughtful discussions with both federal agencies and our industry partners,” Butera stated.
Under BOD 26-04, agencies are required to patch the most severe vulnerabilities within three days. Severity is judged on four attributes: whether the vulnerability applies to an asset (hardware or software that is part of an information technology (IT) system), whether it is publicly exposed (reachable from public networks or the internet), and whether it grants partial control or total control (the degree to which threat actors can control the software, network or IT system).
“BOD 26-04 requires federal civilian agencies to assess and align their vulnerability management policies to reduce cybersecurity risk according to four criteria,” he explained. “Specifically, vulnerabilities with three or more of these attributes are the most detrimental of the vulnerabilities that we see, and require patching within three days.”
Other vulnerabilities are subject to longer patching timelines or, in some cases, even the next system upgrade.
Within 60 days, all federal civilian agencies must update their agency vulnerability management processes and procedures to support ongoing vulnerability remediation.
This is to be done based on vulnerabilities identified in CISA’s Common Vulnerabilities and Exposures database—created for the government by the MITRE Corporation—as well as software and system vulnerabilities identified in CISA’s KEV catalog, CISA indicated.
“This new directive expedites and prioritizes the cyber defense of civilian federal government information systems,” Butera said. “Prioritizing IT and security operations attention on the most at-risk assets is particularly important now, given advancements in artificial intelligence, which allow threat actors to find and exploit vulnerabilities in these assets. Defenders cannot afford to take weeks to patch systems that can be autonomously exploited.”
Despite the severe budget and personnel cuts imposed on federal civilian agencies by President Donald Trump and his Department of Government Efficiency, CISA is confident that federal organizations can address the worst vulnerabilities within three days, Butera stated.
“We do believe that agencies should be able to meet the three-day deadline. That is why we didn't choose, for example, a 24-hour deadline,” he clarified. “And the agencies will be able to meet it.”
For agencies new to such efforts, CISA understands the challenge, the acting executive assistant director noted.
“We do understand that some of this is going to be a newer step for some of the federal agencies to do,” Butera said. “We do have the ability to assist with triage analysis, for example. We also gave the agencies a good runway to implement some of the new vulnerability management processes, in 180 days.”
CISA has found that only 1% of federal agencies’ vulnerabilities required patching within three days, while more than 60% could be deferred to the next system update.
“Ultimately, this new framework of patching smarter, not harder, ensures that federal civilian agencies address the most critical of vulnerabilities,” Butera stated. “Additionally, this directive incorporates feedback we have received over the years from federal agencies and stakeholders to add further prioritization within the KEV catalog.”
And while the directive is only a mandate for federal civilian agencies, CISA would like to see military organizations take similar steps as best practices.
“Our authorities only extend to the federal civilian executive branch,” Butera clarified. “We really believe that most of our directives can be used as best practices or requirements. That is why we encourage all entities to use that as the best practice, as well as we post them publicly.”
The agency also “strongly encouraged” all state and local partners and critical infrastructure owners and operators to adopt the actions outlined in the BOD into their vulnerability management programs.
“Today, binding operational directives, prioritizing security updates based on risk is an important milestone in this journey and a significant step forward in reducing cybersecurity risk while enhancing efficiency,” Butera stated.
For more information, see BOD 26-04 on CISA’s website.