Security Experts: CISA's 'Must Patch' List Puts Spotlight on Vulnerability Management Processes

The U.S. Cybersecurity and Infrastructure Security Agency’s catalog of known exploited vulnerabilities can be useful not only for helping organizations patch high-risk vulnerabilities in their systems, but also to help them build or improve vulnerability management processes.

When CISA announced the Known Exploited Vulnerabilities Catalog in November, it listed roughly 300 security holes. Another 50 vulnerabilities have been added to the list since its launch.

CISA has confirmed for SecurityWeek that all vulnerabilities included in the catalog have been exploited in real-world attacks, even if in some cases there do not appear to be any public reports of malicious exploitation.

The launch of the list was accompanied by Binding Operational Directive (BOD) 22-01, which requires federal civilian agencies to identify and address known exploited vulnerabilities within defined timeframes — newer flaws need to be patched within two weeks while older issues must be fixed within six months.
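As an added illustration of how an organization might operationalize those timeframes (this is example code written for this page, not a CISA tool or anything from the article): BOD 22-01 treats CVE IDs assigned before 2021 as "older" (six months from the catalog add date) and everything else as "newer" (two weeks). The catalog entries and asset inventory below are constructed placeholders; the entry field names mirror CISA's published KEV JSON feed, but the IDs and dates are made up.

```python
from datetime import date, timedelta
from calendar import monthrange

# Constructed KEV-style entries. Field names mirror CISA's published JSON feed;
# the CVE IDs and dates are placeholders, not real catalog data.
KEV_SAMPLE = [
    {"cveID": "CVE-2019-00001", "vendorProject": "ExampleVendor",
     "product": "ExampleVPN", "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2021-00001", "vendorProject": "ExampleVendor",
     "product": "ExampleMail", "dateAdded": "2021-12-10"},
]

# Constructed asset inventory: what runs where, and which KEV CVEs are already fixed.
INVENTORY = [
    {"host": "vpn-gw-01", "vendorProject": "ExampleVendor", "product": "ExampleVPN", "patched": set()},
    {"host": "mail-02", "vendorProject": "ExampleVendor", "product": "ExampleMail", "patched": {"CVE-2021-00001"}},
    {"host": "mail-03", "vendorProject": "ExampleVendor", "product": "ExampleMail", "patched": set()},
]

def add_months(d, months):
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))

def due_date(cve_id, date_added):
    """BOD 22-01 timeframe: CVE IDs assigned before 2021 get six months from the
    catalog add date; everything else gets two weeks."""
    cve_year = int(cve_id.split("-")[1])
    added = date.fromisoformat(date_added)
    return added + timedelta(days=14) if cve_year >= 2021 else add_months(added, 6)

def remediation_report(kev_entries, inventory, today):
    """Match catalog entries to inventory by vendor/product and classify each
    affected host as patched, due, or overdue relative to `today` (date or ISO string)."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    report = []
    for entry in kev_entries:
        due = due_date(entry["cveID"], entry["dateAdded"])
        for asset in inventory:
            if (asset["vendorProject"], asset["product"]) != (entry["vendorProject"], entry["product"]):
                continue  # this asset does not run the affected product
            if entry["cveID"] in asset["patched"]:
                status = "patched"
            else:
                status = "overdue" if today > due else "due"
            report.append({"host": asset["host"], "cveID": entry["cveID"],
                           "dueDate": due.isoformat(), "status": status})
    return report
```

Feeding the real catalog in place of `KEV_SAMPLE` and a live CMDB export in place of `INVENTORY` turns this into the overdue list the directive asks agencies to report on.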

BOD 22-01 also requires agencies to report on the status of vulnerabilities listed in the repository.

CISA told SecurityWeek that formal reporting will begin in the coming weeks, but the cybersecurity agency has clarified that those who fail to meet the deadlines are not penalized.

“CISA works with agencies on an ongoing basis to help them understand cyber directive requirements, ensure they are making progress based on the timelines set, and identify and resolve any potential challenges they may face,” explained a CISA spokesperson.

“Agencies are required by federal law to comply with CISA directives,” they added. “In cases where an agency does not fully comply within a required timeframe, CISA works closely with senior agency leadership to address any constraints and ensure prompt adherence.”

Hank Schless, senior manager of security solutions at mobile security firm Lookout, noted that non-compliance with the BOD “could be detrimental to the organization, its customers or users, and our national security.”

On the other hand, Schless said, “It’s encouraging to see that CISA is willing to work with those organizations that are having difficulty complying rather than penalizing them. If there’s a legitimate reason that certain groups can’t manage all of these vulnerabilities in their infrastructure, it’s better to help them get it resolved versus putting them on the chopping block. This type of collaboration makes everyone safer, and more broadly across the cybersecurity industry this type of cooperative work has proven to make both public and private sector organizations more secure.”

CISA said agencies have taken action to ensure compliance with the directive, and also pointed out that many are not only working to patch the exploited vulnerabilities, but also building a new vulnerability management process.

“Actions to remediate these known exploited vulnerabilities build on years of tremendous work by the federal government and are part of a broader effort to enable federal agencies, as well as public and private sector organizations, to improve vulnerability management practices and dramatically reduce their exposure to cyberattacks,” CISA told SecurityWeek.

Alex Iftimie, co-chair of Morrison & Foerster’s Global Risk and Crisis Management group, believes that “success has to be measured not just by cleaning house on previously identified vulnerabilities, but by creating a repeatable process to inventory software in your environment, stay on top of newly disclosed vulnerabilities, and patch vulnerabilities within agreed-upon timeframes.”

Alan Brill, senior managing director with Kroll's Cyber Risk practice, said an effective strategy for organizations is to balance investment in vulnerability management, threat intelligence, and detection and response capabilities.

“[Organizations] need to be able to detect, identify, and prioritize critical vulnerabilities based on their own digital footprint, as well as confidently respond. Striking this balance will minimize potential damage caused by attackers, regardless of how they got in,” Brill explained.

According to Bud Broomhead, CEO at Viakoo, a provider of automated IoT cyber hygiene, the fact that agencies are working on building new vulnerability management processes is “exactly the right focus.”

“In the long run having more automation and process around vulnerability remediation provides better protection and resiliency against future cyber threats,” Broomhead told SecurityWeek. “This emphasis makes sure that meeting the CISA BOD’s requirements is not a ‘one and done’, but instead leads to more efficient and ongoing cyber protection to remediate all cyber vulnerabilities.”

Tal Morgenstern, co-founder and CPO at cyber risk management company Vulcan Cyber, believes both public and private organizations “must follow CISA’s lead now and dedicate meaningful resources into improving vulnerability management program maturity with the objective to drive risk mitigation outcomes.”

John Slye, federal market analyst at project management solutions provider Deltek, said CISA’s catalog of known exploited vulnerabilities can have both operational and financial impacts on government contractors.

On one hand, these contractors will need to work with agencies and supply chain vendors to ensure that the requirements of the BOD are met; they might need to make changes to contracts or service level agreements, and the operational cost of compliance might need to be absorbed by the contractor.

On the other hand, Slye pointed out, “the elements of CISA’s directive that require agencies to review and improve their internal vulnerability management procedures and remediation processes may spur some new business opportunities for contractors that specialize in these areas. Agencies look to these companies for help in upping their game and these opportunities may increase in parallel with the number and scope of cybersecurity directives that are issued.”

Related: Risk-Based Vulnerability Management is a Must for Security & Compliance

Related: CISA Adds Zoho, Qualcomm, Mikrotik Flaws to 'Must-Patch' List

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.