US federal agencies told to patch hundreds of security bugs

The Biden administration has ordered nearly all federal agencies to patch hundreds of security bugs, some of which were first found the best part of a decade ago.

The new binding operational directive, issued by the Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday, gives federal agencies six months to fix more than 300 security vulnerabilities that it has identified as carrying “significant risk” to their networks. Agencies have just two weeks to fix the more recent bugs from 2021, the directive said.

CISA said these security bugs, some of which date back to 2014 and 2015, are a “frequent attack vector” for cybercriminals targeting federal agencies.

The directive, first reported by The Wall Street Journal, applies to most civilian federal agencies, but carves out exceptions for networks run by the military and under the Defense Department or the intelligence community, which are managed separately.

Federal agencies are largely left to manage their own cybersecurity efforts, such as rolling out security patches. Federal agencies were first mandated in 2015 to fix “critical” security bugs within a month of public disclosure, and in 2019 that mandate was expanded to include fixes for high-severity bugs as well.

But the government’s own watchdog has said some federal agencies still struggle with the cybersecurity basics. According to the Journal, many of the bugs in the new directive weren’t previously covered, a tacit nod to how seemingly less-impactful bugs can still cause significant damage or disruption if exploited.

“The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks,” said CISA Director Jen Easterly in a statement.

“While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog,” said Easterly.

Rep. Jim Langevin, a member of the House Armed Services’ subcommittee on cyber, said the CISA directive “will go a long way towards strengthening network security and improving our federal cyber hygiene.”