According to The Wall Street Journal, the Biden administration has ordered hundreds of cybersecurity flaws to be fixed by civilian federal agencies. According to the WSJ, the BOD 22-01 directive issued by the Cybersecurity and Infrastructure Security Agency, (CISA), covers approximately 200 known cybersecurity threats discovered between 2017 and 2020. There are also 90 additional flaws that were discovered in 2021. Federal agencies have six months to address older threats, and only two weeks to address those that were discovered in the last year.
The WSJ report reveals that federal agencies are often left to their own devices in security matters, which can sometimes lead to poor security management. Federal agencies must fix all possible threats, regardless of how serious, and create a standard for private and public organizations. Although zero-day vulnerabilities, which exploit previously undiscovered openings, are often the most prominent stories, it is possible to address the specific vulnerabilities that are causing harm right away.
The federal agencies have six months to address older threats
Previously, federal agencies were given one month by a 2015 order to address threats deemed critical. The WSJ pointed out that this was extended to threats deemed high-risk. This new mandate does not prioritize specific threat levels but acknowledges that hackers can exploit small gaps to cause bigger problems.
Jen Easterly, CISA director, said that the Directive sets clear requirements for federal civil agencies to immediately take action to improve vulnerability management practices and reduce cyber attack exposure. This Directive is only applicable to federal civil agencies. However, it is known that these vulnerabilities are used by critical infrastructure entities across the country. Every organization should adopt this Directive and prioritise mitigation of vulnerabilities from the CISAs public catalogue.
CISA's new list of known vulnerabilities includes the Microsoft Exchange Server flaw. Four security holes were discovered that could have prevented hackers from hacking emails belonging to more than 30,000 US government and commercial agencies. CISAs requires that the Microsoft Exchange Remote Code Execution Vulnerability be patched. Federal agencies are asked to install SolarWinds patches before May 2022.
Solarwinds Orion Platform, also listed on the list, was also compromised in a hack that took place in late 2020 and compromised US government agencies. CISA points out that SolarWinds Orion API could be vulnerable to an authentication bypass, which could enable remote attackers to execute API commands.
Since his election, President Biden has made cybersecurity a top priority. He signed an executive order in May to prevent future cybersecurity disasters. This executive order requires two-factor authentication throughout the federal government. It also establishes a protocol to respond to cyberattacks and creates a Cybersecurity Safety review Board.