CISA orders federal agencies to “patch smarter”
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a Binding Operational Directive that will change how the US federal government approaches vulnerability management.
The directive arrives as the patching problem has become nearly unmanageable, driven by a surge in newly published vulnerabilities and by AI tools that are accelerating both security research and exploit development on the attacker side.
Towards risk-based vulnerability management
BOD 26-04 introduces a framework that allows federal civilian Executive Branch agencies to make risk-based decisions about what to fix and how fast.
The decision rests on four factors: whether the vulnerability affects internet-facing systems, whether it appears in CISA’s Known Exploited Vulnerabilities catalog, whether it can be exploited in automated attacks, and whether exploitation gives attackers partial or total control of the affected system(s).
A flaw that, for example, hands an attacker complete control of an internet-exposed system, is actively exploited, and can be exploited at scale represents the highest tier of urgency: agencies must remediate it within three days and check whether it has already been exploited in their environment.
Remediation timelines mandated by the BOD (Source: CISA)
CISA has been forthright about a notable gap in the framework’s scope: the directive concentrates on the network perimeter and does not impose the same urgency for addressing vulnerabilities inside the network core.
That’s because threat actors don’t compromise core networks primarily through product vulnerabilities, the agency explained.
“Instead, threat actors often use exploitable configurations and valid credentials — a technique known as living off the land (LOTL). LOTL is better addressed through other means, such as hardening system configurations, network segmentation, and phishing-resistant multi-factor authentication (MFA) enforcement.”
Other signals worth watching
While BOD 26-04 represents a meaningful leap forward from CVSS-severity-only patching, experts have also been advising that organizations consider other signals when deciding how quickly to patch.
Cisco Talos’ Thorsten Rosendahl, for example, argues that each vulnerability’s dynamic EPSS score – the estimated probability that it will be exploited in the next 30 days, based on real-world signals – should be taken into consideration.
He also suggests that organizations check Global CVE for a global view of which vulnerabilities are being exploited.
Recently, NIST proposed yet another metric and asked the cybersecurity community to evaluate it: Likely Exploited Vulnerabilities (LEV), which is an estimate of how likely it is that a vulnerability has already been used in attacks.
CISA, for its part, has said it will review the directive and update its implementation guidance on a rolling basis, “to account for changes in the general cybersecurity landscape.”