Vulnerability Management and U.S. Government MSSPs: DHS Directive Explained
The Department of Homeland Security’s (DHS) cyber unit has ordered federal agencies to immediately fix hundreds of known hardware and software vulnerabilities already exploited by threat actors to attack government networks and systems.
In a rare binding operational directive, the Cybersecurity and Infrastructure Security Agency (CISA) has cataloged nearly 300 security flaws it wants fixed that “carry significant risk to the federal enterprise.” Since 2015, DHS and CISA have issued only 10 such mandates around pressing issues, two of which were subsequently revoked and superseded.
The order has multiple implications for managed security service providers (MSSPs). Among the variables to note:
- MSSP Leaders: MSSPs that proactively patched government systems before the order arrived could potentially solidify their reputations within and across U.S. government agencies.
- MSSP Laggards: Government-focused MSSPs that are late to the patching effort could be left scrambling to close agency vulnerabilities, while also trying to explain why the vulnerabilities weren’t addressed proactively (assuming patching was the MSSP’s responsibility).
- MSSP Opportunists: MSSPs that are seeking to enter the U.S. government market or expand their vertical market footprint can pitch vulnerability assessment and patch management services to help win business during this key moment for agency IT departments.
U.S. Government Agencies and Vulnerability Management: The Directive Explained
The binding operational directive, termed BOD 22-01 Reducing the Significant Risk of Known Exploited Vulnerabilities, sets remediation requirements agencies must follow to shore up identified software and hardware flaws found on federal information systems, whether on premise or hosted by a third-party. It covers about 90 known security flaws identified this year alone and roughly another 200 observed in use by hackers dating to 2017, and applies to federal, executive branch, departments and agencies.
CISA said it will determine which vulnerabilities warrant inclusion in the catalog based on “reliable evidence” of hackers exploiting the flaw to infect public or private organizations. The directive adds to an earlier CISA order that establishes remediation requirements for flaws on internet-facing federal information systems.
Its lynchpin is the speed at which CISA is compelling agencies to audit their internal procedures to manage vulnerabilities and apply patches. Entities must review and update their processes within 60 days and remediate within six months for vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021 and inside of two weeks for all other vulnerabilities. CISA said it might adjust the deadlines if the vulnerabilities present a “grave risk” to the federal government.
“These required actions apply to any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information,” the directive reads.
U.S. Government Agencies and Vulnerability Management: Requirements
In addition to the 60-day process review, here’s what agencies must do to comply with the order:
- Provide CISA with a copy of their review policies and procedures.
- Establish a process for ongoing remediation of vulnerabilities that CISA identifies in the catalog.
- Assign roles and responsibilities for executing agency actions.
- Define necessary actions required to enable prompt response to the directive’s requirements.
- Establish internal validation and enforcement procedures to ensure adherence.
- Set internal tracking and reporting requirements to evaluate adherence with the directive.
- Remediate each vulnerability according to the timelines set in the catalog.
- Report on the status of vulnerabilities listed in the repository.
Here’s what CISA will do:
- Maintain the catalog of known exploited vulnerabilities and alert agencies of updates for awareness and action.
- Publish the thresholds and conditions for including and adding vulnerabilities to the catalog.
- Review the directive to account for changes in the general cybersecurity landscape.
- Consider issuing more guidance to include best practices for managing security vulnerabilities.
- At the end of each fiscal year, provide a status report to DHS, the Office of Management and Budget (OMB) and the National Cyber Director.
While not saying so directly, it’s clear that the high-profile cyber hijackings of the past few months have inspired the directive, particularly the SolarWinds Orion event that engulfed nine government agencies and cascaded to more than 100 businesses.