Written by Tim Starks
Nov 3, 2021 | CYBERSCOOP
The Cybersecurity and Infrastructure Security Agency is ordering federal agencies to patch nearly 300 known exploited vulnerabilities in a directive published Wednesday.
It’s a change from past practice for Binding Operational Directives from the Department of Homeland Security’s main cyber wing. Those orders have more often focused on a single major vulnerability at a time, or have directed agencies to set up broader policies on subjects such as establishing vulnerability disclosure programs. As rationale, the agency pointed to the Microsoft Exchange Server flaws that suspected Chinese hackers seized upon to target victims worldwide in early 2021.
Under the order, agencies must patch vulnerabilities from a CISA-created catalog by deadlines that range from two weeks for flaws assigned a CVE identifier this year to six months for older ones. Further, agencies must build a process for fixing vulnerabilities added to the catalog on an ongoing basis in the future.
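To show what that deadline rule looks like once it is wired into an agency's own vulnerability-management tooling, here is a small Python triage script. It is an added example, not code from CyberScoop or from CISA: the catalog rows are constructed placeholders (the CVE IDs are not real entries, and the field names cveID, dateAdded and dueDate are an assumption modelled on a JSON catalog feed, which the article does not describe), and the asset inventory is likewise made up. The script derives each deadline from the two-week/six-month rule when the catalog row carries no explicit due date, joins the catalog against the inventory, and ranks the unremediated findings by how far past their deadline they are.

```python
"""Triage a known-exploited-vulnerability catalog against an asset inventory.

Added example; not part of the article. The catalog and inventory below are
constructed sample data, and the catalog field names are an assumption.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

DIRECTIVE_YEAR = 2021                 # year the directive was issued
RECENT_WINDOW = timedelta(days=14)    # two weeks for CVEs assigned in that year
OLDER_WINDOW_MONTHS = 6               # six months for CVEs assigned earlier

# Constructed catalog rows (placeholder CVE IDs, not real catalog entries).
CATALOG = [
    {"cveID": "CVE-2021-0001", "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2019-0001", "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2020-0002", "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
]

# Constructed inventory: host -> CVEs a scanner still reports as unpatched.
INVENTORY = {
    "web-01": ["CVE-2021-0001", "CVE-2019-0001"],
    "db-01": ["CVE-2020-0002", "CVE-2018-9999"],   # last one is not in the catalog
}


def cve_year(cve_id: str) -> int:
    """Parse the assignment year out of an identifier like CVE-2021-12345."""
    parts = cve_id.split("-")
    if len(parts) != 3 or parts[0] != "CVE" or not parts[1].isdigit():
        raise ValueError(f"malformed CVE id: {cve_id!r}")
    return int(parts[1])


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day for shorter months."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def due_date(cve_id: str, date_added: date) -> date:
    """Apply the directive's rule: two weeks for this year's CVEs, six months for older ones."""
    if cve_year(cve_id) >= DIRECTIVE_YEAR:
        return date_added + RECENT_WINDOW
    return add_months(date_added, OLDER_WINDOW_MONTHS)


@dataclass(frozen=True)
class Finding:
    host: str
    cve_id: str
    due: date
    overdue_days: int   # negative while the deadline is still in the future


def triage(catalog, inventory, today: date):
    """Join catalog deadlines with unpatched findings; most overdue first."""
    deadlines = {}
    for row in catalog:
        added = date.fromisoformat(row["dateAdded"])
        # Prefer a due date the catalog states explicitly; otherwise derive it.
        if row.get("dueDate"):
            deadlines[row["cveID"]] = date.fromisoformat(row["dueDate"])
        else:
            deadlines[row["cveID"]] = due_date(row["cveID"], added)

    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            if cve in deadlines:          # ignore CVEs the directive does not cover
                due = deadlines[cve]
                findings.append(Finding(host, cve, due, (today - due).days))
    findings.sort(key=lambda f: (-f.overdue_days, f.host, f.cve_id))
    return findings


def overdue(findings):
    """Only the findings whose deadline has already passed."""
    return [f for f in findings if f.overdue_days > 0]


if __name__ == "__main__":
    for f in triage(CATALOG, INVENTORY, date(2021, 12, 1)):
        state = "OVERDUE" if f.overdue_days > 0 else "open"
        print(f"{state:8} {f.host:8} {f.cve_id:16} due {f.due} ({f.overdue_days:+d} days)")
```

Run on the constructed data with a reporting date of 1 December 2021, the 2021-assigned flaw on web-01 comes out fourteen days overdue, the two older flaws are still open with May 2022 deadlines, and the CVE that is absent from the catalog is ignored. Swapping the constructed rows for the real catalog and the real scanner output is the "ongoing process" the directive asks for.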
CISA said the directive responds to its view that the widely adopted Common Vulnerability Scoring System, which rates vulnerabilities from “critical” down to “low,” doesn’t always accurately reflect the threat a given flaw poses, citing one of this year’s most widespread intrusions.
“Attackers chained four vulnerabilities, all subsequently rated as ‘high,’ to