The US government has ordered all civilian federal agencies to patch hundreds of cybersecurity vulnerabilities found between 2017 and 2020.
The new order, by the Joe Biden administration on Wednesday, is one of the most wide-reaching cybersecurity mandates ever imposed on the federal government, the Wall Street Journal reported.
Cybersecurity vulnerabilities are considered major risks for damaging intrusions into government computer systems.
The directive from the Cybersecurity and Infrastructure Security Agency (CISA) covers about 200 known security flaws identified by cybersecurity professionals between 2017 and 2020 and an additional 90 discovered in 2021 alone that have been observed being used by malicious hackers. Those flaws were listed in a new federal catalog as carrying “significant risk to the federal enterprises”, the report said.
“Every day, our adversaries are using known vulnerabilities to target federal agencies. As the operational lead for federal cybersecurity, we are using our directive authority to drive cybersecurity efforts toward mitigation of those specific vulnerabilities that we know to be actively used by malicious cyber actors,” said CISA Director Jen Easterly, in a statement.
“The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyberattacks,” Easterly added.
Federal agencies have six months to patch older threats and just two weeks to fix the ones that were discovered within the past year.
The goal is to force federal agencies to fix all potential threats, whether they’re major or not, and establish a basic list for other private and public organizations to follow.
“While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog,” Easterly said.
In 2015, a similar order gave federal agencies one month to fix threats deemed “critical risks”. This was, however, changed in 2019 to include threats categorized as “high risk”.
The new mandate does not prioritize based on threat levels but emphasizes the need to recognize small flaws that can quickly cause larger problems if hackers can find a way to take advantage of them.
Since President Biden entered office in January, this year, cybersecurity has been a major concern. In May, he signed an executive order to help prevent future cybersecurity disasters.
The order mandates two-factor authentication across the federal government to establish a protocol for responding to cyberattacks and forms a Cybersecurity Safety Review Board, among other safety measures.
